summaryrefslogtreecommitdiff
path: root/perl/lib/Wallet/Config.pm
diff options
context:
space:
mode:
authorRuss Allbery <eagle@eyrie.org>2016-01-03 19:29:20 -0800
committerRuss Allbery <eagle@eyrie.org>2016-01-03 19:29:20 -0800
commit23a6b180f975c24c8ee4190467c74b78fde0d084 (patch)
treea729417aa495ad72256d567b04cf8a0601bfa95f /perl/lib/Wallet/Config.pm
parent99c718eff041657704a50589486bde2f9e4391f7 (diff)
Add Wallet::ACL::External ACL type
A new ACL type, external (Wallet::ACL::External), is now supported. This ACL runs an external command to check if access is allowed, and passes the principal and the ACL identifier to that command. To enable this ACL type for an existing wallet database, use wallet-admin to register the new verifier. Change-Id: I21b72b4373eefc92985aca1505e2d1a1ec699602
Diffstat (limited to 'perl/lib/Wallet/Config.pm')
-rw-r--r--perl/lib/Wallet/Config.pm35
1 files changed, 33 insertions, 2 deletions
diff --git a/perl/lib/Wallet/Config.pm b/perl/lib/Wallet/Config.pm
index b3e1931..98b5dc9 100644
--- a/perl/lib/Wallet/Config.pm
+++ b/perl/lib/Wallet/Config.pm
@@ -1,7 +1,8 @@
# Wallet::Config -- Configuration handling for the wallet server.
#
# Written by Russ Allbery <eagle@eyrie.org>
-# Copyright 2007, 2008, 2010, 2013, 2014
+# Copyright 2016 Russ Allbery <eagle@eyrie.org>
+# Copyright 2007, 2008, 2010, 2013, 2014, 2015
# The Board of Trustees of the Leland Stanford Junior University
#
# See LICENSE for licensing terms.
@@ -16,7 +17,7 @@ use vars qw($PATH $VERSION);
# This version should be increased on any code change to this module. Always
# use two digits for the minor version with a leading zero if necessary so
# that it will sort properly.
-$VERSION = '0.05';
+$VERSION = '0.06';
# Path to the config file to load.
$PATH = $ENV{WALLET_CONFIG} || '/etc/wallet/wallet.conf';
@@ -540,6 +541,36 @@ our $WAKEYRING_PURGE_INTERVAL = 60 * 60 * 24 * 90;
=back
+=head1 EXTERNAL ACL CONFIGURATION
+
+This configuration variable is only needed if you intend to use the
+C<external> ACL type (the Wallet::ACL::External class). This ACL type
+runs an external command to determine if access is granted.
+
+=over 4
+
+=item EXTERNAL_COMMAND
+
+Path to the command to run to determine whether access is granted. The
+first argument to the command will be the principal requesting access.
+The identifier of the ACL will be split on whitespace and passed in as the
+remaining arguments to this command.
+
+No other arguments are passed to the command, but the command will have
+access to all of the remctl environment variables seen by the wallet
+server (such as REMOTE_USER). For a full list of environment variables,
+see L<remctld(8)/ENVIRONMENT>.
+
+The external command should exit with a non-zero status but no output to
+indicate a normal failure to satisfy the ACL. Any output will be treated
+as an error.
+
+=cut
+
+our $EXTERNAL_COMMAND;
+
+=back
+
=head1 LDAP ACL CONFIGURATION
These configuration variables are only needed if you intend to use the