authorRuss Allbery <rra@stanford.edu>2013-02-05 19:51:00 -0800
committerRuss Allbery <rra@stanford.edu>2013-02-05 20:22:52 -0800
commit271896c3a9dee9108e021519e340e4547ef5ab93 (patch)
tree214e36e8e60596e67fddfd456a72376d817255cd /perl/Wallet
parent7001e303c51b1b18f07fb764c91b5ff67b2318f8 (diff)
Separate legacy groups from new groups in Stanford policy
Add all the new group names for the Stanford naming policy and associate them with default ACLs (not yet used). Distinguish them from the legacy group names, and use the appropriate ones for naming policy enforcement. Change-Id: I4b87ff48d34d82195245798f41afefff26efa95d Reviewed-on: https://gerrit.stanford.edu/758 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
Diffstat (limited to 'perl/Wallet')
-rw-r--r--perl/Wallet/Policy/Stanford.pm20
1 files changed, 15 insertions, 5 deletions
diff --git a/perl/Wallet/Policy/Stanford.pm b/perl/Wallet/Policy/Stanford.pm
index 0183df8..840f5f3 100644
--- a/perl/Wallet/Policy/Stanford.pm
+++ b/perl/Wallet/Policy/Stanford.pm
@@ -39,9 +39,19 @@ BEGIN {
# The domain to append to hostnames to fully-qualify them.
our $DOMAIN = 'stanford.edu';
-# Groups for file object naming. This default is entirely Stanford-specific,
-# even more so than the rest of this file.
-our @GROUPS = qw(apps crcsg gsb idg sysadmin sulair vast);
+# Groups for file object naming, each mapped to the ACL to use for
+# non-host-based objects owned by that group. This default is entirely
+# Stanford-specific, even more so than the rest of this file.
+our %GROUPS = (
+ 'its-apps' => 'group/sharedapps',
+ 'its-crc-sg' => 'group/crcsg',
+ 'its-idg' => 'group/its-idg',
+ 'its-rc' => 'group/its-rc',
+ 'its-sa-core' => 'group/its-sa-core',
+);
+
+# Legacy group names for older file objects.
+our @GROUPS_LEGACY = qw(apps crcsg gsb idg sysadmin sulair vast);
# File object types. Each type can have one or more parameters: whether it is
# host-based (host), whether it takes a qualifier after the host or service
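Review bot: The new comment on `%GROUPS` does not say which part of the mapping is actually enforced: the rest of this commit consults only the keys in verify_name, and the commit message says the ACL values are not yet used, so a reader may assume the value is already granting access. Since the comment calls this a Stanford-specific default, any deployment that overrides `@Wallet::Policy::Stanford::GROUPS` (if such overrides are supported — not visible here) would now be silently ignored and fall back to these defaults, because the policy reads `%GROUPS` under a different name and a fully-qualified assignment raises no warning. I would extend the comment with `# Only the keys are consulted by verify_name; the ACL values are reserved for default-ACL assignment and are not read yet. This replaces the former @GROUPS list, so site overrides must set %GROUPS.`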
@@ -233,7 +243,6 @@ sub verify_name {
# Check file object naming conventions.
if ($type eq 'file') {
- my %groups = map { $_ => 1 } @GROUPS;
if ($name =~ m{ / }xms) {
my @name = split('/', $name);
@@ -274,7 +283,7 @@ sub verify_name {
my ($group, $service, $extra) = @name;
# Check the group.
- if (!$groups{$group}) {
+ if (!$GROUPS{$group}) {
return "unknown group $group";
}
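Review bot: The changed line `if (!$GROUPS{$group})` tests the truthiness of the group's ACL value rather than the presence of the key, so a group later listed with an empty or undefined default ACL would be rejected as unknown even though it is in the allowlist; the `%groups` set it replaces had no such coupling between the name check and the ACL. Use `if (!exists $GROUPS{$group}) {` so naming enforcement depends only on the configured group names. The enclosing verify_name body starts and ends outside this hunk.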
@@ -296,6 +305,7 @@ sub verify_name {
return;
} else {
# Legacy naming scheme.
+ my %groups = map { $_ => 1 } @GROUPS_LEGACY;
my %types = map { $_ => 1 } @FILE_TYPES_LEGACY;
if ($name !~ m,^[a-zA-Z0-9_.-]+$,) {
return "invalid file object $name";
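Review bot: The added `my %groups = map { $_ => 1 } @GROUPS_LEGACY;` makes the legacy names a live allowlist for every file object name without a `/`, so nothing in this hunk confines them to "older file objects" as the new variable's comment suggests; if verify_name is also run when objects are created (not visible here), new objects can still be named under the legacy groups. If that is intended, say so at the point of use, e.g. `# Legacy names remain accepted for any non-slash name; nothing here restricts them to pre-existing objects.`, otherwise the legacy branch needs a create-vs-existing distinction it does not currently have. The legacy branch, and the use of %groups, continue past the end of the hunk.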