#ifndef __ACC_AUTHORIZE__
#define __ACC_AUTHORIZE__
/******************************************************************************/
/* */
/* X r d A c c A u t h o r i z e . h h */
/* */
/* (c) 2000 by the Board of Trustees of the Leland Stanford, Jr., University */
/* All Rights Reserved */
/* Produced by Andrew Hanushevsky for Stanford University under contract */
/* DE-AC03-76-SFO0515 with the Department of Energy */
/******************************************************************************/
#include "
XrdAcc/XrdAccPrivs.hh
"
/******************************************************************************/
/* A c c e s s _ O p e r a t i o n */
/******************************************************************************/
// Operations that an authorization request can name. Every enumerator has an
// explicit value, and those values cross the Access()/Audit()/Test() interface
// declared further down in this header.
// NOTE(review): presumably authorization plug-ins are compiled against these
// numbers -- confirm before renumbering or inserting a value.
//
enum Access_Operation
{
   // Not a real operation: asks Access() to return the privileges themselves
   AOP_Any     =  0,

   // chmod()
   AOP_Chmod   =  1,

   // chown()
   AOP_Chown   =  2,

   // open() with create
   AOP_Create  =  3,

   // rm() or rmdir()
   AOP_Delete  =  4,

   // mv(), checked against the target
   AOP_Insert  =  5,

   // n/a (no call is listed for this operation)
   AOP_Lock    =  6,

   // mkdir()
   AOP_Mkdir   =  7,

   // open() read-only, prepare()
   AOP_Read    =  8,

   // opendir()
   AOP_Readdir =  9,

   // mv(), checked against the source
   AOP_Rename  = 10,

   // exists(), stat()
   AOP_Stat    = 11,

   // open() read/write or append
   AOP_Update  = 12,

   // For limits testing: equals the highest operation value, so it has to be
   // moved along whenever an operation is added after AOP_Update.
   AOP_LastOp  = AOP_Update
};
/******************************************************************************/
/* X r d A c c A u t h o r i z e */
/******************************************************************************/
// Only pointers to these two types appear below, so forward declarations are
// sufficient.
class XrdOucEnv;
class XrdSecEntity;

// Abstract interface through which an authorization decision is requested,
// audited and tested. Every operation is pure virtual; the concrete object is
// supplied by an implementation of this class.
//
class XrdAccAuthorize
{
public:

/* Access() answers whether the user/host described by Entity may perform oper
   on path. The statically linked default implementation reaches its answer by
   combining user, host, user group and user/host netgroup privileges. Other
   implementations may decide differently, but their return values must carry
   the same meaning:

   oper == AOP_Any -> the actual privileges are returned; the caller may then
                      make subsequent checks with Test().
   any other oper  -> non-zero if access is permitted, zero if it is denied.

   Parameters: Entity -> Authentication information
               path   -> The logical path which is the target of oper
               oper   -> The operation being attempted (see Access_Operation)
               Env    -> Environmental information at the time of the
                         operation, as supplied by the path CGI string.
                         Optional: the pointer may be zero, so it has to be
                         checked before it is dereferenced.

   NOTE(review): zero is the only "deny" answer, so an implementation that
   cannot reach a decision should presumably return zero rather than a partial
   privilege set -- confirm against the default implementation.
   NOTE(review): Env is built from the CGI part of the path and so is
   presumably request-supplied; verify before letting it widen a grant.
*/

virtual XrdAccPrivs Access(const XrdSecEntity    *Entity,
                           const char            *path,
                           const Access_Operation oper,
                                 XrdOucEnv       *Env=0) = 0;

/* Audit() hands an audit message to the appropriate audit exit routine;
   XrdAccAudit.h describes how the default implementation does this. The ofs
   does not currently call Audit(), so denials and grants get recorded only
   when the implementation calls it itself, as warranted.

   Parameters: accok  -> True if access was granted; false otherwise.
               Entity -> Authentication information
               path   -> The logical path which is the target of oper
               oper   -> The operation being attempted (see Access_Operation)
               Env    -> Environmental information at the time of the
                         operation, as supplied by the path CGI string.
                         Optional: the pointer may be zero.

   The meaning of the int result is not stated in this header -- TODO confirm
   in XrdAccAudit.h.
*/

virtual int         Audit(const int              accok,
                          const XrdSecEntity    *Entity,
                          const char            *path,
                          const Access_Operation oper,
                                XrdOucEnv       *Env=0) = 0;

// Test() checks whether oper is permitted by the privileges in priv (for
// example the value Access() returned for AOP_Any). The result is non-zero
// when the operation is permitted and zero when it is not.
// NOTE(review): the result for an oper outside AOP_Any..AOP_LastOp is not
// specified here; presumably it should be treated as not permitted -- confirm.
//
virtual int         Test(const XrdAccPrivs      priv,
                         const Access_Operation oper) = 0;

                    XrdAccAuthorize() {}

// Virtual so that an implementation can be destroyed through this interface.
virtual            ~XrdAccAuthorize() {}
};
/******************************************************************************/
/* X r d A c c A u t h o r i z e O b j e c t */
/******************************************************************************/
/* XrdAccAuthorizeObject() is called to obtain an instance of the auth object
   that will be used for all subsequent authorization decisions. If it returns
   a null pointer, initialization fails and the program exits. It must be
   declared as follows:

   extern "C" XrdAccAuthorize *XrdAccAuthorizeObject(XrdSysLogger *lp,
                                                     const char   *cfn,
                                                     const char   *parm);

   where:
   lp   -> XrdSysLogger to be tied to an XrdSysError object for messages
   cfn  -> The name of the configuration file
   parm -> Parameters specified on the authlib directive. If there are none,
           it is zero.

   For the default statically linked authorization framework, the non-extern C
   XrdAccDefaultAuthorizeObject() is called instead so as to not conflict with
   that symbol in a shared library plug-in; otherwise (depending on the loader)
   we might not be able to get its address in the shared segment. Normally,
   the difference between extern C and not should be all that matters. This
   mechanism just makes sure we don't rely on that assumption.
*/
#endif