XrdAccAccess Class Reference

#include <XrdAccAccess.hh>

Inheritance diagram for XrdAccAccess:

Collaboration diagram for XrdAccAccess:

Public Member Functions
	XrdAccAccess (XrdSysError *erp)
	~XrdAccAccess ()
XrdAccPrivs	Access (const XrdSecEntity *Entity, const char *path, const Access_Operation oper, XrdOucEnv *Env=0)
int	Audit (const int accok, const XrdSecEntity *Entity, const char *path, const Access_Operation oper, XrdOucEnv *Env=0)
void	SwapTabs (struct XrdAccAccess_Tables &newtab)
int	Test (const XrdAccPrivs priv, const Access_Operation oper)
Public Member Functions inherited from XrdAccAuthorize
	XrdAccAuthorize ()
	Constructor. More...
virtual	~XrdAccAuthorize ()
	Destructor. More...
virtual XrdAccPrivs	Access (const XrdSecEntity *Entity, const char *path, const Access_Operation oper, std::string &eInfo, XrdOucEnv *Env=0)

Static Public Member Functions
static const char *	Resolve (const XrdSecEntity *Entity)

Friends
class	XrdAccConfig

Detailed Description

Definition at line 127 of file XrdAccAccess.hh.

Constructor & Destructor Documentation

XrdAccAccess()

XrdAccAccess::XrdAccAccess

(

XrdSysError *

erp

)

Definition at line 94 of file XrdAccAccess.cc.

{
// Get the audit option that we should use
//
   Auditor = XrdAccAuditObject(erp);
}

References XrdAccAuditObject().

Here is the call graph for this function:

~XrdAccAccess()

XrdAccAccess::~XrdAccAccess ( )

inline

Definition at line 156 of file XrdAccAccess.hh.

{} // The access object is never deleted

Member Function Documentation

Access()

XrdAccPrivs XrdAccAccess::Access ( const XrdSecEntity *  Entity, const char *  path, const Access_Operation  oper, XrdOucEnv *  Env = 0  )

virtual

Check whether or not the client is permitted specified access to a path.

Parameters

Entity	-> Authentication information
path	-> The logical path which is the target of oper
oper	-> The operation being attempted (see the enum above). If the oper is AOP_Any, then the actual privileges are returned and the caller may make subsequent tests using Test().
Env	-> Environmental information at the time of the operation as supplied by the path CGI string. This is optional and the pointer may be zero.

Returns

Permit: a non-zero value (access is permitted) Deny: zero (access is denied)

Implements XrdAccAuthorize.

Definition at line 105 of file XrdAccAccess.cc.

{
   XrdAccGroupList  *glp;
   XrdAccPrivCaps    caps;
   XrdAccCapability *cp;
   XrdAccEntity     *aeP;
   XrdAccEntityInfo  eInfo;
   int plen = strlen(path);
   long phash = XrdOucHashVal2(path, plen);
   bool isuser;
 
// Obtain an authorization entity (it will be released upon return).
//
   XrdAccEntityInit accEntity(Entity, aeP);
   if (!aeP) return Access2(caps, Entity, path, oper);
 
// Setup the id (we don't need a lock for that)
//
   std::string username;
   auto got_token = Entity->eaAPI->Get("request.name", username);
   if (got_token && !username.empty())
      {eInfo.name = username.c_str();
       isuser = true;
      }
   else if (Entity->name)
      {eInfo.name = Entity->name;
       isuser = (*eInfo.name != 0);
      } else {
       eInfo.name = "*";
       isuser = false;
      }
 
// Get a shared context for these potentially long running routines
//
   Access_Context.Lock(xs_Shared);
 
// Setup the host entry in the eInfo structure (it may need to be resolved)
//
   eInfo.host = (hostRefX ? Resolve(Entity) : "?");
 
// Run through the exclusive list first as only one rule will apply
//
   if (Atab.SXList)
      {XrdAccAccess_ID *xlP = Atab.SXList;
       do {int aSeq = 0;
           while(aeP->Next(aSeq, eInfo))
                {if (xlP->Applies(eInfo))
                    {xlP->caps->Privs(caps, path, plen, phash);
                     Access_Context.UnLock(xs_Shared);
                     return Access2(caps, Entity, path, oper);
                    }
                }
           xlP = xlP->next;
          } while(xlP);
      }
 
