Access Control List

An Access Control List (ACL) is a list of permissions attached to an object. Each entry names an agent (a user, a group, a host, or one of the symbolic roles below) and the actions that agent may perform on the object.

An ACL is expressed in terms of the operations that are permitted to an agent acting on the object. An agent may be a USER (login account), an OS group (OSGROUP), a FairShare group (FSGROUP), a machine (HOST) or one of the symbolic agents EVERYBODY, OWNER, ADMIN. The most powerful agent is SERVER, which bypasses the ACL altogether. The agent types are described in the ACL Agents table below.

For the agents that are groups, membership in the group confers the operations permitted to that agent. For example, if the login joe is a member of the OS group dvregr, and OSGROUP dvregr has DELEGATE on a FairShare group, then joe may add ACLs to that FairShare group (for example with vovacl -append). Note that APPEND is a vovacl command, not an ACL action; the action that controls who may assign ACLs is DELEGATE.

To bypass the ACL entirely, you must be logged in on the host running vovserver as the user that runs vovserver, and you must set VOV_HOST_NAME to "localhost" so that your clients connect over the loopback interface and are treated as the SERVER agent (see Obtain SERVER Credentials below).

ACL Management

ACL management is done with the vovacl script, which has the following syntax:
% vovacl [OPTIONS]  <Objects>

Utility   Description
vovacl    Script to manage ACLs in VOV (its full usage message is reproduced at the end of this page)

ACL Commands

ACL management consists of the following commands:

Command   Description
GET       Get the current ACLs on an object
RESET     Reset the ACLs on an object to the defaults (see below)
APPEND    Add ACLs to an object
DELETE    Delete an ACL element from an object

The GET operation shows you the current ACLs that are associated with an object, if the ACL permits you to VIEW it.

The RESET operation removes all the object's current ACLs and replaces them with the default values:
ACL  1: OWNER      ""   ATTACH DETACH EDIT VIEW FORGET DELEGATE EXISTS
ACL  2: EVERYBODY  ""   ATTACH VIEW
Note that the defaults let EVERYBODY ATTACH to and VIEW the object, while only the OWNER may DETACH, EDIT, FORGET or DELEGATE. A RESET on an object whose ACL had been tightened therefore re-opens ATTACH and VIEW to all users, so check the result with GET afterwards.

The APPEND operation adds a new ACL to an object.

The DELETE operation removes an ACL element from an object. The element is identified by the agent and name fields.

ACL Agents

Access control is performed each time a client tries to perform a controlled action. The following types of agents can perform controlled actions:

Agent           Description
SERVER          The vovserver binary, and the vovserver owner connected to the server over the loopback interface (localhost = 127.0.0.1). This is the most powerful agent; it bypasses the ACL and can change the owner of some objects.
ADMIN           All users that have been assigned as project administrators
EVERYBODY       All users in the system
OWNER           The project owner
HOST name       All users connecting from the named host
USER name       A specific user
OSGROUP name    All users in the named OS group
FSGROUP name    All users in the named FairShare group

ACL Actions

Following are the actions that can be controlled via ACLs:

Action      Description
EXISTS      The agent is aware of the existence of the object
VIEW        View properties of an object
ATTACH      Create a relationship between objects
DETACH      Destroy a relationship between objects
EDIT        Modify properties of an object
RETRACE     Retrace an object
STOP        Stop an object
SUSPEND     Suspend an object
FORGET      Forget an object
DELEGATE    Assign ACLs on an object
Note: Not all actions apply to all objects. In the case of FairShare groups, the applicable actions are ATTACH, EDIT, VIEW and DELEGATE. The actions RETRACE, STOP, SUSPEND and FORGET are reserved for use with jobs in future releases. The action name is EXISTS (as shown in the RESET defaults and in the vovacl usage message), not EXIST.
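The following is an added example, not part of the VOV documentation or of the vovacl tool. It parses ACL entries in the format shown by RESET and GET above and evaluates them with the semantics described on this page: an action is permitted when at least one entry whose agent matches the requester lists that action, group agents (OSGROUP, FSGROUP, HOST) confer their actions on their members, and the SERVER agent (the vovserver owner connected via localhost) bypasses the ACL. The Client record, the owner and server_owner parameters, and the "dvregr" entry appended to the defaults are assumptions made for the example; it also rejects unknown action names, which catches the APPEND-versus-DELEGATE confusion from the group example above.

```python
# Added example, not part of the VOV documentation or the vovacl tool: an
# evaluator for ACL entries in the format shown by RESET/GET on this page.
# Semantics taken from the page: an action is permitted when some entry whose
# agent matches the requester lists it; group agents confer their actions on
# members; the SERVER agent (vovserver owner on localhost) bypasses the ACL.
# The Client record, owner/server_owner parameters and the "dvregr" entry
# are assumptions made for this example.
from dataclasses import dataclass, field
import re
import shlex

ACTIONS = ("EXISTS", "VIEW", "ATTACH", "DETACH", "EDIT",
           "RETRACE", "STOP", "SUSPEND", "FORGET", "DELEGATE")
ACL_LINE = re.compile(r"^\s*ACL\s+\d+:\s+(\S+)\s+(.*)$")

@dataclass(frozen=True)
class AclEntry:
    agent: str        # SERVER, ADMIN, EVERYBODY, OWNER, HOST, USER, OSGROUP, FSGROUP
    name: str         # "" for symbolic agents, else the host/user/group name
    actions: frozenset

@dataclass
class Client:
    """Who is asking: login name, connecting host, group memberships."""
    user: str
    host: str
    os_groups: set = field(default_factory=set)
    fs_groups: set = field(default_factory=set)
    is_admin: bool = False

def parse_acl(text):
    """Parse lines such as:  ACL  2: EVERYBODY  ""   ATTACH VIEW"""
    entries = []
    for line in text.splitlines():
        m = ACL_LINE.match(line)
        if not m:
            continue                        # skip blank or unrelated lines
        tokens = shlex.split(m.group(2))    # shlex turns the quoted "" into ''
        if not tokens:
            raise ValueError(f"entry without name field: {line!r}")
        name, actions = tokens[0], [a.upper() for a in tokens[1:]]
        bad = [a for a in actions if a not in ACTIONS]
        if bad:
            raise ValueError(f"unknown action(s) {bad} in {line!r}")
        entries.append(AclEntry(m.group(1).upper(), name, frozenset(actions)))
    return entries

def is_server_agent(client, server_owner):
    """Assumed SERVER rule: the vovserver owner connected via the loopback address."""
    return client.user == server_owner and client.host in ("localhost", "127.0.0.1")

def agent_matches(entry, client, owner):
    """Does the entry's agent cover the requesting client?"""
    a, n = entry.agent, entry.name
    if a == "EVERYBODY":
        return True
    if a == "OWNER":
        return client.user == owner
    if a == "ADMIN":
        return client.is_admin
    if a == "USER":
        return client.user == n
    if a == "HOST":
        return client.host == n
    if a == "OSGROUP":
        return n in client.os_groups
    if a == "FSGROUP":
        return n in client.fs_groups
    return False                            # unknown agent type: fail closed

def permitted_actions(entries, client, owner, server_owner):
    """Union of the actions every matching entry grants to `client`."""
    if is_server_agent(client, server_owner):
        return set(ACTIONS)                 # SERVER bypasses the ACL entirely
    granted = set()
    for e in entries:
        if agent_matches(e, client, owner):
            granted |= e.actions
    return granted

def permitted(entries, client, action, owner, server_owner):
    """True if `client` may perform `action` on an object owned by `owner`."""
    return action.upper() in permitted_actions(entries, client, owner, server_owner)

# The RESET defaults from this page, plus a constructed third entry as it would
# appear after:  vovacl -agent "OSGROUP dvregr" -append -actions DELEGATE
DEFAULT_ACL = """\
ACL  1: OWNER      ""   ATTACH DETACH EDIT VIEW FORGET DELEGATE EXISTS
ACL  2: EVERYBODY  ""   ATTACH VIEW
"""
EXTENDED_ACL = DEFAULT_ACL + 'ACL  3: OSGROUP    dvregr   DELEGATE\n'

if __name__ == "__main__":
    joe = Client("joe", "build02", os_groups={"dvregr"})     # assumed client
    for label, text in (("default", DEFAULT_ACL), ("extended", EXTENDED_ACL)):
        print(label, "joe may:", sorted(permitted_actions(parse_acl(text), joe, "alice", "vovadmin")))
    print("vovadmin on localhost may FORGET:", permitted(parse_acl(DEFAULT_ACL),
          Client("vovadmin", "localhost"), "FORGET", "alice", "vovadmin"))
```

With the defaults, joe (a member of dvregr, not the owner) gets only ATTACH and VIEW; after the appended OSGROUP entry he also gets DELEGATE, which is what lets him add further ACLs. The same vovadmin login is SERVER only when the connecting host is the loopback address; from any other host it is just EVERYBODY, which is the distinction the Obtain SERVER Credentials procedure below relies on.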

Obtain SERVER Credentials

For some ACL operations you will need the most powerful credentials, i.e. SERVER, which are only available to the owner of the vovserver process when connected over the loopback interface.
  • Log in on the vovserver host as the user that is running vovserver
  • Enable the project with vovproject enable PROJECTNAME
  • Set VOV_HOST_NAME to localhost (csh syntax shown; in sh or bash use export VOV_HOST_NAME=localhost)
    % setenv VOV_HOST_NAME localhost
  • Now your clients act as the SERVER agent with respect to the ACL
Because SERVER bypasses the ACL entirely, a shell as the vovserver owner on the server host is equivalent to full control of the project: protect that account accordingly, and unset VOV_HOST_NAME again once the privileged operation is done rather than leaving it in that account's normal environment.

vovacl

vovacl: Usage Message

 DESCRIPTION:
  Preliminary version of a script to manage ACL's in VOV.
  NOTE:
    Command line arguments and options are likely to change
    in future versions.
    Feedback welcome.

 USAGE:

    % vovacl [OPTIONS]  <Objects>
 OPTIONS:
    -h        -- This help
    -v        -- Increase verbosity
    -agent   [ ADMIN | USER name | EVERYBODY ]
    -actions [ VIEW | EXISTS | RETRACE | STOP | ... ]
    -append
    -set
    -delete
    -show     -- Show current ACL for specified objects.
    -reset    -- Reset acl to default values

 OBJECTS:
     <setName>
     <fairshareGroupName>
     <vovId>

 EXAMPLES:
   % vovacl -agent ADMIN -append -actions VIEW,RETRACE,STOP,FORGET MySetName
   % vovacl -agent "USER cadmgr" -append -actions STOP  /system/processcontrol
   % vovacl -agent "OSGROUP designers" -append -actions STOP  00123456
   % vovacl -reset 00123456