| field | value | date |
|---|---|---|
| author | Bill MacAllister <whm@dropbox.com> | 2016-01-05 08:18:37 +0000 |
| committer | Bill MacAllister <whm@dropbox.com> | 2016-01-05 08:18:37 +0000 |
| commit | 9e1b210844faaa451cee3b9c0afa738120062e79 (patch) | |
| tree | 04dc0116e6db1af234359b2f92bc6c280eb7b2ff /docs/design-acl | |
| parent | 2a03ce35be9b900cc0fd5f305dec54ebcf3fed5a (diff) | |
| parent | 802e47e8d84530d191817b2d86978a0b09803186 (diff) | |
Merge branch 'master' into ad-keytabs
Conflicts:
NEWS
Diffstat (limited to 'docs/design-acl')
-rw-r--r-- | docs/design-acl | 34 |
1 files changed, 26 insertions, 8 deletions
diff --git a/docs/design-acl b/docs/design-acl index 424b3c6..b8bb8b3 100644 --- a/docs/design-acl +++ b/docs/design-acl @@ -13,7 +13,7 @@ Introduction Syntax An ACL entry in the wallet consists of two pieces of data, a <scheme> - and an <instance>. <scheme> is one or more characters in the set + and an <identifier>. <scheme> is one or more characters in the set [a-z0-9-] that identifies the ACL backend to use when interpreting this ACL. <identifier> is zero or more characters including all printable ASCII characters except whitespace. Only the implementation @@ -50,11 +50,35 @@ Semantics ACL Schemes + external + + The <identifier> is arguments to an external command. Access is + granted if the external command returns success. The standard remctl + environment variables are exposed to the external command. + krb5 The <identifier> is a fully-qualified Kerberos principal. Access is granted if the principal of the client matches <identifier>. + ldap-attr + + <identifier> is an an attribute followed by an equal sign and a value. + If the LDAP entry corresponding to the given principal contains the + attribute and value specified by <identifier>, access is granted. + + ldap-attr-root + + This is almost identical to netdb except that the user must be in the + form of a root instance (<user>/root) and the "/root" portion is + stripped before checking the NetDB roles. + + nested + + <identifier> is the name of another ACL, and access is granted if it + is granted by that ACL. This can be used to organize multiple ACLs + into a group and apply their union to an object. + netdb <identifier> is the name of a system. Access is granted if the user 
@@ -67,13 +91,6 @@ ACL Schemes form of a root instance (<user>/root) and the "/root" portion is stripped before checking the NetDB roles. - ldap-entitlement - - (Not yet implemented.) <identifier> is an entitlement. If the - entitlement attribute of the LDAP entry corresponding to the given - principal contains the entitlement specified in <identifier>, access - is granted. - pts (Not yet implemented.) <identifier> is the name of an AFS PTS group. @@ -82,6 +99,7 @@ ACL Schemes License + Copyright 2016 Russ Allbery <eagle@eyrie.org> Copyright 2006, 2007, 2008, 2013 The Board of Trustees of the Leland Stanford Junior University |
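Review bot: the ldap-attr-root entry in the second hunk (@@ -50,11 +50,35 @@) is the netdb-root paragraph pasted under a new heading and describes the wrong scheme: it says "almost identical to netdb" and "before checking the NetDB roles", but this scheme belongs to the ldap-attr family, so it should read "almost identical to ldap-attr except that the user must be in the form of a root instance (<user>/root) and the "/root" portion is stripped before checking the LDAP attribute." Two smaller points in the same hunk: the ldap-attr entry has "is an an attribute" (doubled "an"), and the external entry grants access "if the external command returns success" without saying what counts as success (for instance a zero exit status) or how <identifier> is split into the command's arguments; since this scheme delegates an access decision to an arbitrary program, the contract with that program is worth spelling out here.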
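Review bot: the third hunk (@@ -67,13 +91,6 @@) drops the ldap-entitlement entry without recording why. The new ldap-attr scheme added earlier in this diff covers the same case (an attribute=value match against the principal's LDAP entry, with the entitlement attribute as the attribute), so the removal is reasonable, but a one-line note that ldap-attr supersedes the never-implemented ldap-entitlement would help anyone who planned around the old name; NEWS, which the merge message says had to be reconciled, is the natural place for it.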