XRootD
Loading...
Searching...
No Matches
XrdAccAccess Class Reference

#include <XrdAccAccess.hh>

Inheritance diagram for XrdAccAccess:
Collaboration diagram for XrdAccAccess:

Public Member Functions

 XrdAccAccess (XrdSysError *erp)
 ~XrdAccAccess ()
XrdAccPrivs Access (const XrdSecEntity *Entity, const char *path, const Access_Operation oper, XrdOucEnv *Env=0)
int Audit (const int accok, const XrdSecEntity *Entity, const char *path, const Access_Operation oper, XrdOucEnv *Env=0)
void SwapTabs (struct XrdAccAccess_Tables &newtab)
int Test (const XrdAccPrivs priv, const Access_Operation oper)
Public Member Functions inherited from XrdAccAuthorize
 XrdAccAuthorize ()
 Constructor.
virtual ~XrdAccAuthorize ()
 Destructor.
virtual XrdAccPrivs Access (const XrdSecEntity *Entity, const char *path, const Access_Operation oper, std::string &eInfo, XrdOucEnv *Env=0)

Static Public Member Functions

static const char * Resolve (const XrdSecEntity *Entity)

Friends

class XrdAccConfig

Detailed Description

Definition at line 127 of file XrdAccAccess.hh.

Constructor & Destructor Documentation

◆ XrdAccAccess()

XrdAccAccess::XrdAccAccess ( XrdSysError * erp)

Definition at line 94 of file XrdAccAccess.cc.

95{
96// Get the audit option that we should use
97//
98 Auditor = XrdAccAuditObject(erp);
99}
XrdAccAuditObject
XrdAccAudit * XrdAccAuditObject(XrdSysError *erp)
Definition XrdAccAudit.cc:92

References XrdAccAuditObject().

Here is the call graph for this function:

◆ ~XrdAccAccess()

XrdAccAccess::~XrdAccAccess ( )
inline

Definition at line 156 of file XrdAccAccess.hh.

156{} // The access object is never deleted

Member Function Documentation

◆ Access()

XrdAccPrivs XrdAccAccess::Access ( const XrdSecEntity * Entity,
const char * path,
const Access_Operation oper,
XrdOucEnv * Env = 0 )
virtual

Check whether or not the client is permitted specified access to a path.

Parameters
Entity-> Authentication information
path-> The logical path which is the target of oper
oper-> The operation being attempted (see the enum above). If the oper is AOP_Any, then the actual privileges are returned and the caller may make subsequent tests using Test().
Env-> Environmental information at the time of the operation as supplied by the path CGI string. This is optional and the pointer may be zero.
Returns
Permit: a non-zero value (access is permitted) Deny: zero (access is denied)

Implements XrdAccAuthorize.

Definition at line 105 of file XrdAccAccess.cc.

