[cups.general] Is it possible to make available certain printers to specific hosts/networks while others are not
wtautz
wtautz at cs.uwaterloo.ca
Fri Jun 16 09:57:07 PDT 2006
Kurt Pfeifle wrote:
>wtautz <wtautz at cs.uwaterloo.ca> wrote (Friday 16 June 2006 15:42):
>
>>Is it possible to have certain printers be made available for certain
>>hosts/networks only while others are not.
>
>Yes, it is.
>
>I note you said "available", not "visible"....
>
>
>CUPS-1.1.x:
>-----------
>Assuming CUPS 1.1.x, you'd put a separate "Location" section for each
>printer in your cupsd.conf, like that:
>
><Location /printers/PrinterNameA>
> Order Deny,Allow
> Deny From All
> Allow From 192.168.1.*
> Allow From 192.168.2.*
></Location>
>
><Location /printers/PrinterNameB>
> Order Deny,Allow
> Deny From All
> Allow From 192.168.2.*
> Allow From 192.168.3.*
> Allow From 192.168.4.*
></Location>
>
>and so on.... (you could add more access control directives, and also
>authentication as needed).
>
>
>CUPS-1.2.x:
>-----------
>Assuming you use CUPS 1.2, you can use the same thing as in 1.1.x,
>using the same syntax.
>
>But you can also use an "OpPolicy" for each printer definition. The
>Policy itself is defined in cupsd.conf. You can define different
>"policies", and then assign the specific policy to each printer as
>needed. The concept of policies provides a more finely granulated
>set of controls over your IPP printer and job objects and operations.
>
>From the top of my head (I've not actually tested it, just shortly
>checked against the available docu), put this in cupsd.conf (the
>actual policy names are arbitrary). It is the most simple way to
>define a Policy with "Limit All". In essence, the following does
>not give a different outcome than the "old" 1.1 syntax does:
>
>
>-------- snip --------------------------
><Policy my_policy_for_PrinterNameA>
> <Limit All>
> Order Deny,Allow
> Deny From All
> Allow From 192.168.1.*
> Allow From 192.168.2.*
> </Limit>
></Policy>
>
><Policy my_policy_for_PrinterNameB>
> <Limit All>
> Order Deny,Allow
> Deny From All
> Allow From 192.168.2.*
> Allow From 192.168.3.*
> Allow From 192.168.4.*
> </Limit>
></Policy>
>-------- snap --------------------------
>
>
>After you've defined a policy in cupsd.conf and re-started cupsd,
>you can assign an OpPolicy to a printer, either with the lpadmin
>command:
>
> lpadmin -p PrinterNameA -o printer-op-policy=my_policy_for_PrinterNameA
> lpadmin -p PrinterNameB -o printer-op-policy=my_policy_for_PrinterNameB
>
>or through the web interface shown in the "Policies" section at the
>bottom of:
>
> http://localhost:631/admin/?op=set-printer-options&printer_name=PrinterNameA
> http://localhost:631/admin/?op=set-printer-options&printer_name=PrinterNameB
>
>Of course, with the concept of policies, you can have very finely
>grained control structures. You can do things that are beyond what
>the CUPS-1.1.x "Location" syntax could do....
>
>Consider something like this (note that line endings noted with "\"s
>are only used here for readability; you should put these on one
>single line) -- I'm not saying this is a particularly clever way of
>setting things up:
>
>
>-------- snip -------------------------------------------------------
><Policy policy_for_PrinterNameC>
> # Job-related operations must be done by job owner or an
> # administrator, and only if connecting from an IP address
> # like 10.162.3.[0-255] or from localhost...
> <Limit Send-Document Hold-Job Release-Job Restart-Job \
> Purge-Jobs Set-Job-Attributes Create-Job-Subscription \
> Renew-Subscription Cancel-Subscription Get-Notifications \
> Suspend-Current-Job CUPS-Move-Job>
> Require user @OWNER @SYSTEM
> Order deny,allow
> Allow from 127.0.0.1
> Allow from 10.162.3.*
> Satisfy all
> Encryption Required
> </Limit>
>
> # Stop/start/pause/resume printer operations as well as listing \
> # all printers and classes may be done by any valid user, from \
> # any client that can access CUPS...
> <Limit Enable-Printer Disable-Printer Pause-Printer \
> Resume-Printer CUPS-Get-Classes CUPS-Get-Printers \
> Resume-Printer>
> Require valid-user
> Order deny,allow
> Allow from All
> Deny from None
> Encryption Required
> </Limit>
>
> # All other operations can only be done by an administrator
> # connecting from localhost and using Digest authentication...
> <Limit All>
> AuthType Digest
> Require user @SYSTEM
> Order Deny,Allow
> Deny From All
> Allow from 127.0.0.1
> Satisfy all
> Encryption Required
> </Limit>
></Policy>
>-------- snap -------------------------------------------------------
>
>
>Hope this helps. Hope also that I didn't put any major flaws into
>my examples.
>
>Cheers,
>Kurt
>
>
Hi, thanks Kurt. Amazing granularity. Yes, this is what I was thinking of
when I said available, i.e., be able to use. I assume that these
printers are still visible on networks that do not satisfy the Allow
from directives?
I guess that is how Michael was interpreting my question. It would be
cool if one could put the directives BrowseAddress, BrowseAllow, etc. in a
printer definition... which would allow one to control where the printer
packets are sent per printer...
walter
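
An added example, not part of either message and not CUPS code: a small Python check that reads the per-printer Location blocks quoted above and reports which printers a given client address may use, so an access-control change can be verified before cupsd is restarted. It assumes only the address forms used in this thread (All, None, a literal IP, a `*` wildcard) and models Order Deny,Allow as stated in the comments; all function names are hypothetical.

```python
import re
from fnmatch import fnmatch

# Constructed sample: the two Location blocks from the quoted message.
SAMPLE_CONF = """\
<Location /printers/PrinterNameA>
 Order Deny,Allow
 Deny From All
 Allow From 192.168.1.*
 Allow From 192.168.2.*
</Location>

<Location /printers/PrinterNameB>
 Order Deny,Allow
 Deny From All
 Allow From 192.168.2.*
 Allow From 192.168.3.*
 Allow From 192.168.4.*
</Location>
"""

BLOCK = re.compile(r"<Location\s+(\S+)>(.*?)</Location>", re.S | re.I)
RULE = re.compile(r"^\s*(Allow|Deny)\s+From\s+(\S+)\s*$", re.I | re.M)

def parse_locations(conf):
    """Map each Location path to its ordered (action, pattern) rules."""
    return {path: [(a.lower(), p) for a, p in RULE.findall(body)]
            for path, body in BLOCK.findall(conf)}

def matches(pattern, ip):
    # Only the forms used in this thread: All, None, literal IP, '*' wildcard.
    if pattern.lower() in ("all", "none"):
        return pattern.lower() == "all"
    return fnmatch(ip, pattern)

def allowed(rules, ip):
    """Order Deny,Allow: Deny lines first, then Allow lines; a matching Allow wins."""
    hit = lambda kind: any(a == kind and matches(p, ip) for a, p in rules)
    # Assumption: with no matching Deny line, access is allowed.
    return hit("allow") or not hit("deny")

def reachable(conf, ip):
    """Return the sorted Location paths a client at `ip` may use."""
    return sorted(p for p, r in parse_locations(conf).items() if allowed(r, ip))

if __name__ == "__main__":
    for ip in ("192.168.1.10", "192.168.2.10", "192.168.4.7", "10.0.0.5"):
        print(ip, reachable(SAMPLE_CONF, ip))
```

This checks access only; as the reply above asks, it says nothing about which networks still see the printers through browsing.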