summaryrefslogtreecommitdiff
path: root/perl/Wallet/ACL.pm
diff options
context:
space:
mode:
Diffstat (limited to 'perl/Wallet/ACL.pm')
-rw-r--r--perl/Wallet/ACL.pm111
1 files changed, 58 insertions, 53 deletions
diff --git a/perl/Wallet/ACL.pm b/perl/Wallet/ACL.pm
index b96d2ac..76e7354 100644
--- a/perl/Wallet/ACL.pm
+++ b/perl/Wallet/ACL.pm
@@ -1,8 +1,7 @@
# Wallet::ACL -- Implementation of ACLs in the wallet system.
-# $Id$
#
# Written by Russ Allbery <rra@stanford.edu>
-# Copyright 2007, 2008 Board of Trustees, Leland Stanford Jr. University
+# Copyright 2007, 2008, 2010 Board of Trustees, Leland Stanford Jr. University
#
# See LICENSE for licensing terms.
@@ -22,7 +21,7 @@ use POSIX qw(strftime);
# This version should be increased on any code change to this module. Always
# use two digits for the minor version with a leading zero if necessary so
# that it will sort properly.
-$VERSION = '0.05';
+$VERSION = '0.06';
##############################################################################
# Constructors
@@ -428,6 +427,9 @@ __END__
Wallet::ACL - Implementation of ACLs in the wallet system
+=for stopwords
+ACL DBH metadata HOSTNAME DATETIME timestamp Allbery
+
=head1 SYNOPSIS
my $acl = Wallet::ACL->create ('group:sysadmin');
@@ -446,22 +448,22 @@ Wallet::ACL - Implementation of ACLs in the wallet system
=head1 DESCRIPTION
-Wallet::ACL implements the ACL system for the wallet: the methods to create,
-find, rename, and destroy ACLs; the methods to add and remove entries from
-an ACL; and the methods to list the contents of an ACL and check a principal
-against it.
+Wallet::ACL implements the ACL system for the wallet: the methods to
+create, find, rename, and destroy ACLs; the methods to add and remove
+entries from an ACL; and the methods to list the contents of an ACL and
+check a principal against it.
An ACL is a list of zero or more ACL entries, each of which consists of a
-scheme and an identifier. Each scheme is associated with a verifier module
-that checks Kerberos principals against identifiers for that scheme and
-returns whether the principal should be permitted access by that identifier.
-The interpretation of the identifier is entirely left to the scheme. This
-module maintains the ACLs and dispatches check operations to the appropriate
-verifier module.
-
-Each ACL is identified by a human-readable name and a persistant unique
-numeric identifier. The numeric identifier (ID) should be used to refer to
-the ACL so that it can be renamed as needed without breaking external
+scheme and an identifier. Each scheme is associated with a verifier
+module that checks Kerberos principals against identifiers for that scheme
+and returns whether the principal should be permitted access by that
+identifier. The interpretation of the identifier is entirely left to the
+scheme. This module maintains the ACLs and dispatches check operations to
+the appropriate verifier module.
+
+Each ACL is identified by a human-readable name and a persistent unique
+numeric identifier. The numeric identifier (ID) should be used to refer
+to the ACL so that it can be renamed as needed without breaking external
references.
=head1 CLASS METHODS
@@ -482,8 +484,8 @@ finding an existing one, creates a new ACL record in the database with the
given NAME. NAME must not be all-numeric, since that would conflict with
the automatically assigned IDs. Returns the new object on success and
throws an exception on failure. PRINCIPAL, HOSTNAME, and DATETIME are
-stored as history information. PRINCIPAL should be the user who is creating
-the ACL. If DATETIME isn't given, the current time is used.
+stored as history information. PRINCIPAL should be the user who is
+creating the ACL. If DATETIME isn't given, the current time is used.
=back
@@ -493,42 +495,43 @@ the ACL. If DATETIME isn't given, the current time is used.
=item add(SCHEME, INSTANCE, PRINCIPAL, HOSTNAME [, DATETIME])
-Add the given ACL entry (given by SCHEME and INSTANCE) to this ACL. Returns
-true on success and false on failure. On failure, the caller should call
-error() to get the error message. PRINCIPAL, HOSTNAME, and DATETIME are
-stored as history information. PRINCIPAL should be the user who is adding
-the ACL entry. If DATETIME isn't given, the current time is used.
+Add the given ACL entry (given by SCHEME and INSTANCE) to this ACL.
+Returns true on success and false on failure. On failure, the caller
+should call error() to get the error message. PRINCIPAL, HOSTNAME, and
+DATETIME are stored as history information. PRINCIPAL should be the user
+who is adding the ACL entry. If DATETIME isn't given, the current time is
+used.
