NAME¶

Wallet::ACL::NetDB::Root - Wallet ACL verifier for NetDB roles (root instances)

SYNOPSIS¶

    my $verifier = Wallet::ACL::NetDB::Root->new;
    my $status = $verifier->check ($principal, $node);
    if (not defined $status) {
        die "Something failed: ", $verifier->error, "\n";
    } elsif ($status) {
        print "Access granted\n";
    } else {
        print "Access denied\n";
    }

DESCRIPTION¶

Wallet::ACL::NetDB::Root works identically to Wallet::ACL::NetDB except that it requires the principal to be a root instance (in other words, to be in the form <principal>/root@<realm>) and strips the "/root" portion from the principal before checking against NetDB roles. As with the base NetDB ACL verifier, the value of a "netdb-root" ACL is a node, and the ACL grants access to a given principal if and only if the that principal (with "/root" stripped) has one of the roles user, admin, or team for that node.

To use this object, the same configuration parameters must be set as for Wallet::ACL::NetDB. See Wallet::Config(3) for details on those configuration parameters and information about how to set wallet configuration.

METHODS¶

check(PRINCIPAL, ACL): Returns true if PRINCIPAL is granted access according to ACL, false if not, and undef on an error (see "DIAGNOSTICS" below). ACL is a node, and PRINCIPAL will be granted access if it has an instance of "root" and if (with "/root" stripped off and the realm stripped off if configured) has the user, admin, or team role for that node.

DIAGNOSTICS¶

Same as for Wallet::ACL::NetDB.

CAVEATS¶

The instance to strip is not currently configurable.

The list of possible NetDB roles that should be considered sufficient to grant access is not currently configurable.

AUTHOR¶

Russ Allbery <eagle@eyrie.org>

2024-08-01

perl v5.38.2

Source file:	Wallet::ACL::NetDB::Root.3pm.en.gz (from krb5-wallet-server 1.5-1.1)
Source last updated:	2024-08-01T23:29:30Z
Converted to HTML:	2024-11-12T08:56:55Z