From: Daniel Kouřil Date: Thu, 27 Jan 2005 14:26:59 +0000 (+0000) Subject: Added example change_acl for manipulation with ACLs X-Git-Tag: glite-lb-client_R_1_0_1~74 X-Git-Url: http://scientific.zcu.cz/git/?a=commitdiff_plain;h=612b62863a9471b4752deb6fac75f14eaaf6319b;p=jra1mw.git Added example change_acl for manipulation with ACLs Added README-acl describing access control to information about jobs --- diff --git a/org.glite.lb.client/Makefile b/org.glite.lb.client/Makefile index 190755e..2965a76 100644 --- a/org.glite.lb.client/Makefile +++ b/org.glite.lb.client/Makefile @@ -135,7 +135,7 @@ PLUSLIB:=libglite_lb_clientpp_${nothrflavour}.la THRPLUSLIB:=libglite_lb_clientpp_${thrflavour}.la TOOLS:=dump load purge -EXAMPLES:=log_usertag_proxy job_log job_reg feed_shark notify query_ext query_seq_code stats abort_job +EXAMPLES:=log_usertag_proxy job_log job_reg feed_shark notify query_ext query_seq_code stats abort_job change_acl FAKE_EXAMPLES:=job_log_fake version_info=-version-info `echo ${version} | cut -d. -f1,2 | tr . :` diff --git a/org.glite.lb.client/doc/README-acl b/org.glite.lb.client/doc/README-acl new file mode 100644 index 0000000..44ea9dc --- /dev/null +++ b/org.glite.lb.client/doc/README-acl 
@@ -0,0 +1,66 @@ +By default, information about a job stored in the LB server is only available +to the user who submitted the job, i.e. the job owner. When requesting any +information about a job from the LB server, the users must authenticate +properly using their PKI certificates so the LB server can verify that they are +allowed to access this information (i.e. they submitted the job in question). + +Besides this default functionality, the LB server also allows the job owner to +share job information with another users. Each job can be assigned an access +control list (ACL) that specifies another users who are also allowed to access +the job information. The management of ACL's is entirely under control of the +job owner so she can modify the ACL arbitrarily, specifying the set of users +who have access to the job information. The users in the ACL's can be specified +using either the subject names from their X.509 certificates or names of VOMS +groups. + +Current ACL for a job is returned as part of the job status information +returned by the job_status command. The commands output ACL's in the original +XML format as specified by GACL/GridSite. + +Example of an ACL: + + + VOCE/VOCE + + + + /O=CESNET/O=Masaryk University/CN=Daniel Kouril + + + + +this ACL allows all people in the VOMS /VOCE in the VO VOCE, but deny access to +user Daniel Kouril (even if he was a member of the /VOCE group). + +The job owner herself is not specified in the ACL as she is always allowed to +access the information regardles the content of the job ACL. + +An ACL for a job can be changed using the change_acl command-line program +provided in the example subdirectory. In order to use change_acl, the LB +daemons locallogger and interlogger must be running. 
The usage of the command +is as follows: + +change_acl [-r] [-g] [-d] jobid user_id + + jobid specifies the job to change + user_id specifies the user to use, it can be either an X.500 name + (subject name) or a VOMS group (if the -g option is specified). + + -r Remove user/group from the ACL. + -g If this option is given, the user_id is handled as a VOMS group. It + must of the form VO:group, where VO is name of the VO (as printed out + by voms-proxy-info in the VO: field) and group is name of the group. + -d The user specified by the user_id parameter will be denied to access + information about job. + +Examples (resulting in the ACL above): + change_acl -g https://scientific.civ.zcu.cz:9000/PC8Y6jBitHt_fKMTEKFnVw VOCE:/VOCE + change_acl -d https://scientific.civ.zcu.cz:9000/PC8Y6jBitHt_fKMTEKFnVw '/O=CESNET/O=Masaryk University/CN=Daniel Kouril' + +LB server configuration +In order to support the VOMS groups in the ACL's, glite_lb_bkserverd must be +able to verify client's VOMS proxy certificate using a trusted VOMS service +certificate stored on a local disk. Default directory with trusted VOMS +certificates is /etc/grid-security/vomsdir, another location can be +specified using by either the -V option to glite_lb_bkserverd or setting the +VOMS_CERT_DIR environment variable. diff --git a/org.glite.lb.client/examples/change_acl.c b/org.glite.lb.client/examples/change_acl.c new file mode 100644 index 0000000..eb731cf --- /dev/null +++ b/org.glite.lb.client/examples/change_acl.c 
@@ -0,0 +1,78 @@ +#ident "$Header$" + +#include +#include + +#include "glite/wmsutils/jobid/cjobid.h" +#include "glite/lb/producer.h" +#include "glite/lb/authz.h" + +void +usage(const char *me) +{ + fprintf(stderr,"usage: %s [-r] [-d] [-g] jobid user_id\n" + "\t-r \tRemove\n" + "\t-d \tOperation is considered as `allow' by default, if -d is given 'deny' will be used\n" + "\t-g \tuser_id is treated as DN by default, if -g is given user_id is expectedto be of form VO:group\n", + + me); +} + +int +main(int argc, char *argv[]) +{ + edg_wll_Context ctx; + int operation = EDG_WLL_ACL_ADD; + int permission = EDG_WLL_PERM_READ; + int permission_type = EDG_WLL_PERM_ALLOW; + int user_id_type = EDG_WLL_USER_SUBJECT; + edg_wlc_JobId jobid; + int opt; + int ret; + + if (argc < 3) { + usage(argv[0]); + return 1; + } + + while ((opt=getopt(argc, argv, "rdg")) != -1) + switch(opt) { + case 'r': operation = EDG_WLL_ACL_REMOVE; break; + case 'd': permission_type = EDG_WLL_PERM_DENY; break; + case 'g': user_id_type = EDG_WLL_USER_VOMS_GROUP; break; + default: + usage(argv[0]); + return 1; + break; + } + + edg_wll_InitContext(&ctx); + + if (edg_wlc_JobIdParse(argv[optind], &jobid)) { + fprintf(stderr,"can't parse job ID\n"); + goto err; + } + + edg_wll_SetParam(ctx, EDG_WLL_PARAM_SOURCE, EDG_WLL_SOURCE_USER_INTERFACE); + + ret = edg_wll_ChangeACL(ctx, + jobid, + argv[optind+1], user_id_type, + permission, permission_type, + operation); + + if (ret) { + char *et, *ed; + edg_wll_Error(ctx, &et, &ed); + fprintf(stderr, "%s: edg_wll_LogChangeACL() failed: %s (%s)\n", + argv[0], et, ed); + goto err; + } + + edg_wll_FreeContext(ctx); + return 0; + +err: + edg_wll_FreeContext(ctx); + return 1; +}
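Review bot: in the README-acl hunk the scope of an ACL grant is left implicit; state that an entry grants read access to job information only (change_acl.c in the same commit hardcodes EDG_WLL_PERM_READ and offers no option to change it), and state the allow/deny precedence as a rule rather than only through the example, e.g. "a deny entry wins over an allow entry for the same identity, including membership in an allowed group". Since change_acl delivers the change as an event through locallogger and interlogger (the text requires both to be running), also say whether job_status shows the new ACL immediately or only after the event reaches the server, so a user does not conclude that a grant or deny silently failed. Wording fixes in the same hunk: "another users" (twice) -> "other users", "deny access" -> "denies access", "regardles" -> "regardless", "must of the form VO:group" -> "must be of the form VO:group", and "specified using by either the -V option" -> "specified using either the -V option".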
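Review bot: in change_acl.c the argument-count check runs before getopt() and so does not account for options: `if (argc < 3)` lets `change_acl -g <jobid>` through, after which `argv[optind+1]` is NULL and is passed as user_id to edg_wll_ChangeACL(). Move the check after the getopt loop and test the remaining positional arguments, e.g. `if (argc - optind != 2) { usage(argv[0]); return 1; }`. Smaller points in the same hunk: the return value of edg_wll_InitContext() is ignored; the error message names `edg_wll_LogChangeACL()` while the call is edg_wll_ChangeACL(); the strings returned by edg_wll_Error() and the parsed jobid are not released on the error path (edg_wlc_JobIdFree()); `usage()` has "expectedto" for "expected to"; and the `break` after `return 1` in the `default:` case is unreachable. The two `#include` lines carry no header names as shown here; getopt()/optind need <unistd.h> and fprintf() needs <stdio.h>.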