=item check(PRINCIPAL)
Checks whether the given PRINCIPAL should be allowed access given ACL.
Returns 1 if access was granted, 0 if access is declined, and undef on
-error. On error, the caller should call error() to get the error text. Any
-errors found by the individual ACL verifiers can be retrieved by calling
-check_errors(). Errors from individual ACL verifiers will not result in an
-error return from check(); instead, the check will continue with the next
-entry in the ACL.
+error. On error, the caller should call error() to get the error text.
+Any errors found by the individual ACL verifiers can be retrieved by
+calling check_errors(). Errors from individual ACL verifiers will not
+result in an error return from check(); instead, the check will continue
+with the next entry in the ACL.
check() returns success as soon as an entry in the ACL grants access to
PRINCIPAL. There is no provision for negative ACLs or exceptions.
=item check_errors()
-Return (as a list in array context and a string with newlines between errors
-and at the end of the last error in scalar context) the errors, if any,
-returned by ACL verifiers for the last check operation. If there were no
-errors from the last check() operation, returns the empty list in array
-context and undef in scalar context.
+Return (as a list in array context and a string with newlines between
+errors and at the end of the last error in scalar context) the errors, if
+any, returned by ACL verifiers for the last check operation. If there
+were no errors from the last check() operation, returns the empty list in
+array context and undef in scalar context.
=item destroy(PRINCIPAL, HOSTNAME [, DATETIME])
Destroys this ACL from the database. Note that this will fail due to
integrity constraint errors if the ACL is still referenced by any object;
-the ACL must be removed from all objects first. Returns true on success and
-false on failure. On failure, the caller should call error() to get the
-error message. PRINCIPAL, HOSTNAME, and DATETIME are stored as history
-information. PRINCIPAL should be the user who is destroying the ACL. If
-DATETIME isn't given, the current time is used.
+the ACL must be removed from all objects first. Returns true on success
+and false on failure. On failure, the caller should call error() to get
+the error message. PRINCIPAL, HOSTNAME, and DATETIME are stored as
+history information. PRINCIPAL should be the user who is destroying the
+ACL. If DATETIME isn't given, the current time is used.
=item error()
@@ -543,7 +546,8 @@ the ACL (not including changes to the name of the ACL) will be represented
by two lines. The first line will have a timestamp of the change followed
by a description of the change, and the second line will give the user who
made the change and the host from which the change was made. On failure,
-returns undef, and the caller should call error() to get the error message.
+returns undef, and the caller should call error() to get the error
+message.
=item id()
@@ -570,28 +574,29 @@ Returns the human-readable name of this ACL.
=item remove(SCHEME, INSTANCE, PRINCIPAL, HOSTNAME [, DATETIME])
Remove the given ACL line (given by SCHEME and INSTANCE) from this ACL.
-Returns true on success and false on failure. On failure, the caller should
-call error() to get the error message. PRINCIPAL, HOSTNAME, and DATETIME
-are stored as history information. PRINCIPAL should be the user who is
-removing the ACL entry. If DATETIME isn't given, the current time is used.
+Returns true on success and false on failure. On failure, the caller
+should call error() to get the error message. PRINCIPAL, HOSTNAME, and
+DATETIME are stored as history information. PRINCIPAL should be the user
+who is removing the ACL entry. If DATETIME isn't given, the current time
+is used.
=item rename(NAME)
Rename this ACL. This changes the name used for human convenience but not
the system-generated ACL ID that is used to reference this ACL. The new
NAME must not be all-numeric, since that would conflict with
-system-generated ACL IDs. Returns true on success and false on failure. On
-failure, the caller should call error() to get the error message.
+system-generated ACL IDs. Returns true on success and false on failure.
+On failure, the caller should call error() to get the error message.
Note that rename() operations are not logged in the ACL history.
=item show()
-Returns a human-readable description of this ACL, including its membership.
-This method should only be used for display of the ACL to humans. Use the
-list(), name(), and id() methods instead to get ACL information for use in
-other code. On failure, returns undef, and the caller should call error()
-to get the error message.
+Returns a human-readable description of this ACL, including its
+membership. This method should only be used for display of the ACL to
+humans. Use the list(), name(), and id() methods instead to get ACL
+information for use in other code. On failure, returns undef, and the
+caller should call error() to get the error message.
=back
@@ -599,8 +604,8 @@ to get the error message.
Wallet::ACL::Base(3), wallet-backend(8)
-This module is part of the wallet system. The current version is available
-from L<http://www.eyrie.org/~eagle/software/wallet/>.
+This module is part of the wallet system. The current version is
+available from L<http://www.eyrie.org/~eagle/software/wallet/>.
=head1 AUTHOR
generated by cgit v1.2.3 (git 2.39.1) at 2025-02-06 01:09:23 +0000