Printer Policies for the Web Interface

Kurt Pfeifle kurt.pfeifle at infotec.com
Thu Jul 5 03:19:00 PDT 2007


> On Wednesday 04 July 2007 16:40:08 Kurt Pfeifle wrote:
>
> > What exactly do you mean by "a central (clustered) CUPS server" ??
> > What type of cluster?
>
> it's a heartbeat cluster with a drbd device used as cups spool.
>
> > What you describe should be possible with the standard CUPS 1.2
> > functionality provided by the "Policy" keyword in cupsd.conf.
> >
> > All you have to do is define the exact policies you want to use for
> > different users/groups and give them the policy names you like.
>
> i have read the policy document a couple of times and am already using it.
>
> > > Is it possible to apply rules like the operation policies (which are for
> > > IPP printing only) to the web interface?
> >
> > Huh?
>
> ok. maybe i didn't express myself correctly. i know what i can do with the
> webinterface. and of course the policies apply correctly.

"of course" ??   :-)

Allow me to have my doubts.

Not knowing exactly how your clustering stuff works, it could well be
changing the IP addresses your requests appear to be coming from, and
hence also invalidating whatever "Allow from ..." statements you may be
using...

> here is a snippet
> of cupsd.conf:
>
> <Policy SYNOP>
>         # print related tasks. no login required
>         <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job Cancel-Job CUPS-Authenticate-Job>
>                 Require user @OWNER @SYSTEM
>                 Order allow,deny
>                 Allow from 138.22.179.0/24
>         </Limit>
>         <Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default>
>                 AuthType Basic
>                 Require user sysman @SYSTEM
>                 Order allow,deny
>                 Allow from 138.22.129.112
>         </Limit>
>         <Limit All>
>                 Order allow,deny
>                 Allow from 138.22.179.0/24
>         </Limit>
> </Policy>
>
> so printers with the policy SYNOP should be allowed to be printed to from the
> net 138.22.179.0/24 and administered by the user "sysman" coming from
> 138.22.129.112. what doesn't work with the web-interface are the "allow from"
> constraints because the admin.cgi makes a local ipp-connection so the source
> ip is lost for the policy check. so my question is if there is any way to
> restrict the different admins to their network?


I don't have the time to verify all the details of your policy settings right now. But here are 2 quick thoughts:

(a) enable "LogLevel debug" (and if it doesn't give you enough clues,
    "debug2"). Look for matching messages to verify which IP address
    cupsd sees for your administrators' actions being performed.

(b) to be *very* sure about how they are parsed and interpreted, change
    your Allow/Order statements to something like these:
               -------
                 Order deny,allow
                 Deny from all
                 Allow from 138.22.129.112
               -------
                 Order deny,allow
                 Deny from all
                 Allow from 138.22.179.0/24
               -------

--
Kurt Pfeifle
System & Network Printing Consultant ---- Linux/Unix/Windows/Samba/CUPS
Infotec Deutschland GmbH  .....................  Hedelfinger Strasse 58
A RICOH Company  ...........................  D-70327 Stuttgart/Germany
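
The following is an added example, not part of the original message or of CUPS itself. It models the address check for the admin `<Limit>` block in both the posted form and the form suggested in (b), and shows why the result stops depending on the browser's address once admin.cgi connects locally. The Order semantics are assumed from cupsd.conf(5); the two non-admin client addresses and the helper names are constructed for illustration.

```python
import ipaddress

def is_allowed(order, allow, deny, peer):
    """Address check for one <Limit> block.

    Assumed semantics, per cupsd.conf(5): "allow,deny" denies by default and
    applies Allow then Deny; "deny,allow" allows by default and applies Deny
    then Allow. Only "all", single addresses and CIDR networks are handled.
    """
    addr = ipaddress.ip_address(peer)

    def hit(rules):
        return any(r == "all" or addr in ipaddress.ip_network(r, strict=False)
                   for r in rules)

    if order == "allow,deny":
        return hit(allow) and not hit(deny)
    if order == "deny,allow":
        return hit(allow) or not hit(deny)
    raise ValueError("unknown Order value: %r" % order)

def peer_seen_by_cupsd(client_ip, via_web_interface):
    # Model of the behaviour described in the thread: admin.cgi makes a local
    # IPP connection, so the policy check sees loopback, not the browser.
    return "127.0.0.1" if via_web_interface else client_ip

# Admin <Limit> from the SYNOP policy: as posted, and as rewritten in (b).
AS_POSTED = ("allow,deny", ["138.22.129.112"], [])
EXPLICIT = ("deny,allow", ["138.22.129.112"], ["all"])

# Constructed clients: the admin host from the post plus two sample hosts.
CLIENTS = ["138.22.129.112", "138.22.179.25", "10.9.8.7"]

def decisions(rule, via_web_interface):
    # How cupsd itself treats loopback peers is not modelled here; the point
    # is that the web-interface result is identical for every browser address.
    order, allow, deny = rule
    return {c: is_allowed(order, allow, deny,
                          peer_seen_by_cupsd(c, via_web_interface))
            for c in CLIENTS}

if __name__ == "__main__":
    for name, rule in (("as posted", AS_POSTED), ("explicit", EXPLICIT)):
        print(name, "direct IPP:   ", decisions(rule, False))
        print(name, "web interface:", decisions(rule, True))
```

Comparing this output with the addresses logged under "LogLevel debug" shows whether cupsd is evaluating the rule against the client or against the local connection.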