From 6ab69d850ec27889ebc21da0bacc4aa5adf7ce97 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 16 Jul 2012 16:54:47 -0700 Subject: Add objects-and-schemes to EXTRA_DIST, rename --- docs/objects-and-schemes | 90 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 90 insertions(+) create mode 100644 docs/objects-and-schemes (limited to 'docs/objects-and-schemes') diff --git a/docs/objects-and-schemes b/docs/objects-and-schemes new file mode 100644 index 0000000..9d92c7b --- /dev/null +++ b/docs/objects-and-schemes 
@@ -0,0 +1,90 @@ + Supported Object Types and ACL Schemes + +Introduction + + This is a list of all supported wallet object types and ACL schemes in + the current version of wallet, with some brief information about the + properties of each one. For more detailed documentation, see the + documentation of the underlying Wallet::Object::* class or + Wallet::ACL::* class referenced here. + +Object Types + + file + + Stores an arbitrary file and allows retrieval of that file. The file + must be stored before it can be retrieved. All files are stored on + the local file system of the wallet server in a directory organized by + a hash of the name of the file object. The size of file objects is + limited by wallet server configuration. File contents may include nul + characters. + + Implemented via Wallet::Object::File. + + keytab + + Stores a keytab representing private keys for a given Kerberos + principal. The object name is the Kerberos principal (without the + realm). On object creation, the Kerberos principal is created in the + underlying KDC; on object destruction, the Kerberos principal is also + deleted. Normally, any retrieval of the object creates new random + keys for all supported enctypes and then returns a new keytab + containing those keys. Store is not supported. + + Keytab objects with the unchanging flag set will retrieve the existing + keys from the Kerberos KDC instead of randomizing the keys. For MIT + Kerberos, this requires a custom backend be installed on the KDC. + + The enctypes of the returned keys can be restricted by setting the + enctypes attribute on the wallet object. + + Implemented via Wallet::Object::Keytab. + +ACL Schemes + + krb5 + + The value is a string representation of a Kerberos principal name. + This ACL grants access if the authenticated wallet client user (as + determined by remctl or whatever other protocol is used for the wallet + transport) equals the ACL value. + + Implemented via Wallet::ACL::Krb5. 
+ + krb5-regex + + Like krb5, but instead of taking the principal string, takes a regular + expression that is matched against the principal string. Grants + access if the regular expression matches the user identity. + + Implemented via Wallet::ACL::Krb5::Regex. + + ldap-attr + + The value is an LDAP attribute, an equal sign, and the value that + attribute must have. The LDAP entry for the user (determined via + site-local customization in the wallet configuration file) is + retrieved, and the wallet server checks that the user's LDAP entry + contains that attribute with that value. If so, access is granted. + This effectively implements an entitlement check. + + Implemented via Wallet::ACL::LDAP::Attribute. + + netdb + + The value is a hostname. NetDB (a system for managing DNS, DHCP, and + related machine information) is queried to see what roles the client + user has for that hostname. If the user has a role of user, admin, or + team, the ACL grants access. + + Implemented via Wallet::ACL::NetDB. + + netdb-root + + Identical to netdb, except that the user identity is taken as a + Kerberos principal and must be in the form of /root@. + The /root part is stripped before checking NetDB for roles. This + forces users to use /root instances for wallet operations instead of + their normal principals. + + Implemented via Wallet::ACL::NetDB::Root. -- cgit v1.2.3 From 2fdf8ac3a51bd455ae5cd2a4c0ca98e515bce3d4 Mon Sep 17 00:00:00 2001 
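Review bot: in the docs/objects-and-schemes hunk of commit 6ab69d8, the krb5-regex entry does not say whether the pattern is anchored, and that is the property a deployer needs to know: an unanchored expression such as `host/.*` also matches any principal that merely contains that text, including one in a foreign realm. State whether Wallet::ACL::Krb5::Regex anchors the match against the full principal string and, if it does not, advise writing patterns with explicit ^ and $ anchors and an explicit realm. In the same hunk, the netdb-root entry's required principal form is rendered as "/root@" with nothing around it; spell out the user and realm parts of the form so the restriction is unambiguous.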
From: Russ Allbery Date: Wed, 27 Feb 2013 15:41:10 -0800 Subject: Add license statements to all textual documentation in docs Change-Id: Id5af9714e3d4f516cf7391c869eff89521e145c5 Reviewed-on: https://gerrit.stanford.edu/849 Reviewed-by: Russ Allbery Tested-by: Russ Allbery --- docs/design | 10 ++++++++++ docs/design-acl | 10 ++++++++++ docs/design-api | 10 ++++++++++ docs/netdb-role-api | 10 ++++++++++ docs/notes | 10 ++++++++++ docs/objects-and-schemes | 10 ++++++++++ docs/setup | 10 ++++++++++ docs/stanford-naming | 10 ++++++++++ 8 files changed, 80 insertions(+) (limited to 'docs/objects-and-schemes') diff --git a/docs/design b/docs/design index f7faa55..4bb5587 100644 --- a/docs/design +++ b/docs/design @@ -369,3 +369,13 @@ Security Considerations operations on an object to allow retrieval of the complete history of an object. Third, all wallet operations are logged to syslog and therefore suitable for archiving, analysis, and forensics. + +License + + Copyright 2007, 2008, 2013 + The Board of Trustees of the Leland Stanford Junior University + + Copying and distribution of this file, with or without modification, + are permitted in any medium without royalty provided the copyright + notice and this notice are preserved. This file is offered as-is, + without any warranty. diff --git a/docs/design-acl b/docs/design-acl index dde3395..424b3c6 100644 --- a/docs/design-acl +++ b/docs/design-acl @@ -79,3 +79,13 @@ ACL Schemes (Not yet implemented.) is the name of an AFS PTS group. Access is granted if the principal of the user is a member of that AFS PTS group. + +License + + Copyright 2006, 2007, 2008, 2013 + The Board of Trustees of the Leland Stanford Junior University + + Copying and distribution of this file, with or without modification, + are permitted in any medium without royalty provided the copyright + notice and this notice are preserved. This file is offered as-is, + without any warranty. 
diff --git a/docs/design-api b/docs/design-api index 8fa2374..9a36e61 100644 --- a/docs/design-api +++ b/docs/design-api @@ -167,3 +167,13 @@ Registering New Implementations where or is the object type or ACL scheme and is the Perl class which implements that object type or ACL verifier. + +License + + Copyright 2006, 2007, 2008, 2013 + The Board of Trustees of the Leland Stanford Junior University + + Copying and distribution of this file, with or without modification, + are permitted in any medium without royalty provided the copyright + notice and this notice are preserved. This file is offered as-is, + without any warranty. diff --git a/docs/netdb-role-api b/docs/netdb-role-api index 6dbcfa4..c90182a 100644 --- a/docs/netdb-role-api +++ b/docs/netdb-role-api @@ -30,3 +30,13 @@ Wallet Issues We'll need to get a principal registered to use it that can query anything for any node but isn't otherwise authorized to use NetDB. + +License + + Copyright 2006, 2007, 2013 + The Board of Trustees of the Leland Stanford Junior University + + Copying and distribution of this file, with or without modification, + are permitted in any medium without royalty provided the copyright + notice and this notice are preserved. This file is offered as-is, + without any warranty. diff --git a/docs/notes b/docs/notes index 97cc5bd..84a82d1 100644 --- a/docs/notes +++ b/docs/notes @@ -226,3 +226,13 @@ Client Issues There are other approaches, but the other approaches all require changes to the server side as well, whereas this is self-contained in the client and can be more easily dropped when we drop K4. + +License + + Copyright 2006, 2007, 2008, 2013 + The Board of Trustees of the Leland Stanford Junior University + + Copying and distribution of this file, with or without modification, + are permitted in any medium without royalty provided the copyright + notice and this notice are preserved. This file is offered as-is, + without any warranty. 
diff --git a/docs/objects-and-schemes b/docs/objects-and-schemes index 9d92c7b..57c2f9f 100644 --- a/docs/objects-and-schemes +++ b/docs/objects-and-schemes @@ -88,3 +88,13 @@ ACL Schemes their normal principals. Implemented via Wallet::ACL::NetDB::Root. + +License + + Copyright 2012, 2013 + The Board of Trustees of the Leland Stanford Junior University + + Copying and distribution of this file, with or without modification, + are permitted in any medium without royalty provided the copyright + notice and this notice are preserved. This file is offered as-is, + without any warranty. diff --git a/docs/setup b/docs/setup index b8854fc..670cf57 100644 --- a/docs/setup +++ b/docs/setup @@ -85,3 +85,13 @@ Wallet Configuration acl create command, add the ACL entries that should own that object to that ACL with acl add, and then set that ACL as the owner of the object with the owner command. + +License + + Copyright 2007, 2008, 2010, 2012, 2013 + The Board of Trustees of the Leland Stanford Junior University + + Copying and distribution of this file, with or without modification, + are permitted in any medium without royalty provided the copyright + notice and this notice are preserved. This file is offered as-is, + without any warranty. diff --git a/docs/stanford-naming b/docs/stanford-naming index 5207c40..bdf5027 100644 --- a/docs/stanford-naming +++ b/docs/stanford-naming @@ -317,3 +317,13 @@ ACL Naming krb5 host/example-dev.stanford.edu@stanford.edu Such an ACL would normally be named service/example. + +License + + Copyright 2008, 2009, 2010, 2011, 2013 + The Board of Trustees of the Leland Stanford Junior University + + Copying and distribution of this file, with or without modification, + are permitted in any medium without royalty provided the copyright + notice and this notice are preserved. This file is offered as-is, + without any warranty. -- cgit v1.2.3
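Review bot: the copyright year lists in these eight license hunks differ per file (docs/netdb-role-api gets 2006, 2007, 2013 while docs/design-acl gets 2006, 2007, 2008, 2013, for example), and only one of them can be checked against this page: docs/objects-and-schemes was created in the July 2012 commit above and gets 2012, 2013, which is consistent. Confirm the remaining year lists against each file's git log before merging; the notice text itself is identical across all eight hunks, so only the years need checking.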