[cups.general] Printer Policies for the Web Interface

Philipp Richter philipp.richter at linbit.com
Thu Jul 5 03:02:27 PDT 2007 

On Wednesday 04 July 2007 16:40:08 Kurt Pfeifle wrote:

> What exactly do you mean by "a central (clustered) CUPS server" ??
> What type of cluster?

it's a heartbeat cluster with a drbd device used as cups spool.

> What you describe should be possible with the standard CUPS 1.2
> functionality provided by the "Policy" keyword in cupsd.conf.
>
> All you have to do is define the exact policies you want to use for
> different users/groups and give them the policy names you like.

i have read the policy document a couple of times and am already using it.

> > Is it possible to apply rules like the operation policies (which are for
> > IPP printing only) to the web interface?
>
> Huh?

ok. maybe i didn't express myself correctly. i know what i can do with the 
webinterface. and of course the policies apply correctly. here is a snippet 
of cupsd.conf:

<Policy SYNOP>
        # print related tasks. no login required
        <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job 
Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription 
Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job 
Suspend-Current-Job Resume-Job CUPS-Move-Job Cancel-Job 
CUPS-Authenticate-Job>
                Require user @OWNER @SYSTEM
                Order allow,deny
                Allow from 138.22.179.0/24
        </Limit>
        <Limit Pause-Printer Resume-Printer Set-Printer-Attributes 
Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs 
Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer 
Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After 
CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default>
                AuthType Basic
                Require user sysman @SYSTEM
                Order allow,deny
                Allow from 138.22.129.112
        </Limit>
        <Limit All>
                Order allow,deny
                Allow from 138.22.179.0/24
        </Limit>
</Policy>

so printers with the policy SYNOP should be allowed to be printed to from the 
net 138.22.179.0/24 and administered by the user "sysman" coming from 
138.22.129.112. what doesn't work with the web-interface are the "allow from" 
constraints because the admin.cgi makes a local ipp-connection so the source 
ip is lost for the policy check. so my question is if there is any way to 
restrict the different admins to their network?

-- 
: Philipp Richter                                 Tel +43-1-8178292-51 :
: LINBIT Information Technologies GmbH            Fax +43-1-8178292-82 :
: Vivenotgasse 48, A-1120 Vienna/Europe          http://www.linbit.com :

More information about the cups mailing list