// Check if we really need to resolve the host name
//
//???   if (Atab.D_List || Atab.H_Hash || Atab.N_Hash) host = Resolve(Entity);
   if (!hostRefX && hostRefY) eInfo.host = Resolve(Entity);
 
// Establish default privileges
//
   if (Atab.Z_List) Atab.Z_List->Privs(caps, path, plen, phash);
 
// Next add in the host domain privileges
//
   if (Atab.D_List && (cp = Atab.D_List->Find(eInfo.host)))
      cp->Privs(caps, path, plen, phash);
 
// Next add in the host-specific privileges
//
   if (Atab.H_Hash && (cp = Atab.H_Hash->Find(eInfo.host)))
      cp->Privs(caps, path, plen, phash);
 
// Now add in the netgroup privileges
//
   if (Atab.N_Hash && *eInfo.host != '?' &&
       (glp = XrdAccConfiguration.GroupMaster.NetGroups(eInfo.name,eInfo.host)))
      {char *gname;
       while((gname = (char *)glp->Next()))
            if ((cp = Atab.N_Hash->Find((const char *)gname)))
               cp->Privs(caps, path, plen, phash);
       delete glp;
      }
 
// Check for user fungible privileges
//
   if (isuser && Atab.X_List)
      Atab.X_List->Privs(caps, path, plen, phash, eInfo.name);
 
// Add in specific user privileges
//
   if (isuser && Atab.U_Hash && (cp = Atab.U_Hash->Find(eInfo.name)))
      cp->Privs(caps, path, plen, phash);
 
// The following privileges are based on multiple attributes. Orgs and roles
// may be repeated but groups generally will not be.
//
   const char *vorgPrev = 0, *rolePrev = 0;
   int aSeq = 0;
 
   while(aeP->Next(aSeq, eInfo))
        {
         // Add in the group privileges.
         //
         if (Atab.G_Hash && eInfo.grup && (cp = Atab.G_Hash->Find(eInfo.grup)))
            cp->Privs(caps, path, plen, phash);
 
         // Add in the org-specific privileges
         //
         if (Atab.O_Hash && eInfo.vorg && eInfo.vorg != vorgPrev)
            {vorgPrev = eInfo.vorg;
             if ((cp = Atab.O_Hash->Find(eInfo.vorg)))
                cp->Privs(caps, path, plen, phash);
            }
 
         // Add in the role-specific privileges
         //
         if (Atab.R_Hash && eInfo.role && eInfo.role != rolePrev)
            {rolePrev = eInfo.role;
             if ((cp = Atab.R_Hash->Find(eInfo.role)))
                cp->Privs(caps, path, plen, phash);
            }
 
         // Finally run through the inclusive list and apply all relevant rules
         //
         XrdAccAccess_ID *ylP = Atab.SYList;
         while (ylP)
               {if (ylP->Applies(eInfo))
                   ylP->caps->Privs(caps, path, plen, phash);
                ylP = ylP->next;
               }
        }
 
// We are now done with looking at changeable data
//
   Access_Context.UnLock(xs_Shared);
 
// Return the privileges as needed
//
   return Access2(caps, Entity, path, oper);
}

References XrdAccAccess_ID::Applies(), XrdAccAccess_ID::caps, XrdAccAccess_Tables::D_List, XrdSecEntity::eaAPI, XrdOucHash< T >::Find(), XrdAccCapName::Find(), XrdAccAccess_Tables::G_Hash, XrdSecEntityAttr::Get(), XrdAccConfig::GroupMaster, XrdAccEntityInfo::grup, XrdAccAccess_Tables::H_Hash, XrdAccEntityInfo::host, XrdSysXSLock::Lock(), XrdAccAccess_Tables::N_Hash, XrdAccEntityInfo::name, XrdSecEntity::name, XrdAccGroups::NetGroups(), XrdAccAccess_ID::next, XrdAccGroupList::Next(), XrdAccEntity::Next(), XrdAccAccess_Tables::O_Hash, XrdAccCapability::Privs(), XrdAccAccess_Tables::R_Hash, Resolve(), XrdAccEntityInfo::role, XrdAccAccess_Tables::SXList, XrdAccAccess_Tables::SYList, XrdAccAccess_Tables::U_Hash, XrdSysXSLock::UnLock(), XrdAccEntityInfo::vorg, XrdAccAccess_Tables::X_List, XrdAccConfiguration, XrdOucHashVal2(), xs_Shared, and XrdAccAccess_Tables::Z_List.

