diff options
| author | Russ Allbery <eagle@eyrie.org> | 2016-01-17 19:43:13 -0800 |
|---|---|---|
| committer | Russ Allbery <eagle@eyrie.org> | 2016-01-17 19:43:13 -0800 |
| commit | cf5297c4ec8815ecc7f5139ef05b9867843db2f7 (patch) | |
| tree | fef6ba149883530c7e7fba771be6ac2e59c4dfe9 /docs/design-acl | |
| parent | 7e03241ce323be7447b085a8e7b07b78c770b0dc (diff) | |
| parent | 4b3f858ef567c0d12511e7fea2a56f08f2729635 (diff) | |
Merge tag 'upstream/1.3' into debian/master
Upstream version 1.3
Diffstat (limited to 'docs/design-acl')
| -rw-r--r-- | docs/design-acl | 41 |
1 files changed, 30 insertions, 11 deletions
diff --git a/docs/design-acl b/docs/design-acl index 424b3c6..836c411 100644 --- a/docs/design-acl +++ b/docs/design-acl @@ -13,7 +13,7 @@ Introduction Syntax An ACL entry in the wallet consists of two pieces of data, a <scheme> - and an <instance>. <scheme> is one or more characters in the set + and an <identifier>. <scheme> is one or more characters in the set [a-z0-9-] that identifies the ACL backend to use when interpreting this ACL. <identifier> is zero or more characters including all printable ASCII characters except whitespace. Only the implementation @@ -31,9 +31,10 @@ Semantics used: Iterate through each ACL entry in the ACL in question. If the ACL entry is malformatted or the scheme is not recognized, skip it. Otherwise, dispatch the question to the check function of the ACL - implementation, passing it the principal identifying the client and - the <identifier> portion of the ACL entry. This function returns - either authorized or unauthorized. If authorized, end the search; if + implementation, passing it the principal identifying the client, the + <identifier> portion of the ACL entry, and the type and name of the + object the user is attempting to access. This function returns either + authorized or unauthorized. If authorized, end the search; if unauthorized, continue to the next ACL entry. There is no support in this scheme for negative ACLs. @@ -50,11 +51,35 @@ Semantics ACL Schemes + external + + The <identifier> is arguments to an external command. Access is + granted if the external command returns success. The standard remctl + environment variables are exposed to the external command. + krb5 The <identifier> is a fully-qualified Kerberos principal. Access is granted if the principal of the client matches <identifier>. + ldap-attr + + <identifier> is an an attribute followed by an equal sign and a value. + If the LDAP entry corresponding to the given principal contains the + attribute and value specified by <identifier>, access is granted. + + ldap-attr-root + + This is almost identical to netdb except that the user must be in the + form of a root instance (<user>/root) and the "/root" portion is + stripped before checking the NetDB roles. + + nested + + <identifier> is the name of another ACL, and access is granted if it + is granted by that ACL. This can be used to organize multiple ACLs + into a group and apply their union to an object. + netdb <identifier> is the name of a system. Access is granted if the user @@ -67,13 +92,6 @@ ACL Schemes form of a root instance (<user>/root) and the "/root" portion is stripped before checking the NetDB roles. - ldap-entitlement - - (Not yet implemented.) <identifier> is an entitlement. If the - entitlement attribute of the LDAP entry corresponding to the given - principal contains the entitlement specified in <identifier>, access - is granted. - pts (Not yet implemented.) <identifier> is the name of an AFS PTS group. @@ -82,6 +100,7 @@ ACL Schemes License + Copyright 2016 Russ Allbery <eagle@eyrie.org> Copyright 2006, 2007, 2008, 2013 The Board of Trustees of the Leland Stanford Junior University |