DACSACL(1)                       DACS Commands Manual                       DACSACL(1)
NAME
dacsacl - list, check, or re-index access control rules

SYNOPSIS
dacsacl [dacsoptions[1]] [-build | -nobuild] [-vfs vfs_uri] [...] [op-spec] [acl-name...]

DESCRIPTION
This program is part of the DACS suite. The dacsacl utility performs administrative functions related to access control, such as:
• validating the syntax of ACL files (parsing the XML and DACS expressions);
• checking that the revocation list (VFS type revocations) exists and performing a syntax check on it;
• creating an index (a directory data structure, as an XML file) of access control files; and
• listing and deleting access tokens in the authorization cache (refer to dacs_acs(8)[2]).
Please refer to dacs.acls(5)[3] for details about how access control rule
files are named.
• So that it can be run as part of the installation procedure, dacsacl does not require dacs.conf to exist. If it does exist, however, it must be readable and syntactically correct.
• The program emits a warning message if it finds different ACL files that contain identical url_pattern (or url_expr) attributes. It does not detect pairs of these attributes that are equivalent, however; in general, it is not possible to do so because the actual specifications used to match against a service request are not known until run time. Two or more service elements should never apply to the same service request (other than through wildcard matching), and the result of authorization testing with such rules is indeterminate.
• The dacs_admin(8)[4] web service provides some of the same functionality as dacsacl.
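The two checks described above (XML that fails to parse, and byte-identical url_pattern or url_expr attributes in different ACL files) can be reproduced with the following added example. It is not part of DACS or this manual page; the ACL shape it uses (an acl_rule element wrapping a services element with service children) and the file names are assumptions, and the sample files are constructed inline so it runs offline. Like dacsacl, it reports only identical attribute values and makes no attempt at equivalence, so the trailing-slash variant in the sample is deliberately left unreported.

```python
"""Added example (not DACS code): scan ACL files for the two conditions
dacsacl reports, XML that fails to parse and identical url_pattern /
url_expr attributes in different files.  The <acl_rule>/<services>/<service>
shape is an assumption; see dacs.acls(5) for the real format."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample ACL files, keyed by acl-name.
SAMPLE_ACLS = {
    "acl-conf.0": (
        '<acl_rule>\n'
        '  <services>\n'
        '    <service url_pattern="/dacs/conf"/>\n'
        '  </services>\n'
        '</acl_rule>\n'
    ),
    # Identical url_pattern in a second file: exactly what dacsacl warns about.
    "acl-conf-copy.0": (
        '<acl_rule>\n'
        '  <services>\n'
        '    <service url_pattern="/dacs/conf"/>\n'
        '  </services>\n'
        '</acl_rule>\n'
    ),
    # Differs only by a trailing slash: possibly equivalent at run time, but
    # neither dacsacl nor this scanner can tell, so it is not reported.
    "acl-conf-alt.0": (
        '<acl_rule>\n'
        '  <services>\n'
        '    <service url_pattern="/dacs/conf/"/>\n'
        '  </services>\n'
        '</acl_rule>\n'
    ),
    # Malformed XML (the <acl_rule> element is never closed).
    "acl-broken.0": (
        '<acl_rule>\n'
        '  <services>\n'
        '    <service url_pattern="/dacs/x"/>\n'
        '  </services>\n'
    ),
}


def parse_acls(acl_texts):
    """Parse every file; return (roots by name, parse-error text by name)."""
    roots, errors = {}, {}
    for name, text in acl_texts.items():
        try:
            roots[name] = ET.fromstring(text)
        except ET.ParseError as exc:
            errors[name] = str(exc)
    return roots, errors


def syntax_errors(acl_texts):
    """Sorted names of ACL files that are not well-formed XML."""
    return sorted(parse_acls(acl_texts)[1])


def find_duplicates(acl_texts):
    """Return [(attribute, value, [acl-names])] for url_pattern / url_expr
    values that are byte-identical across two or more parseable files."""
    seen = defaultdict(set)
    roots, _ = parse_acls(acl_texts)
    for name, root in roots.items():
        for elem in root.iter():          # root.iter() walks every element
            for attr in ("url_pattern", "url_expr"):
                value = elem.get(attr)
                if value is not None:
                    seen[(attr, value)].add(name)
    return [(attr, value, sorted(names))
            for (attr, value), names in sorted(seen.items())
            if len(names) > 1]


def report(acl_texts):
    """One line per finding, suitable for printing or for a pre-deploy gate."""
    lines = []
    for name in syntax_errors(acl_texts):
        lines.append(f"Error: {name}: not well-formed XML")
    for attr, value, names in find_duplicates(acl_texts):
        lines.append(f'(Note: duplicate {attr}="{value}" in {", ".join(names)})')
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_ACLS):
        print(line)
```

Running the module prints one error for acl-broken.0 and one duplicate note naming acl-conf-copy.0 and acl-conf.0; the trailing-slash file produces nothing, which is the limitation the text above describes.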
OPTIONS
In addition to the standard dacsoptions[1], dacsacl recognizes these options:
-build
Index rebuilding is done by default with most modes of
operation, but it can be explicitly requested with this flag. If the flag is
given, it is not an error if an index file does not exist (as when initially
creating an index).
-nobuild
Suppress index rebuilding.
-vfs vfs_uri
This flag, which may be repeated, causes vfs_uri
to be defined as if by a VFS[5] directive, overriding any existing
definition. This can be used to specify an alternate location for the item
types acls or dacs_acls, for instance. As a special case, if acls (dacs_acls)
is defined using this flag but not dacs_acls (acls), then only the former's
index will be rebuilt.
This option can be useful in conjunction with the -un[1] flag so
that indexes can be generated before a jurisdiction has been configured.
The optional op-spec describes one of the following operations:
-convert
This flag is used to convert from the older rule
processing scheme (pre-1.4.21) to the current scheme. It should only be needed
by installations that are using custom rules (i.e., those other than the
standard rules for DACS web pages and web services). Note that in some
cases (described below) conversion is not fully automated, so the
administrator may need to do some additional work.
--
This flag is a no-op that is used to prevent any
following argument from being interpreted as a flag or operation.
-f file [...]
Each file argument is the pathname of an ACL file
or a directory containing ACL files. Since ACL files can be organized using a
directory structure, directories are checked recursively.
-l
List the full URI of each access control rule in the
virtual filestore for item types acls and dacs_acls. No error checking is
performed.
-s
List the name (sans prefixes) of each access control rule
in the virtual filestore for item types acls and dacs_acls. No error checking
is performed.
-tc
Clean up the authorization cache by deleting expired or
otherwise invalid entries. Note: since there may not be any concurrency
control in effect, this should probably not be done while DACS could be
writing to the file.
-td # ...
Delete one or more authorization cache entries by giving
their integer listing number (starting at 1, as produced by the -tl
flag). Note: since there may not be any concurrency control in effect, this
should probably not be done while DACS could be writing to the
file.
-tl
List the entries in the authorization cache.
-tt
Truncate the authorization cache, effectively deleting
everything in the cache. This is not currently implemented; in the meantime,
simply delete the file or database, or copy /dev/null to it.
If one or more acl-name arguments appear they are interpreted as ACL
files accessed through DACS's virtual filestore using item types acls
and dacs_acls (both are checked). The applicable DACS configuration for
the item type determines how an acl-name will be accessed. Note that
acl-name must be the actual filename.
If no op-spec or acl-name is specified, dacsacl will
examine all currently indexed ACL files configured for the appropriate
DACS jurisdiction.
EXAMPLES
The following command checks all of the access control rules belonging to the jurisdiction associated with dss.example.com:

% dacsacl -u dss.example.com -v
Checking: /usr/local/dacs/federations/dss/acls/acl.2
Checking: /usr/local/dacs/federations/dss/acls/acl.3
Checking: /usr/local/dacs/federations/dss/acls/acl.4
Checking: /usr/local/dacs/acls/acl-auth.0
(Note: duplicate keys for "acl-auth.0" and "acl-conf.0")
Checking: /usr/local/dacs/acls/acl-conf.0
(Note: duplicate keys for "acl-conf.0" and "acl-dacs.0")
Checking: /usr/local/dacs/acls/acl-dacs.0
(Note: duplicate keys for "acl-dacs.0" and "acl-passwd.0")
Checking: /usr/local/dacs/acls/acl-passwd.0
(Note: duplicate keys for "acl-passwd.0" and "acl-stddocs.0")
Checking: /usr/local/dacs/acls/acl-stddocs.0
Updated rule: [acls]dacs-fs:/usr/local/dacs/conf/acls/acl-abc.0
Updated rule: [acls]dacs-fs:/usr/local/dacs/conf/acls/acl-accounts.0
...
Built index for "acls": 44 rules
Updated rule: [dacs_acls]dacs-fs:/usr/local/dacs/acls/acl-admin.0
Updated rule: [dacs_acls]dacs-fs:/usr/local/dacs/acls/acl-auth-agent.0
...
Built index for "dacs_acls": 14 rules
58 ACL files were checked (OK)

The following command checks only the single rule named acl.2 in the same jurisdiction:

% dacsacl -u dss.example.com -v acl.2
Checking: /usr/local/dacs/federations/dss/acls/acl.2
1 ACL file was checked (OK)
DIAGNOSTICS
The program exits 0 if everything was fine, 1 if an error occurred.

SEE ALSO
dacsvfs(1)[6], dacs.acls(5)[3], dacs_acs(8)[7], dacs_admin(8)[4], dacs_vfs(8)[8]

AUTHOR
Distributed Systems Software (www.dss.ca[9])

COPYING
Copyright 2003-2013 Distributed Systems Software. See the LICENSE[10] file that accompanies the distribution for licensing information.

NOTES
1. dacsoptions
2. dacs_acs(8)
3. dacs.acls(5)
4. dacs_admin(8)
5. VFS
6. dacsvfs(1)
7. dacs_acs(8)
8. dacs_vfs(8)
9. www.dss.ca
10. LICENSE
07/17/2013                            DACS 1.4.28b