[cups.general] Is it possible to make available certain printers to specific hosts/networks while others are not

wtautz wtautz at cs.uwaterloo.ca
Fri Jun 16 09:57:07 PDT 2006 

Kurt Pfeifle wrote:

>wtautz <wtautz at cs.uwaterloo.ca> wrote (Friday 16 June 2006 15:42):
>
>  
>
>>Is it possible to have certain printers be made available for certain
>>hosts/networks only while others
>>are not.
>>    
>>
>
>Yes, it is.
>
>I note you said "available", not "visible"....
>
>
>CUPS-1.1.x:
>-----------
>Assuming CUPS 1.1.x, you'd put a separate "Location" section for each
>printer in your cupsd.conf, like that:
>
><Location /printers/PrinterNameA>
>  Order Deny,Allow
>  Deny From All
>  Allow From 192.168.1.*
>  Allow From 192.168.2.*
></Location>
>
><Location /printers/PrinterNameB>
>  Order Deny,Allow
>  Deny From All
>  Allow From 192.168.2.*
>  Allow From 192.168.3.*
>  Allow From 192.168.4.*
></Location>
>
>and so on.... (you could add more access control directives, and also
>authentication as needed).
>
>
>CUPS-1.2.x:
>-----------
>Assuming you use CUPS 1.2, you can use the same thing as in 1.1.x,
>using the same syntax.
>
>But you can also use an "OpPolicy" for each printer definition. The 
>Policy itself is defined in cupsd.conf. You can define different 
>"policies", and the assign the specific policy to each printer as 
>needed. The concept of policies provides a more finely granulated
>set of controls over your IPP printer and job objects and operations.
>
>>From the top of my head (I've not actually tested it, just shortly
>checked against the available docu), put this in cupsd.conf (the 
>actual policy names are arbitrary). It is the most simple way to
>define a Policy with "Limit All". In essence, the following does
>not give a different outcome than the "old2 1.1 syntax does:
>
>
>-------- snip --------------------------
><Policy my_policy_for_PrinterNameA>
>   <Limit All>
>      Order Deny,Allow
>      Deny From All
>      Allow From 192.168.1.*
>      Allow From 192.168.2.*
>   </Limit>
></Policy>
>
><Policy my_policy_for_PrinterNameB>
>   <Limit All>
>      Order Deny,Allow
>      Deny From All
>      Allow From 192.168.2.*
>      Allow From 192.168.3.*
>      Allow From 192.168.4.*
>   </Limit>
></Policy>
>-------- snap --------------------------
>
>
>After you've defined a policy in cupsd.conf and re-started cupsd,
>you can assign an OpPolicy to a printer, either with the lpadmin 
>command:
>
>  lpadmin -p PrinterNameA -o printer-op-policy=my_policy_for_PrinterNameA
>  lpadmin -p PrinterNameb -o printer-op-policy=my_policy_for_PrinterNameB
>
>or through the web interface shown in the "Policies" section at the 
>bottom of:
>
>  http://localhost:631/admin/?op=set-printer-options&printer_name=PrinterNameA
>  http://localhost:631/admin/?op=set-printer-options&printer_name=PrinterNameB
>
>Of course, with the concept of policies, you can have very finely
>grained control structures. You can do things that are beyond what
>the CUPS-1.1.x "Location" syntax could do.... 
>
>Consider something like this (note that lineendings noted with "\"s 
>are only used here for readability; you should put these one one 
>single line) -- I'm not saying this is particularly clever way of 
>setting things up:
>
>
>-------- snip -------------------------------------------------------
><Policy policy_for_PrinterNameC>  
>   # Job-related operations must be done by job owner or an 
>   # administrator, and only if connecting from an IP address 
>   # like 10.162.3.[0-255] or from localhost...
>   <Limit Send-Document Hold-Job Release-Job Restart-Job \
>           Purge-Jobs Set-Job-Attributes Create-Job-Subscription \
>           Renew-Subscription Cancel-Subscription Get-Notifications \
>           Suspend-Current-Job CUPS-Move-Job>
>      Require user @OWNER @SYSTEM
>      Order deny,allow
>      Allow from 127.0.0.1
>      Allow from 10.162.3.*
>      Satisfy all
>      Encryption Required
>   </Limit>
>
>   # Stop/start/pause/resume printer operations as well as listing \
>   # all printers and classes may be done by any valid user, from \
>   # any client that can access CUPS...
>   <Limit Enable-Printer Disable-Printer Pause-Printer \
>           Resume-Printer CUPS-Get-Classes CUPS-Get-Printers \
>           Resume-Printer>
>      Require valid-user
>      Order deny,allow
>      Allow from All
>      Deny from None
>      Encryption Required
>   </Limit>
>
>   # All other operations can only be done by an administrator
>   # connecting from localhost and using Digest authentication...
>   <Limit All>
>      AuthType Digest
>      Require user @SYSTEM
>      Order Deny,Allow
>      Deny From All
>      Allow from 127.0.0.1
>      Satisfy all
>      Encryption Required
>   </Limit>
></Policy>
>-------- snap -------------------------------------------------------
>
>
>Hope this helps. Hope also that I didn't put any major flaws into
>my examples.
>
>Cheers,
>Kurt
>  
>
Hi, Thanks Kurt. Amazing granularity. Yes, this what I was think of
when I said available, i.e, be able to use. I assume that these
printers are still visible on networks that do not satisfy the Allow
from directives?
I guess that is how Michael was interpreting my question. It would be
cool if
one could put in the directives BrowseAddress, BrowseAllow, etc in a printer
definition....which would allow one to control where the printer packets are
sent per printer...


walter

More information about the cups mailing list