Here is the call graph for this function:

Audit()

int XrdAccAccess::Audit ( const int  accok, const XrdSecEntity *  Entity, const char *  path, const Access_Operation  oper, XrdOucEnv *  Env = 0  )

virtual

Route an audit message to the appropriate audit exit routine. See XrdAccAudit.h for more information on how the default implementation works. Currently, this method is not called by the ofs but should be used by the implementation to record denials or grants, as warranted.

Parameters

accok	-> True is access was grated; false otherwise.
Entity	-> Authentication information
path	-> The logical path which is the target of oper
oper	-> The operation being attempted (see above)
Env	-> Environmental information at the time of the operation as supplied by the path CGI string. This is optional and the pointer may be zero.

Returns

Success: !0 information recorded. Failure: 0 information could not be recorded.

Implements XrdAccAuthorize.

Definition at line 284 of file XrdAccAccess.cc.

{
// Warning! This table must be in 1-to-1 correspondence with Access_Operation
//
   static const char *Opername[] = {"any",             // 0
                                    "chmod",           // 1
                                    "chown",           // 2
                                    "create",          // 3
                                    "delete",          // 4
                                    "insert",          // 5
                                    "lock",            // 6
                                    "mkdir",           // 7
                                    "read",            // 8
                                    "readdir",         // 9
                                    "rename",          // 10
                                    "stat",            // 11
                                    "update",          // 12
                                    "excl_create",     // 13
                                    "excl_insert",     // 14
                                    "stage",           // 15
                                    "poll"             // 16
                             };
   const char *opname = (oper > AOP_LastOp ? "???" : Opername[oper]);
   std::string username;
   const char *id = "*";
   auto got_token = Entity->eaAPI->Get("request.name", username);
   if (got_token && !username.empty()) {
       id = username.c_str();
   } else if (Entity->name) id = Entity->name;
   const char *host = (Entity->host ? (const char *)Entity->host : "?");
   char atype[XrdSecPROTOIDSIZE+1];
 
// Get the protocol type in a printable format
//
   strncpy(atype, Entity->prot, XrdSecPROTOIDSIZE);
   atype[XrdSecPROTOIDSIZE] = '\0';
 
// Route the message appropriately
//
    if (accok) Auditor->Grant(opname, Entity->tident, atype, id, host, path);
       else    Auditor->Deny( opname, Entity->tident, atype, id, host, path);
 
// All done, finally
//
   return accok;
}

References AOP_LastOp, XrdAccAudit::Deny(), XrdSecEntity::eaAPI, XrdSecEntityAttr::Get(), XrdAccAudit::Grant(), XrdSecEntity::host, XrdSecEntity::name, XrdSecEntity::prot, XrdSecEntity::tident, and XrdSecPROTOIDSIZE.

Here is the call graph for this function:

Resolve()

const char * XrdAccAccess::Resolve ( const XrdSecEntity *  Entity )

static

Definition at line 339 of file XrdAccAccess.cc.

{
// Make a quick test for IPv6 (as that's the future) and a minimal one for ipV4
// to see if we have to do a DNS lookup.
//
   if (Entity->host == 0 || *(Entity->host) == '[' || isdigit(*(Entity->host)))
      return  Entity->addrInfo->Name("?");
   return Entity->host;
}

References XrdSecEntity::addrInfo, XrdSecEntity::host, and XrdNetAddrInfo::Name().

Referenced by Access().

Here is the call graph for this function:

Here is the caller graph for this function:

SwapTabs()

void XrdAccAccess::SwapTabs

(

struct XrdAccAccess_Tables &

newtab

)

Definition at line 356 of file XrdAccAccess.cc.

{
   struct XrdAccAccess_Tables oldtab;
   bool hRefX = false, hRefY = false;
 
// Determine if we need to resolve the host name early
//
   XrdAccAccess_ID *xlP = newtab.SXList;
   while(xlP)
        {if (xlP->host) {hRefX = true; break;}
         xlP = xlP->next;
        }
 
// Determine if we need to resolve the hostname at all.
//
   if (!hRefX)
      {if (newtab.D_List || newtab.H_Hash || newtab.N_Hash) hRefY = true;
          else {XrdAccAccess_ID *ylP = newtab.SYList;
                while (ylP)
                      {if (ylP->host) {hRefY = true; break;}
                       ylP = ylP->next;
                      }
               }
      }
 
// Get an exclusive context to change the table pointers
//
   Access_Context.Lock(xs_Exclusive);
 