109{
110 XrdAccGroupList *glp;
111 XrdAccPrivCaps caps;
112 XrdAccCapability *cp;
113 XrdAccEntity *aeP;
114 XrdAccEntityInfo eInfo;
115 int plen = strlen(path);
116 long phash = XrdOucHashVal2(path, plen);
117 bool isuser;
118
119// Obtain an authorization entity (it will be released upon return).
120//
121 XrdAccEntityInit accEntity(Entity, aeP);
122 if (!aeP) return Access2(caps, Entity, path, oper);
123
124// Setup the id (we don't need a lock for that)
125//
126 std::string username;
127 auto got_token = Entity->eaAPI->Get("request.name", username);
128 if (got_token && !username.empty())
129 {eInfo.name = username.c_str();
130 isuser = true;
131 }
132 else if (Entity->name)
133 {eInfo.name = Entity->name;
134 isuser = (*eInfo.name != 0);
135 } else {
136 eInfo.name = "*";
137 isuser = false;
138 }
139
140// Get a shared context for these potentially long running routines
141//
142 Access_Context.Lock(xs_Shared);
143
144// Setup the host entry in the eInfo structure (it may need to be resolved)
145//
146 eInfo.host = (hostRefX ? Resolve(Entity) : "?");
147
148// Run through the exclusive list first as only one rule will apply
149//
150 if (Atab.SXList)
151 {XrdAccAccess_ID *xlP = Atab.SXList;
152 do {int aSeq = 0;
153 while(aeP->Next(aSeq, eInfo))
154 {if (xlP->Applies(eInfo))
155 {xlP->caps->Privs(caps, path, plen, phash);
156 Access_Context.UnLock(xs_Shared);
157 return Access2(caps, Entity, path, oper);
158 }
159 }
160 xlP = xlP->next;
161 } while(xlP);
162 }
163
164// Check if we really need to resolve the host name
165//
166//??? if (Atab.D_List || Atab.H_Hash || Atab.N_Hash) host = Resolve(Entity);
167 if (!hostRefX && hostRefY) eInfo.host = Resolve(Entity);
168
169// Establish default privileges
170//
171 if (Atab.Z_List) Atab.Z_List->Privs(caps, path, plen, phash);
172
173// Next add in the host domain privileges
174//
175 if (Atab.D_List && (cp = Atab.D_List->Find(eInfo.host)))
176 cp->Privs(caps, path, plen, phash);
177
178// Next add in the host-specific privileges
179//
180 if (Atab.H_Hash && (cp = Atab.H_Hash->Find(eInfo.host)))
181 cp->Privs(caps, path, plen, phash);
182
183// Now add in the netgroup privileges
184//
185 if (Atab.N_Hash && *eInfo.host != '?' &&
186 (glp = XrdAccConfiguration.GroupMaster.NetGroups(eInfo.name,eInfo.host)))
187 {char *gname;
188 while((gname = (char *)glp->Next()))
189 if ((cp = Atab.N_Hash->Find((const char *)gname)))
190 cp->Privs(caps, path, plen, phash);
191 delete glp;
192 }
193
194// Check for user fungible privileges
195//
196 if (isuser && Atab.X_List)
197 Atab.X_List->Privs(caps, path, plen, phash, eInfo.name);
198
199// Add in specific user privileges
200//
201 if (isuser && Atab.U_Hash && (cp = Atab.U_Hash->Find(eInfo.name)))
202 cp->Privs(caps, path, plen, phash);
203
204// The following privileges are based on multiple attributes. Orgs and roles
205// may be repeated but groups generally will not be.
206//
207 const char *vorgPrev = 0, *rolePrev = 0;
208 int aSeq = 0;
209
210 while(aeP->Next(aSeq, eInfo))
211 {
212 // Add in the group privileges.
213 //
214 if (Atab.G_Hash && eInfo.grup && (cp = Atab.G_Hash->Find(eInfo.grup)))
215 cp->Privs(caps, path, plen, phash);
216
217 // Add in the org-specific privileges
218 //
219 if (Atab.O_Hash && eInfo.vorg && eInfo.vorg != vorgPrev)
220 {vorgPrev = eInfo.vorg;
221 if ((cp = Atab.O_Hash->Find(eInfo.vorg)))
222 cp->Privs(caps, path, plen, phash);
223 }
224
225 // Add in the role-specific privileges
226 //
227 if (Atab.R_Hash && eInfo.role && eInfo.role != rolePrev)
228 {rolePrev = eInfo.role;
229 if ((cp = Atab.R_Hash->Find(eInfo.role)))
230 cp->Privs(caps, path, plen, phash);
231 }
232
233 // Finally run through the inclusive list and apply all relevant rules
234 //
235 XrdAccAccess_ID *ylP = Atab.SYList;
236 while (ylP)
237 {if (ylP->Applies(eInfo))
238 ylP->caps->Privs(caps, path, plen, phash);
239 ylP = ylP->next;
240 }
241 }
242
243// We are now done with looking at changeable data
244//
245 Access_Context.UnLock(xs_Shared);
246
247// Return the privileges as needed
248//
249 return Access2(caps, Entity, path, oper);
250}
XrdOucHashVal2
unsigned long XrdOucHashVal2(const char *KeyVal, int KeyLen)
Definition XrdOucHashVal.cc:40
XrdAccConfiguration
XrdAccConfig XrdAccConfiguration
Definition XrdAccConfig.cc:61
xs_Shared
@ xs_Shared
Definition XrdSysXSLock.hh:38
XrdAccAccess::Resolve
static const char * Resolve(const XrdSecEntity *Entity)
Definition XrdAccAccess.cc:339
XrdAccCapability::Privs
int Privs(XrdAccPrivCaps &pathpriv, const char *pathname, const int pathlen, const unsigned long pathhash, const char *pathsub=0)
Definition XrdAccCapability.cc:82
XrdAccConfig::GroupMaster
XrdAccGroups GroupMaster
Definition XrdAccConfig.hh:79
XrdAccEntity::Next
bool Next(int &seq, XrdAccEntityInfo &info)
Definition XrdAccEntity.hh:71
XrdAccGroupList::Next
const char * Next()
Definition XrdAccGroups.hh:49
XrdAccGroups::NetGroups
XrdAccGroupList * NetGroups(const char *user, const char *host)
Definition XrdAccGroups.cc:241
XrdSecEntityAttr::Get
XrdSecAttr * Get(const void *sigkey)
Definition XrdSecEntityAttr.cc:85
XrdSecEntity::eaAPI
XrdSecEntityAttr * eaAPI
non-const API to attributes
Definition XrdSecEntity.hh:92
XrdSecEntity::name
char * name
Entity's name.
Definition XrdSecEntity.hh:69
XrdAccAccess_ID::Applies
bool Applies(const XrdAccEntityInfo &Entity)
Definition XrdAccAccess.cc:448
XrdAccAccess_ID::caps
XrdAccCapability * caps
Definition XrdAccAccess.hh:54
XrdAccAccess_ID::next
XrdAccAccess_ID * next
Definition XrdAccAccess.hh:55
XrdAccEntityInfo::vorg
const char * vorg
Definition XrdAccEntity.hh:44
XrdAccEntityInfo::role
const char * role
Definition XrdAccEntity.hh:45
XrdAccEntityInfo::name
const char * name
Definition XrdAccEntity.hh:42
XrdAccEntityInfo::host
const char * host
Definition XrdAccEntity.hh:43
XrdAccEntityInfo::grup
const char * grup
Definition XrdAccEntity.hh:46

