[cups.general] Is it possible to make available certain printers to specific hosts/networks while others are not

Kurt Pfeifle kpfeifle at danka.de
Fri Jun 16 07:57:25 PDT 2006 

wtautz <wtautz at cs.uwaterloo.ca> wrote (Friday 16 June 2006 15:42):

> Is it possible to have certain printers be made available for certain
> hosts/networks only while others
> are not.

Yes, it is.

I note you said "available", not "visible"....


CUPS-1.1.x:
-----------
Assuming CUPS 1.1.x, you'd put a separate "Location" section for each
printer in your cupsd.conf, like that:

<Location /printers/PrinterNameA>
  Order Deny,Allow
  Deny From All
  Allow From 192.168.1.*
  Allow From 192.168.2.*
</Location>

<Location /printers/PrinterNameB>
  Order Deny,Allow
  Deny From All
  Allow From 192.168.2.*
  Allow From 192.168.3.*
  Allow From 192.168.4.*
</Location>

and so on.... (you could add more access control directives, and also
authentication as needed).


CUPS-1.2.x:
-----------
Assuming you use CUPS 1.2, you can use the same thing as in 1.1.x,
using the same syntax.

But you can also use an "OpPolicy" for each printer definition. The 
Policy itself is defined in cupsd.conf. You can define different 
"policies", and the assign the specific policy to each printer as 
needed. The concept of policies provides a more finely granulated
set of controls over your IPP printer and job objects and operations.

>From the top of my head (I've not actually tested it, just shortly
checked against the available docu), put this in cupsd.conf (the 
actual policy names are arbitrary). It is the most simple way to
define a Policy with "Limit All". In essence, the following does
not give a different outcome than the "old2 1.1 syntax does:


-------- snip --------------------------
<Policy my_policy_for_PrinterNameA>
   <Limit All>
      Order Deny,Allow
      Deny From All
      Allow From 192.168.1.*
      Allow From 192.168.2.*
   </Limit>
</Policy>

<Policy my_policy_for_PrinterNameB>
   <Limit All>
      Order Deny,Allow
      Deny From All
      Allow From 192.168.2.*
      Allow From 192.168.3.*
      Allow From 192.168.4.*
   </Limit>
</Policy>
-------- snap --------------------------


After you've defined a policy in cupsd.conf and re-started cupsd,
you can assign an OpPolicy to a printer, either with the lpadmin 
command:

  lpadmin -p PrinterNameA -o printer-op-policy=my_policy_for_PrinterNameA
  lpadmin -p PrinterNameb -o printer-op-policy=my_policy_for_PrinterNameB

or through the web interface shown in the "Policies" section at the 
bottom of:

  http://localhost:631/admin/?op=set-printer-options&printer_name=PrinterNameA
  http://localhost:631/admin/?op=set-printer-options&printer_name=PrinterNameB

Of course, with the concept of policies, you can have very finely
grained control structures. You can do things that are beyond what
the CUPS-1.1.x "Location" syntax could do.... 

Consider something like this (note that lineendings noted with "\"s 
are only used here for readability; you should put these one one 
single line) -- I'm not saying this is particularly clever way of 
setting things up:


-------- snip -------------------------------------------------------
<Policy policy_for_PrinterNameC>  
   # Job-related operations must be done by job owner or an 
   # administrator, and only if connecting from an IP address 
   # like 10.162.3.[0-255] or from localhost...
   <Limit Send-Document Hold-Job Release-Job Restart-Job \
           Purge-Jobs Set-Job-Attributes Create-Job-Subscription \
           Renew-Subscription Cancel-Subscription Get-Notifications \
           Suspend-Current-Job CUPS-Move-Job>
      Require user @OWNER @SYSTEM
      Order deny,allow
      Allow from 127.0.0.1
      Allow from 10.162.3.*
      Satisfy all
      Encryption Required
   </Limit>

   # Stop/start/pause/resume printer operations as well as listing \
   # all printers and classes may be done by any valid user, from \
   # any client that can access CUPS...
   <Limit Enable-Printer Disable-Printer Pause-Printer \
           Resume-Printer CUPS-Get-Classes CUPS-Get-Printers \
           Resume-Printer>
      Require valid-user
      Order deny,allow
      Allow from All
      Deny from None
      Encryption Required
   </Limit>

   # All other operations can only be done by an administrator
   # connecting from localhost and using Digest authentication...
   <Limit All>
      AuthType Digest
      Require user @SYSTEM
      Order Deny,Allow
      Deny From All
      Allow from 127.0.0.1
      Satisfy all
      Encryption Required
   </Limit>
</Policy>
-------- snap -------------------------------------------------------


Hope this helps. Hope also that I didn't put any major flaws into
my examples.

Cheers,
Kurt

More information about the cups mailing list