table of contents
DACSACL(1) | DACS Commands Manual | DACSACL(1) |
NAME¶
dacsacl - list, check, or re-index access control rules
SYNOPSIS¶
dacsacl [dacsoptions[1]] [-build | -nobuild] [-vfs vfs_uri] [...] [op-spec] [acl-name...]
DESCRIPTION¶
This program is part of the DACS suite.
The dacsacl utility performs administrative functions related to access control, such as:
Please refer to dacs.acls(5)[3] for details about how access control rule files are named.
Important
Version 1.4.21 introduced important changes to the way DACS processes access control files, introducing incompatibilities with earlier releases. Please pay special attention to the -convert and -build flags.
Most importantly, after adding, deleting, or editing an access control file the ACL index must be regenerated. This can be done simply by running dacsacl with no arguments.
Notes
OPTIONS¶
In addition to the standard dacsoptions[1], dacsacl recognizes these options:
-build
-nobuild
-vfs vfs_uri
This option can be useful in conjunction with the -un[1] flag so that indexes can be generated before a jurisdiction has been configured.
The optional op-spec describes one of the following operations:
-convert
--
-f file [...]
-l
-s
-tc
-td # ...
-tl
-tt
If one or more acl-name arguments appear they are interpreted as ACL files accessed through DACS's virtual filestore using item types acls and dacs_acls (both are checked). The applicable DACS configuration for the item type determines how an acl-name will be accessed. Note that acl-name must be the actual filename.
If no op-spec or acl-name is specified, dacsacl will examine all currently indexed ACL files configured for the appropriate DACS jurisdiction.
EXAMPLES¶
The following command checks all of the access control rules belonging to the jurisdiction associated with dss.example.com:
% dacsacl -u dss.example.com -v Checking: /usr/local/dacs/federations/dss/acls/acl.2 Checking: /usr/local/dacs/federations/dss/acls/acl.3 Checking: /usr/local/dacs/federations/dss/acls/acl.4 Checking: /usr/local/dacs/acls/acl-auth.0 (Note: duplicate keys for "acl-auth.0" and "acl-conf.0") Checking: /usr/local/dacs/acls/acl-conf.0 (Note: duplicate keys for "acl-conf.0" and "acl-dacs.0") Checking: /usr/local/dacs/acls/acl-dacs.0 (Note: duplicate keys for "acl-dacs.0" and "acl-passwd.0") Checking: /usr/local/dacs/acls/acl-passwd.0 (Note: duplicate keys for "acl-passwd.0" and "acl-stddocs.0") Checking: /usr/local/dacs/acls/acl-stddocs.0 Updated rule: [acls]dacs-fs:/usr/local/dacs/conf/acls/acl-abc.0 Updated rule: [acls]dacs-fs:/usr/local/dacs/conf/acls/acl-accounts.0 ... Built index for "acls": 44 rules Updated rule: [dacs_acls]dacs-fs:/usr/local/dacs/acls/acl-admin.0 Updated rule: [dacs_acls]dacs-fs:/usr/local/dacs/acls/acl-auth-agent.0 ... Built index for "dacs_acls": 14 rules 58 ACL files were checked (OK)
Note
While it is not an error for access control rules to have the same numeric suffix, because the suffix partly determines the order in which roles are processed, using equal suffix values accidentally may have unintended results.
The following command checks only one access control rule belonging to the jurisdiction associated with dss.example.com:
% dacsacl -u dss.example.com -v acl.2 Checking: /usr/local/dacs/federations/dss/acls/acl.2 1 ACL file was checked (OK)
In general, to validate and index a set of rules placed in the directory /tmp/rules:
% dacsacl -un -q -build -vfs "[dacs_acls]file:///tmp/rules"
DIAGNOSTICS¶
The program exits 0 if everything was fine, 1 if an error occurred.
SEE ALSO¶
dacsvfs(1)[6], dacs.acls(5)[3], dacs_acs(8)[7], dacs_admin(8)[4], dacs_vfs(8)[8]
AUTHOR¶
Distributed Systems Software (www.dss.ca[9])
COPYING¶
Copyright © 2003-2016 Distributed Systems Software. See the LICENSE[10] file that accompanies the distribution for licensing information.
NOTES¶
- 1.
- dacsoptions
- 2.
- dacs_acs(8)
- 3.
- dacs.acls(5)
- 4.
- dacs_admin(8)
- 5.
- VFS
- 6.
- dacsvfs(1)
- 7.
- dacs_acs(8)
- 8.
- dacs_vfs(8)
- 9.
- www.dss.ca
- 10.
- LICENSE
08/23/2020 | DACS 1.4.40 |