// Save the old pointer while replacing it with the new pointer
//
   XrdAccSWAP(D_List);
   XrdAccSWAP(E_List);
   XrdAccSWAP(G_Hash);
   XrdAccSWAP(H_Hash);
   XrdAccSWAP(N_Hash);
   XrdAccSWAP(O_Hash);
   XrdAccSWAP(R_Hash);
   XrdAccSWAP(S_Hash);
   XrdAccSWAP(T_Hash);
   XrdAccSWAP(U_Hash);
   XrdAccSWAP(X_List);
   XrdAccSWAP(Z_List);
   XrdAccSWAP(SXList);
   XrdAccSWAP(SYList);
   hostRefX = hRefX;
   hostRefY = hRefY;
 
// When we set new access tables, we should purge the group cache
//
   XrdAccConfiguration.GroupMaster.PurgeCache();
 
// We can now let loose new table searchers
//
   Access_Context.UnLock(xs_Exclusive);
}

References XrdAccAccess_Tables::D_List, XrdAccAccess_Tables::E_List, XrdAccAccess_Tables::G_Hash, XrdAccConfig::GroupMaster, XrdAccAccess_Tables::H_Hash, XrdAccAccess_ID::host, XrdSysXSLock::Lock(), XrdAccAccess_Tables::N_Hash, XrdAccAccess_ID::next, XrdAccAccess_Tables::O_Hash, XrdAccGroups::PurgeCache(), XrdAccAccess_Tables::R_Hash, XrdAccAccess_Tables::S_Hash, XrdAccAccess_Tables::SXList, XrdAccAccess_Tables::SYList, XrdAccAccess_Tables::T_Hash, XrdAccAccess_Tables::U_Hash, XrdSysXSLock::UnLock(), XrdAccAccess_Tables::X_List, XrdAccConfiguration, XrdAccSWAP, xs_Exclusive, and XrdAccAccess_Tables::Z_List.

Referenced by XrdAccConfig::ConfigDB().

Here is the call graph for this function:

Here is the caller graph for this function:

Test()

int XrdAccAccess::Test ( const XrdAccPrivs  priv, const Access_Operation  oper  )

virtual

Check whether the specified operation is permitted.

Parameters

priv	-> the privileges as returned by Access().
oper	-> The operation being attempted (see above)

Returns

Permit: a non-zero value (access is permitted) Deny: zero (access is denied)

Implements XrdAccAuthorize.

Definition at line 417 of file XrdAccAccess.cc.

{
 
// Warning! This table must be in 1-to-1 correspondence with Access_Operation
//
   static XrdAccPrivs need[] = {XrdAccPriv_None,                 // 0
                                XrdAccPriv_Chmod,                // 1
                                XrdAccPriv_Chown,                // 2
                                XrdAccPriv_Create,               // 3
                                XrdAccPriv_Delete,               // 4
                                XrdAccPriv_Insert,               // 5
                                XrdAccPriv_Lock,                 // 6
                                XrdAccPriv_Mkdir,                // 7
                                XrdAccPriv_Read,                 // 8
                                XrdAccPriv_Readdir,              // 9
                                XrdAccPriv_Rename,               // 10
                                XrdAccPriv_Lookup,               // 11
                                XrdAccPriv_Update,               // 12
                                (XrdAccPrivs)0xffff,             // 13
                                (XrdAccPrivs)0xffff              // 14
                               };
   // Note AOP_Excl* does not have a corresponding XrdAccPrivs; this is on
   // purpose as the Excl* privilege is not modelled within the AuditDB framework.
   if (oper < 0 || oper > AOP_LastOp) return 0;
   return (int)(need[oper] & priv) == need[oper];
}

References AOP_LastOp, XrdAccPriv_Chmod, XrdAccPriv_Chown, XrdAccPriv_Create, XrdAccPriv_Delete, XrdAccPriv_Insert, XrdAccPriv_Lock, XrdAccPriv_Lookup, XrdAccPriv_Mkdir, XrdAccPriv_None, XrdAccPriv_Read, XrdAccPriv_Readdir, XrdAccPriv_Rename, and XrdAccPriv_Update.

Friends And Related Function Documentation

XrdAccConfig

friend class XrdAccConfig

friend

Definition at line 131 of file XrdAccAccess.hh.

---

The documentation for this class was generated from the following files:

• XrdAccAccess.hh
• XrdAccAccess.cc