References XrdAccAccess_ID::Applies(), XrdAccAccess_ID::caps, XrdSecEntity::eaAPI, XrdSecEntityAttr::Get(), XrdAccEntityInfo::grup, XrdAccEntityInfo::host, XrdAccEntityInfo::name, XrdSecEntity::name, XrdAccEntity::Next(), XrdAccGroupList::Next(), XrdAccAccess_ID::next, XrdAccCapability::Privs(), Resolve(), XrdAccEntityInfo::role, XrdAccEntityInfo::vorg, XrdAccConfiguration, XrdOucHashVal2(), and xs_Shared.

Here is the call graph for this function:

◆ Audit()

int XrdAccAccess::Audit ( const int accok,
const XrdSecEntity * Entity,
const char * path,
const Access_Operation oper,
XrdOucEnv * Env = 0 )
virtual

Route an audit message to the appropriate audit exit routine. See XrdAccAudit.h for more information on how the default implementation works. Currently, this method is not called by the ofs but should be used by the implementation to record denials or grants, as warranted.

Parameters
accok-> True is access was grated; false otherwise.
Entity-> Authentication information
path-> The logical path which is the target of oper
oper-> The operation being attempted (see above)
Env-> Environmental information at the time of the operation as supplied by the path CGI string. This is optional and the pointer may be zero.
Returns
Success: !0 information recorded. Failure: 0 information could not be recorded.

Implements XrdAccAuthorize.

Definition at line 284 of file XrdAccAccess.cc.

289{
290// Warning! This table must be in 1-to-1 correspondence with Access_Operation
291//
292 static const char *Opername[] = {"any", // 0
293 "chmod", // 1
294 "chown", // 2
295 "create", // 3
296 "delete", // 4
297 "insert", // 5
298 "lock", // 6
299 "mkdir", // 7
300 "read", // 8
301 "readdir", // 9
302 "rename", // 10
303 "stat", // 11
304 "update", // 12
305 "excl_create", // 13
306 "excl_insert", // 14
307 "stage", // 15
308 "poll" // 16
309 };
310 const char *opname = (oper > AOP_LastOp ? "???" : Opername[oper]);
311 std::string username;
312 const char *id = "*";
313 auto got_token = Entity->eaAPI->Get("request.name", username);
314 if (got_token && !username.empty()) {
315 id = username.c_str();
316 } else if (Entity->name) id = Entity->name;
317 const char *host = (Entity->host ? (const char *)Entity->host : "?");
318 char atype[XrdSecPROTOIDSIZE+1];
319
320// Get the protocol type in a printable format
321//
322 strncpy(atype, Entity->prot, XrdSecPROTOIDSIZE);
323 atype[XrdSecPROTOIDSIZE] = '\0';
324
325// Route the message appropriately
326//
327 if (accok) Auditor->Grant(opname, Entity->tident, atype, id, host, path);
328 else Auditor->Deny( opname, Entity->tident, atype, id, host, path);
329
330// All done, finally
331//
332 return accok;
333}
AOP_LastOp
@ AOP_LastOp
Definition XrdAccAuthorize.hh:58
XrdSecPROTOIDSIZE
#define XrdSecPROTOIDSIZE
Definition XrdSecEntity.hh:47
XrdSecEntity::tident
const char * tident
Trace identifier always preset.
Definition XrdSecEntity.hh:81
XrdSecEntity::prot
char prot[XrdSecPROTOIDSIZE]
Auth protocol used (e.g. krb5).
Definition XrdSecEntity.hh:67
XrdSecEntity::host
char * host
Entity's host name dnr dependent.
Definition XrdSecEntity.hh:70

