1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
|
ACL Layer Design for the Wallet
Introduction
This is a description of the ACL layer of the wallet implementation.
This is a specification of the expected behavior of the ACL
implementation and includes the syntax and semantics of ACL strings
used in the database. The ACL entries used by the wallet are intended
to be an extensible format to which additional ACL backends may be
added as needed. When new ACL backends are added, they should be
described here.
Syntax
An ACL entry in the wallet consists of two pieces of data, a <scheme>
and an <identifier>. <scheme> is one or more characters in the set
[a-z0-9-] that identifies the ACL backend to use when interpreting
this ACL. <identifier> is zero or more characters including all
printable ASCII characters except whitespace. Only the implementation
of <scheme> knows about the meaning of <identifier>. <identifier> may
include zero or more users.
Semantics
All users are authenticated to the wallet by Kerberos and are
therefore represented by a Kerberos principal, which follows the
normal Kerberos rules for string representation.
Whenever there is a question about whether a user is permitted an
action by a particular ACL, the following verification algorithm is
used: Iterate through each ACL entry in the ACL in question. If the
ACL entry is malformatted or the scheme is not recognized, skip it.
Otherwise, dispatch the question to the check function of the ACL
implementation, passing it the principal identifying the client, the
<identifier> portion of the ACL entry, and the type and name of the
object the user is attempting to access. This function returns either
authorized or unauthorized. If authorized, end the search; if
unauthorized, continue to the next ACL entry.
There is no support in this scheme for negative ACLs.
There is one slight complication, namely that some ACL methods need to
maintain persistant state for performance reasons (consider, for
example, an ACL layer implemented with LDAP queries). Therefore, each
ACL handler should be represented by an object, and when the ACL code
discovers it doesn't already have an object on hand for a given ACL
scheme, it should construct one before querying it. If construction
fails, it should fail that scheme and any ACL that uses that scheme,
but still allow access if an ACL not using that scheme grants access
to the user.
ACL Schemes
external
The <identifier> is arguments to an external command. Access is
granted if the external command returns success. The standard remctl
environment variables are exposed to the external command.
krb5
The <identifier> is a fully-qualified Kerberos principal. Access is
granted if the principal of the client matches <identifier>.
ldap-attr
<identifier> is an an attribute followed by an equal sign and a value.
If the LDAP entry corresponding to the given principal contains the
attribute and value specified by <identifier>, access is granted.
ldap-attr-root
This is almost identical to netdb except that the user must be in the
form of a root instance (<user>/root) and the "/root" portion is
stripped before checking the NetDB roles.
nested
<identifier> is the name of another ACL, and access is granted if it
is granted by that ACL. This can be used to organize multiple ACLs
into a group and apply their union to an object.
netdb
<identifier> is the name of a system. Access is granted if the user
is listed as an administrator, user, or admin team member of the host
in NetDB (Stanford's system management database).
netdb-root
This is almost identical to netdb except that the user must be in the
form of a root instance (<user>/root) and the "/root" portion is
stripped before checking the NetDB roles.
pts
(Not yet implemented.) <identifier> is the name of an AFS PTS group.
Access is granted if the principal of the user is a member of that AFS
PTS group.
License
Copyright 2016 Russ Allbery <eagle@eyrie.org>
Copyright 2006, 2007, 2008, 2013
The Board of Trustees of the Leland Stanford Junior University
Copying and distribution of this file, with or without modification,
are permitted in any medium without royalty provided the copyright
notice and this notice are preserved. This file is offered as-is,
without any warranty.
|
