summaryrefslogtreecommitdiff
path: root/perl/Wallet/Config.pm
diff options
context:
space:
mode:
Diffstat (limited to 'perl/Wallet/Config.pm')
-rw-r--r--perl/Wallet/Config.pm72
1 files changed, 62 insertions, 10 deletions
diff --git a/perl/Wallet/Config.pm b/perl/Wallet/Config.pm
index 396bf7d..23a051d 100644
--- a/perl/Wallet/Config.pm
+++ b/perl/Wallet/Config.pm
@@ -14,7 +14,7 @@ use vars qw($PATH $VERSION);
# This version should be increased on any code change to this module. Always
# use two digits for the minor version with a leading zero if necessary so
# that it will sort properly.
-$VERSION = '0.04';
+$VERSION = '0.05';
# Path to the config file to load.
$PATH = $ENV{WALLET_CONFIG} || '/etc/wallet/wallet.conf';
@@ -90,7 +90,7 @@ Sets the Perl database driver to use for the wallet database. Common
values would be C<SQLite> or C<MySQL>. Less common values would be
C<Oracle>, C<Sybase>, or C<ODBC>. The appropriate DBD::* Perl module for
the chosen driver must be installed and will be dynamically loaded by the
-wallet. For more information, see DBI(3).
+wallet. For more information, see L<DBI>.
This variable must be set.
@@ -104,7 +104,7 @@ Sets the remaining contents for the DBI DSN (everything after the driver).
Using this variable provides full control over the connect string passed
to DBI. When using SQLite, set this variable to the path to the SQLite
database. If this variable is set, DB_NAME, DB_HOST, and DB_PORT are
-ignored. For more information, see DBI(3) and the documentation for the
+ignored. For more information, see L<DBI> and the documentation for the
database driver you're using.
Either DB_INFO or DB_NAME must be set. If you don't need to pass any
@@ -119,7 +119,7 @@ our $DB_INFO;
If DB_INFO is not set, specifies the database name. The third part of the
DBI connect string will be set to C<database=DB_NAME>, possibly with a
host and port appended if DB_HOST and DB_PORT are set. For more
-information, see DBI(3) and the documentation for the database driver
+information, see L<DBI> and the documentation for the database driver
you're using.
Either DB_INFO or DB_NAME must be set.
@@ -131,7 +131,7 @@ our $DB_NAME;
=item DB_HOST
If DB_INFO is not set, specifies the database host. C<;host=DB_HOST> will
-be appended to the DBI connect string. For more information, see DBI(3)
+be appended to the DBI connect string. For more information, see L<DBI>
and the documentation for the database driver you're using.
=cut
@@ -142,7 +142,7 @@ our $DB_HOST;
If DB_PORT is not set, specifies the database port. C<;port=DB_PORT> will
be appended to the DBI connect string. If this variable is set, DB_HOST
-should also be set. For more information, see DBI(3) and the
+should also be set. For more information, see L<DBI> and the
documentation for the database driver you're using.
=cut
@@ -179,7 +179,7 @@ C<file> object type (the Wallet::Object::File class).
=item FILE_BUCKET
The directory into which to store file objects. File objects will be
-stored in subdirectories of this directory. See Wallet::Object::File(3)
+stored in subdirectories of this directory. See L<Wallet::Object::File>
for the full details of the naming scheme. This directory must be
writable by the wallet server and the wallet server must be able to create
subdirectories of it.
@@ -513,12 +513,21 @@ By default, wallet permits administrators to create objects of any name
(unless the object backend rejects the name). However, naming standards
for objects can be enforced, even for administrators, by defining a Perl
function in the configuration file named verify_name. If such a function
-exists, it will be called for any object creation and given the type of
-object, the object name, and the identity of the person doing the
+exists, it will be called for any object creation and will be passed the
+type of object, the object name, and the identity of the person doing the
creation. If it returns undef or the empty string, object creation will
be allowed. If it returns anything else, object creation is rejected and
the return value is used as the error message.
+This function is also called for naming audits done via Wallet::Report
+to find any existing objects that violate a (possibly updated) naming
+policy. In this case, the third argument (the identity of the person
+creating the object) will be undef. As a general rule, if the third
+argument is undef, the function should apply the most liberal accepted
+naming policy so that the audit returns only objects that violate all
+naming policies, but some sites may wish different results for their audit
+reports.
+
Please note that this return status is backwards from what one would
normally expect. A false value is success; a true value is failure with
an error message.
@@ -540,7 +549,50 @@ keytab objects for particular principals have fully-qualified hostnames:
}
Objects that aren't of type C<keytab> or which aren't for a host-based key
-have no naming requirements enforced.
+have no naming requirements enforced by this example.
+
+=head1 ACL NAMING ENFORCEMENT
+
+Similar to object names, by default wallet permits administrators to
+create ACLs with any name. However, naming standards for ACLs can be
+enforced by defining a Perl function in the configuration file named
+verify_acl_name. If such a function exists, it will be called for any ACL
+creation or rename and will be passed given the new ACL name and the
+identity of the person doing the creation. If it returns undef or the
+empty string, object creation will be allowed. If it returns anything
+else, object creation is rejected and the return value is used as the
+error message.
+
+This function is also called for naming audits done via Wallet::Report to
+find any existing objects that violate a (possibly updated) naming policy.
+In this case, the second argument (the identity of the person creating the
+ACL) will be undef. As a general rule, if the second argument is undef,
+the function should apply the most liberal accepted naming policy so that
+the audit returns only ACLs that violate all naming policies, but some
+sites may wish different results for their audit reports.
+
+Please note that this return status is backwards from what one would
+normally expect. A false value is success; a true value is failure with
+an error message.
+
+For example, the following verify_acl_name function would ensure that any
+ACLs created contain a slash and the part before the slash be one of
+C<host>, C<group>, C<user>, or C<service>.
+
+ sub verify_acl_name {
+ my ($name, $user) = @_;
+ return 'ACL names must contain a slash' unless $name =~ m,/,;
+ my ($first, $rest) = split ('/', $name, 2);
+ my %types = map { $_ => 1 } qw(host group user service);
+ unless ($types{$first}) {
+ return "unknown ACL type $first";
+ }
+ return;
+ }
+
+Obvious improvements could be made, such as checking that the part after
+the slash for a C<host/> ACL looked like a host name and the part after a
+slash for a C<user/> ACL look like a user name.
=head1 ENVIRONMENT
generated by cgit v1.2.3 (git 2.39.1) at 2025-02-05 18:50:54 +0000