References AOP_LastOp, XrdSecEntity::eaAPI, XrdSecEntityAttr::Get(), XrdSecEntity::host, XrdSecEntity::name, XrdSecEntity::prot, XrdSecEntity::tident, and XrdSecPROTOIDSIZE.

Here is the call graph for this function:

◆ Resolve()

const char * XrdAccAccess::Resolve ( const XrdSecEntity * Entity)
static

Definition at line 339 of file XrdAccAccess.cc.

340{
341// Make a quick test for IPv6 (as that's the future) and a minimal one for ipV4
342// to see if we have to do a DNS lookup.
343//
344 if (Entity->host == 0 || *(Entity->host) == '[' || isdigit(*(Entity->host)))
345 return Entity->addrInfo->Name("?");
346 return Entity->host;
347}
XrdNetAddrInfo::Name
const char * Name(const char *eName=0, const char **eText=0)
Definition XrdNetAddrInfo.cc:309
XrdSecEntity::addrInfo
XrdNetAddrInfo * addrInfo
Entity's connection details.
Definition XrdSecEntity.hh:80

References XrdSecEntity::addrInfo, XrdSecEntity::host, and XrdNetAddrInfo::Name().

Referenced by Access().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ SwapTabs()

void XrdAccAccess::SwapTabs ( struct XrdAccAccess_Tables & newtab)

Definition at line 356 of file XrdAccAccess.cc.

357{
358 struct XrdAccAccess_Tables oldtab;
359 bool hRefX = false, hRefY = false;
360
361// Determine if we need to resolve the host name early
362//
363 XrdAccAccess_ID *xlP = newtab.SXList;
364 while(xlP)
365 {if (xlP->host) {hRefX = true; break;}
366 xlP = xlP->next;
367 }
368
369// Determine if we need to resolve the hostname at all.
370//
371 if (!hRefX)
372 {if (newtab.D_List || newtab.H_Hash || newtab.N_Hash) hRefY = true;
373 else {XrdAccAccess_ID *ylP = newtab.SYList;
374 while (ylP)
375 {if (ylP->host) {hRefY = true; break;}
376 ylP = ylP->next;
377 }
378 }
379 }
380
381// Get an exclusive context to change the table pointers
382//
383 Access_Context.Lock(xs_Exclusive);
384
385// Save the old pointer while replacing it with the new pointer
386//
387 XrdAccSWAP(D_List);
388 XrdAccSWAP(E_List);
389 XrdAccSWAP(G_Hash);
390 XrdAccSWAP(H_Hash);
391 XrdAccSWAP(N_Hash);
392 XrdAccSWAP(O_Hash);
393 XrdAccSWAP(R_Hash);
394 XrdAccSWAP(S_Hash);
395 XrdAccSWAP(T_Hash);
396 XrdAccSWAP(U_Hash);
397 XrdAccSWAP(X_List);
398 XrdAccSWAP(Z_List);
399 XrdAccSWAP(SXList);
400 XrdAccSWAP(SYList);
401 hostRefX = hRefX;
402 hostRefY = hRefY;
403
404// When we set new access tables, we should purge the group cache
405//
406 XrdAccConfiguration.GroupMaster.PurgeCache();
407
408// We can now let loose new table searchers
409//
410 Access_Context.UnLock(xs_Exclusive);
411}
XrdAccSWAP
#define XrdAccSWAP(x)
Definition XrdAccAccess.cc:353
xs_Exclusive
@ xs_Exclusive
Definition XrdSysXSLock.hh:38
XrdAccAccess_ID::host
char * host
Definition XrdAccAccess.hh:50
XrdAccAccess_Tables::N_Hash
XrdOucHash< XrdAccCapability > * N_Hash
Definition XrdAccAccess.hh:88
XrdAccAccess_Tables::SXList
XrdAccAccess_ID * SXList
Definition XrdAccAccess.hh:98
XrdAccAccess_Tables::D_List
XrdAccCapName * D_List
Definition XrdAccAccess.hh:94
XrdAccAccess_Tables::H_Hash
XrdOucHash< XrdAccCapability > * H_Hash
Definition XrdAccAccess.hh:87
XrdAccAccess_Tables::SYList
XrdAccAccess_ID * SYList
Definition XrdAccAccess.hh:99

References XrdAccAccess_Tables::D_List, XrdAccAccess_Tables::H_Hash, XrdAccAccess_ID::host, XrdAccAccess_Tables::N_Hash, XrdAccAccess_ID::next, XrdAccAccess_Tables::SXList, XrdAccAccess_Tables::SYList, XrdAccConfiguration, XrdAccSWAP, and xs_Exclusive.

