Hiding printers in web interface

John A. Sullivan III jsullivan at opensourcedevel.com
Wed Apr 7 03:33:07 PDT 2010


Hello, all.  I'm feeling really stupid but after many hours, I can't seem to crack this simple problem.  We are planning to host a multi-tenant environment and want users to see only their printers and only their print jobs.

We did create our printers with a lpadmin -u allow:<userid>.  This works perfectly fine.  Users only see their printers . . . until they go to the print server web interface and click on printers or jobs.  They see all the printers and all the jobs.  They can't print to them but they can see them.  How do we restrict them to see only their printers and their print jobs in this interface?

Here are the restrictions and options we have:
We are comfortable with IP based security.  Our environment is somewhat unique and highly resistant to spoofing - that's the good news.
We do not want to prompt the users for passwords every time they print (nor cache them) as they are casual and generally non-technical users.  That's the bad news.  Thankfully, IP based security is fine for us as mentioned above.

Here's the long list of what we've tried:

First attempt:
We thought the answer was simple. The cupsd.conf docs say "Note that more specific resources override the less specific ones. So the directives inside the /printers/name location will override ones from /printers." So we thought we'd add an entry for each printer like:

# Individual Printer Restrictions
<Location /printers/<user>-LocalPrinters>
  Order allow,deny
  Require user @TechSupport
  Allow from 172.x.y.9/32
  Satisfy any
</Location>

The results were bizarre.  If another user browsed to the Printers page, they saw all the printers including the above protected printer! In their application print dialogs, they saw only their printer.  If we force the user to authenticate at a higher level (e.g., / or /printers), it works as expected, sort of.  They see any unprotected printers and no protected printers.  However, in their application print dialogs, they now see all the unprotected printers instead of just their printer! We could live with that except we do not want to prompt users to log in in order to print because they don't do that in the environments they are migrating from - it is a deal killer.

We also tried this commenting out the Require and Satisfy directives.  Same results.

Second try:
We thought we'd try limiting the printer list to show only printers owned by the user like this:

# Restrict access to printer list...
<Location /printers>
  Order allow,deny
  Require user @Tech-a100 @OWNER
  AuthType Basic
  Allow from 172.x.0.0/16
</Location>

That didn't work.  Users could not see anything on the Printers page.

Third try:
Again assuming lower Location directives override higher ones, we restricted the printers directory for only Tech Services.  So now we have something like:

# Restrict access to printer list...
<Location /printers>
  Order allow,deny
  Allow from 172.x.y.0/29
</Location>
# Individual Printer Restrictions
<Location /printers/<user>-LocalPrinters>
  Order allow,deny
  Require user @TechSupport
  Allow from 172.x.y.9/32
  Satisfy any
</Location>

That was a disaster; users could not even see their own printers.

Fourth try:
We tried using a Policy Limit so that one had to be $OWNER to do CUPS-Get-Printers or Get-Jobs.  That didn't work either.  They could not see the Printers or Jobs page.

We've tried a few other variations on the above themes but with no luck.  How do we achieve this seemingly simple goal of allowing users to see only their printers in both their application print dialogs and the CUPS web interface? I'm sure I must be missing something simple.  Thanks - John
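
Added example, not part of the original post and not CUPS code: a small Python model of the rule quoted from the cupsd.conf docs, in which the most specific matching Location governs a request and nothing is inherited from the less specific one, run against a config shaped like the third attempt. The tenant name "acme" and the 172.16.5.x addresses are constructed stand-ins for <user> and 172.x.y; the model covers only Order/Allow/Deny/Require/Satisfy with IP or CIDR values on HTTP request paths and does not model which printers the Printers page lists.

```python
import ipaddress

# Constructed config shaped like the "third try"; "acme" and 172.16.5.x are placeholders.
SAMPLE_CONF = """\
<Location /printers>
  Order allow,deny
  Allow from 172.16.5.0/29
</Location>
<Location /printers/acme-LocalPrinters>
  Order allow,deny
  Require user @TechSupport
  Allow from 172.16.5.9/32
  Satisfy any
</Location>
"""

def parse_locations(conf):
    """Map each <Location> path to its own directives."""
    locations, cur = {}, None
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        key = words[0].lower() if words else ""
        if key == "<location":
            cur = locations[words[1].rstrip(">")] = {
                "order": None, "allow": [], "deny": [], "require": None, "satisfy": "all"}
        elif key == "</location>" or cur is None:
            cur = None
        elif key in ("allow", "deny"):  # "Allow from X" and "Allow X" both end in X
            cur[key].append(ipaddress.ip_network(words[-1], strict=False))
        elif key in ("order", "satisfy", "require"):  # require keeps its kind, e.g. "user"
            cur[key] = words[1].lower()
    return locations

def decide(locations, path, client_ip):
    """Return (governing Location, verdict) for one HTTP request."""
    best = max((p for p in locations if path.startswith(p)), key=len, default=None)
    if best is None:
        return None, "unmatched"
    loc, ip = locations[best], ipaddress.ip_address(client_ip)
    in_allow, in_deny = (any(ip in net for net in loc[k]) for k in ("allow", "deny"))
    # allow,deny: denied by default, Allow then Deny; deny,allow: the reverse
    addr_ok = (in_allow or not in_deny) if loc["order"] == "deny,allow" \
        else (in_allow and not in_deny)
    if not loc["require"]:
        return best, "allow" if addr_ok else "deny"
    if loc["satisfy"] == "any":  # a permitted address alone is enough
        return best, "allow" if addr_ok else "auth-required"
    return best, "auth-required" if addr_ok else "deny"
```

Note that 172.16.5.9 falls outside 172.16.5.0/29, so in this constructed config the same client is admitted by the printer-specific block and refused by the /printers block.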



