00001 #ifndef __ACC_AUTHORIZE__ 00002 #define __ACC_AUTHORIZE__ 00003 /******************************************************************************/ 00004 /* */ 00005 /* X r d A c c A u t h o r i z e . h h */ 00006 /* */ 00007 /* (c) 2000 by the Board of Trustees of the Leland Stanford, Jr., University */ 00008 /* All Rights Reserved */ 00009 /* Produced by Andrew Hanushevsky for Stanford University under contract */ 00010 /* DE-AC03-76-SFO0515 with the Department of Energy */ 00011 /******************************************************************************/ 00012 00013 #include "XrdAcc/XrdAccPrivs.hh" 00014 00015 /******************************************************************************/ 00016 /* A c c e s s _ O p e r a t i o n */ 00017 /******************************************************************************/ 00018 00019 // The following are supported operations 00020 // 00021 enum Access_Operation {AOP_Any = 0, // Special for getting privs 00022 AOP_Chmod = 1, // chmod() 00023 AOP_Chown = 2, // chown() 00024 AOP_Create = 3, // open() with create 00025 AOP_Delete = 4, // rm() or rmdir() 00026 AOP_Insert = 5, // mv() for target 00027 AOP_Lock = 6, // n/a 00028 AOP_Mkdir = 7, // mkdir() 00029 AOP_Read = 8, // open() r/o, prepare() 00030 AOP_Readdir = 9, // opendir() 00031 AOP_Rename = 10, // mv() for source 00032 AOP_Stat = 11, // exists(), stat() 00033 AOP_Update = 12, // open() r/w or append 00034 AOP_LastOp = 12 // For limits testing 00035 }; 00036 00037 /******************************************************************************/ 00038 /* X r d A c c A u t h o r i z e */ 00039 /******************************************************************************/ 00040 00041 class XrdOucEnv; 00042 class XrdSecEntity; 00043 00044 class XrdAccAuthorize 00045 { 00046 public: 00047 00048 /* Access() indicates whether or not the user/host is permitted access to the 00049 path for the specified operation. The default implementation that is 00050 statically linked determines privileges by combining user, host, user group, 00051 and user/host netgroup privileges. If the operation is AOP_Any, then the 00052 actual privileges are returned and the caller may make subsequent tests using 00053 Test(). Otherwise, a non-zero value is returned if access is permitted or a 00054 zero value is returned is access is to be denied. Other iplementations may 00055 use other decision making schemes but the return values must mean the same. 00056 00057 Parameters: Entity -> Authentication information 00058 path -> The logical path which is the target of oper 00059 oper -> The operation being attempted (see above) 00060 Env -> Environmental information at the time of the 00061 operation as supplied by the path CGI string. 00062 This is optional and the pointer may be zero. 00063 */ 00064 00065 virtual XrdAccPrivs Access(const XrdSecEntity *Entity, 00066 const char *path, 00067 const Access_Operation oper, 00068 XrdOucEnv *Env=0) = 0; 00069 00070 /* Audit() routes an audit message to the appropriate audit exit routine. See 00071 XrdAccAudit.h for more information on how the default implementation works. 00072 Currently, this method is not called by the ofs but should be used by the 00073 implementation to record denials or grants, as warrented. 00074 00075 Parameters: accok -> True is access was grated; false otherwise. 00076 Entity -> Authentication information 00077 path -> The logical path which is the target of oper 00078 oper -> The operation being attempted (see above) 00079 Env -> Environmental information at the time of the 00080 operation as supplied by the path CGI string. 00081 This is optional and the pointer may be zero. 00082 */ 00083 00084 virtual int Audit(const int accok, 00085 const XrdSecEntity *Entity, 00086 const char *path, 00087 const Access_Operation oper, 00088 XrdOucEnv *Env=0) = 0; 00089 00090 // Test() check whether the specified operation is permitted. If permitted it 00091 // returns a non-zero. Otherwise, zero is returned. 00092 // 00093 virtual int Test(const XrdAccPrivs priv, 00094 const Access_Operation oper) = 0; 00095 00096 XrdAccAuthorize() {} 00097 00098 virtual ~XrdAccAuthorize() {} 00099 }; 00100 00101 /******************************************************************************/ 00102 /* X r d A c c A u t h o r i z e O b j e c t */ 00103 /******************************************************************************/ 00104 00105 /* XrdAccAuthorizeObject() is called to obtain an instance of the auth object 00106 that will be used for all subsequent authorization decisions. If it returns 00107 a null pointer; initialization fails and the program exits. It must be 00108 declared as follows: 00109 00110 extern "C" XrdAccAuthorize *XrdAccAuthorizeObject(XrdSysLogger *lp, 00111 const char *cfn, 00112 const char *parm); 00113 00114 where: 00115 lp -> XrdSysLogger to be tied to an XrdSysError object for messages 00116 cfn -> The name of the configuration file 00117 parm -> Parameters specified on the authlib directive. If none it is zero. 00118 00119 For the default statically linked authorization framework, the non-extern C 00120 XrdAccDefaultAuthorizeObject() is called instead so as to not conflict with 00121 that symbol in a shared library plug-in, otherwise (depending on the loader) 00122 we might not be able to get its address in the shared segment. Normally, 00123 the difference between extern C and not should be all that matters. This 00124 mechanism here just makes sure we don't rely on that assumption. 00125 */ 00126 #endif
1.5.1