author | Sergey Poznyakoff <gray@gnu.org> | 2016-03-05 15:14:24 +0200 |
---|---|---|
committer | Sergey Poznyakoff <gray@gnu.org> | 2016-03-05 15:22:55 +0200 |
commit | ad5bd6e401657b9cb0fed04d15cdc6feeef91e15 (patch) | |
tree | 59838ad72680ba73145708c7a30a765ec2afdba0 /doc | |
parent | e558ab9db422cfd2bd59a07b72119b67a7598896 (diff) | |
download | pies-ad5bd6e401657b9cb0fed04d15cdc6feeef91e15.tar.gz pies-ad5bd6e401657b9cb0fed04d15cdc6feeef91e15.tar.bz2 |
ACL reference statements.
All ACL keywords can be used in simple statement form as well as in block form.
As simple statements, they take a name of an already defined named ACL. E.g.:
    defacl forbid {
        deny any;
    }
    component foo {
        list-acl forbid;
    }
This commit also fixes some eventual double-frees.
* doc/pies.texi: Update.
* src/acl.c (pies_acl)<refcnt>: New member.
(pies_acl_use): New function.
(pies_acl_create): Initialize refcnt.
(pies_acl_destroy): New function.
(pies_acl_free): Rewrite as a wrapper over pies_acl_destroy.
(_parse_sub_acl): Call pies_acl_use when installing a named ACL.
(_acl_common_section_parser): Handle grecs_callback_set_value.
* src/acl.h (pies_acl_destroy)
(pies_acl_use): New function.
* src/comp.c (component_free): Free acl.
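The ownership model the ChangeLog entries above describe (a reference count on each ACL, one more reference taken when a named ACL is installed in a component, release on component free), shown as an added example that is not the code from this commit. The names struct acl, acl_create, acl_use and acl_destroy, the double-pointer destroy signature and the live counter are assumptions made for illustration.

```c
#include <stdlib.h>
/* Hypothetical stand-ins: names and layout are assumptions, not pies' src/acl.c. */
struct acl {
    unsigned refcnt;    /* number of owners holding this ACL */
    int *live;          /* constructed test hook: count of ACLs not yet freed */
};

static struct acl *acl_create(int *live)
{
    struct acl *a = calloc(1, sizeof(*a));
    if (!a) return NULL;
    a->refcnt = 1;      /* the creator is the first owner */
    a->live = live;
    ++*live;
    return a;
}

/* Take one more reference, e.g. when a component names an existing ACL. */
static struct acl *acl_use(struct acl *a)
{
    if (a) a->refcnt++;
    return a;
}

/* Drop one reference, clear the caller's pointer, free only on the last one. */
static void acl_destroy(struct acl **pa)
{
    struct acl *a = pa ? *pa : NULL;
    if (!a) return;
    *pa = NULL;         /* a repeated destroy through this pointer is a no-op */
    if (--a->refcnt == 0) {
        --*a->live;
        free(a);
    }
}

/* One named ACL shared by two components; out[] records live ACLs per step. */
static void demo(int out[3])
{
    int live = 0;
    struct acl *named = acl_create(&live);  /* defacl forbid { ... } */
    struct acl *foo = acl_use(named);       /* component foo: list-acl forbid; */
    struct acl *bar = acl_use(named);       /* hypothetical second component */
    acl_destroy(&foo); acl_destroy(&foo);   /* freed twice by mistake: harmless */
    out[0] = live;
    acl_destroy(&bar);   out[1] = live;
    acl_destroy(&named); out[2] = live;     /* last owner: memory released */
}
int main(void) { int out[3]; demo(out); return out[2]; }
```

Without the count, each component freeing the ACL it points to would release the same named ACL once per component that references it.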
Diffstat (limited to 'doc')
-rw-r--r-- | doc/pies.texi | 46 |
1 files changed, 36 insertions, 10 deletions
diff --git a/doc/pies.texi b/doc/pies.texi index 8e25e76..ae4a56a 100644 --- a/doc/pies.texi +++ b/doc/pies.texi | |||
@@ -862,16 +862,6 @@ process instead. | |||
862 | @end table | 862 | @end table |
863 | @end deffn | 863 | @end deffn |
864 | 864 | ||
865 | @deffn {Config: component} user-acl @{ @dots{} @} | ||
866 | ACL controlling read-only access to this component. | ||
867 | @FIXME-pxref{Access to Components}. | ||
868 | @end deffn | ||
869 | |||
870 | @deffn {Config: component} admin-acl @{ @dots{} @} | ||
871 | ACL controlling administrative (write) access to this component. | ||
872 | @FIXME-pxref{Access to Components}. | ||
873 | @end deffn | ||
874 | |||
875 | The following subsections describe the rest of @samp{component} | 865 | The following subsections describe the rest of @samp{component} |
876 | substatements. | 866 | substatements. |
877 | 867 | ||
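Review bot: the removed user-acl entry (old lines 865-868) has no successor under that name. The section added later in this patch documents list-acl, and the syntax summary already spelled it list-acl. If user-acl was ever accepted in a configuration file, the manual should say that it was renamed; otherwise an operator carrying over an old configuration has no way to learn that the read-only ACL is now list-acl.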
@@ -884,6 +874,7 @@ substatements. | |||
884 | * Output Redirectors:: | 874 | * Output Redirectors:: |
885 | * Inetd-Style Components:: | 875 | * Inetd-Style Components:: |
886 | * Meta1-Style Components:: | 876 | * Meta1-Style Components:: |
877 | * Visibility:: | ||
887 | * Component Syntax Summary:: | 878 | * Component Syntax Summary:: |
888 | @end menu | 879 | @end menu |
889 | 880 | ||
@@ -1603,6 +1594,34 @@ This socket file is supposed to be created by the component binary | |||
1603 | upon its startup. | 1594 | upon its startup. |
1604 | @end deffn | 1595 | @end deffn |
1605 | 1596 | ||
1597 | @node Visibility | ||
1598 | @subsection Component Visibility ACLs | ||
1599 | |||
1600 | Pies control interface allows certain users to list and modify | ||
1601 | components of a running @command{pies} instance. Two access control | ||
1602 | lists define who can list and modify the particular component. | ||
1603 | |||
1604 | @deffn {Config: component} list-acl @var{name} | ||
1605 | @deffnx {Config: component} list-acl @{ @dots{} @} | ||
1606 | This list controls who can get listing of this component | ||
1607 | (@FIXME-pxref{component listing}). | ||
1608 | |||
1609 | In the first form, @var{name} refers to the name of an already defined | ||
1610 | global ACL (@pxref{defacl}). | ||
1611 | |||
1612 | The second form defines new unnamed ACL. The syntax is described in | ||
1613 | detail in @ref{ACL}. | ||
1614 | @end deffn | ||
1615 | |||
1616 | @deffn {Config: component} admin-acl @var{name} | ||
1617 | @deffnx {Config: component} admin-acl @{ @dots{} @} | ||
1618 | This list controls who can stop, restart or otherwise modify this | ||
1619 | component (@FIXME-pxref{component management}). | ||
1620 | |||
1621 | As above, two forms are available: the first one for using an already | ||
1622 | defined named ACL, and the second one, for defining a new ACL in place. | ||
1623 | @end deffn | ||
1624 | |||
1606 | @node Component Syntax Summary | 1625 | @node Component Syntax Summary |
1607 | @subsection Component Syntax Summary | 1626 | @subsection Component Syntax Summary |
1608 | This subsection summarizes the @code{component} statements. For each | 1627 | This subsection summarizes the @code{component} statements. For each |
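Review bot: the new Visibility text never says what applies to a component that has neither list-acl nor admin-acl. State the default right after the introductory paragraph at new lines 1600-1602, since that is what decides who can list or modify a component nobody wrote an ACL for. It would also help to say what happens when @var{name} does not refer to an already defined ACL. Two smaller points: the section introduces new placeholders, @FIXME-pxref{component listing} and @FIXME-pxref{component management}, and the wording needs articles ("The Pies control interface", "get a listing", "defines a new unnamed ACL").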
@@ -1687,14 +1706,20 @@ component @var{tag} @{ | |||
1687 | 1706 | ||
1688 | # @r{ACL for administrative access to this component.} | 1707 | # @r{ACL for administrative access to this component.} |
1689 | # @FIXME-xref{Access to Components}. | 1708 | # @FIXME-xref{Access to Components}. |
1709 | admin-acl @var{name}; | ||
1710 | # @r{or:} | ||
1690 | admin-acl @{ @dots{} @} | 1711 | admin-acl @{ @dots{} @} |
1691 | 1712 | ||
1692 | # @r{ACL for read-only access to this component.} | 1713 | # @r{ACL for read-only access to this component.} |
1693 | # @FIXME-xref{Access to Components}. | 1714 | # @FIXME-xref{Access to Components}. |
1715 | list-acl @var{name}; | ||
1716 | # @r{or:} | ||
1694 | list-acl @{ @dots{} @} | 1717 | list-acl @{ @dots{} @} |
1695 | 1718 | ||
1696 | # @r{ACL for this component.} | 1719 | # @r{ACL for this component.} |
1697 | # @xref{ACL}. | 1720 | # @xref{ACL}. |
1721 | acl @var{name}; | ||
1722 | # @r{or:} | ||
1698 | acl @{ @dots{} @} | 1723 | acl @{ @dots{} @} |
1699 | 1724 | ||
1700 | # @r{Override default syslog facility for this component.} | 1725 | # @r{Override default syslog facility for this component.} |
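Review bot: the comments above admin-acl and list-acl still read @FIXME-xref{Access to Components}, although this patch adds the node that documents both statements. Point them at it with @xref{Visibility}, the same way the acl entry uses @xref{ACL}. Also, the summary lists admin-acl before list-acl while the new section has them in the opposite order; pick one.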
@@ -1925,6 +1950,7 @@ acl @{ | |||
1925 | component @acronym{ACL} is consulted. As a result, access is | 1950 | component @acronym{ACL} is consulted. As a result, access is |
1926 | granted only if both lists allow it. | 1951 | granted only if both lists allow it. |
1927 | 1952 | ||
1953 | @anchor{defacl} | ||
1928 | A @dfn{named @acronym{ACL}} is an access control list which is | 1954 | A @dfn{named @acronym{ACL}} is an access control list which is |
1929 | assigned its own name. Named @acronym{ACL}s are defined using | 1955 | assigned its own name. Named @acronym{ACL}s are defined using |
1930 | the @samp{defacl} statement: | 1956 | the @samp{defacl} statement: |