◆ Test()

int XrdAccAccess::Test ( const XrdAccPrivs priv,
const Access_Operation oper )
virtual

Check whether the specified operation is permitted.

Parameters
priv-> the privileges as returned by Access().
oper-> The operation being attempted (see above)
Returns
Permit: a non-zero value (access is permitted) Deny: zero (access is denied)

Implements XrdAccAuthorize.

Definition at line 417 of file XrdAccAccess.cc.

418{
419
420// Warning! This table must be in 1-to-1 correspondence with Access_Operation
421//
422 static XrdAccPrivs need[] = {XrdAccPriv_None, // 0
423 XrdAccPriv_Chmod, // 1
424 XrdAccPriv_Chown, // 2
425 XrdAccPriv_Create, // 3
426 XrdAccPriv_Delete, // 4
427 XrdAccPriv_Insert, // 5
428 XrdAccPriv_Lock, // 6
429 XrdAccPriv_Mkdir, // 7
430 XrdAccPriv_Read, // 8
431 XrdAccPriv_Readdir, // 9
432 XrdAccPriv_Rename, // 10
433 XrdAccPriv_Lookup, // 11
434 XrdAccPriv_Update, // 12
435 (XrdAccPrivs)0xffff, // 13
436 (XrdAccPrivs)0xffff // 14
437 };
438 // Note AOP_Excl* does not have a corresponding XrdAccPrivs; this is on
439 // purpose as the Excl* privilege is not modelled within the AuditDB framework.
440 if (oper < 0 || oper > AOP_LastOp) return 0;
441 return (int)(need[oper] & priv) == need[oper];
442}
XrdAccPrivs
XrdAccPrivs
Definition XrdAccPrivs.hh:39
XrdAccPriv_Mkdir
@ XrdAccPriv_Mkdir
Definition XrdAccPrivs.hh:46
XrdAccPriv_Chown
@ XrdAccPriv_Chown
Definition XrdAccPrivs.hh:41
XrdAccPriv_Insert
@ XrdAccPriv_Insert
Definition XrdAccPrivs.hh:44
XrdAccPriv_Lookup
@ XrdAccPriv_Lookup
Definition XrdAccPrivs.hh:47
XrdAccPriv_Rename
@ XrdAccPriv_Rename
Definition XrdAccPrivs.hh:48
XrdAccPriv_Update
@ XrdAccPriv_Update
Definition XrdAccPrivs.hh:52
XrdAccPriv_Read
@ XrdAccPriv_Read
Definition XrdAccPrivs.hh:49
XrdAccPriv_Lock
@ XrdAccPriv_Lock
Definition XrdAccPrivs.hh:45
XrdAccPriv_None
@ XrdAccPriv_None
Definition XrdAccPrivs.hh:55
XrdAccPriv_Delete
@ XrdAccPriv_Delete
Definition XrdAccPrivs.hh:43
XrdAccPriv_Create
@ XrdAccPriv_Create
Definition XrdAccPrivs.hh:42
XrdAccPriv_Readdir
@ XrdAccPriv_Readdir
Definition XrdAccPrivs.hh:50
XrdAccPriv_Chmod
@ XrdAccPriv_Chmod
Definition XrdAccPrivs.hh:40

References AOP_LastOp, XrdAccPriv_Chmod, XrdAccPriv_Chown, XrdAccPriv_Create, XrdAccPriv_Delete, XrdAccPriv_Insert, XrdAccPriv_Lock, XrdAccPriv_Lookup, XrdAccPriv_Mkdir, XrdAccPriv_None, XrdAccPriv_Read, XrdAccPriv_Readdir, XrdAccPriv_Rename, and XrdAccPriv_Update.

◆ XrdAccConfig

friend class XrdAccConfig
friend

Definition at line 131 of file XrdAccAccess.hh.

References XrdAccConfig.

Referenced by XrdAccConfig.

The documentation for this class was generated from the following files: