Access Control Checking

Access Control Checking — Parse ACL definitions and perform access control checks

Synopsis


#include <monitor/producer/acl.h>


            prod_acl_entry;
enum        prod_access;
            prod_acl_subject;
enum        prod_subject;
int         prod_acl_parse_entry            (const char *entry);
int         prod_acl_parse_file             (const char *filename);
int         prod_acl_entry_add              (prod_access access,
                                             mon_metric_def_domain domain,
                                             const char *name_pattern,
                                             void *constraints,
                                             prod_acl_subject *subject);
int         prod_check_metric_access        (const prod_conn *conn,
                                             const mon_metric_def *def,
                                             const mon_arg_list *metric_args);
int         prod_check_ctrl_access          (const prod_conn *conn,
                                             const mon_metric_def *def,
                                             const mon_arg_list *ctrl_args);

enum        prod_limit;
#define     PROD_LIMIT_MAX
            prod_limit_entry;
int         prod_limit_entry_add            (const char *name,
                                             int value,
                                             prod_acl_subject *subject);
int         prod_limit_check_conn           (prod_conn *conn,
                                             prod_limit code,
                                             int def_value);
int         prod_limit_check_user           (prod_user *user,
                                             prod_limit code,
                                             int def_value);

Description

Details

prod_acl_entry

typedef struct {
	prod_access		access;
	mon_metric_def_domain	domain;
	GPatternSpec		*name_pattern;
	void			*constraints;
	prod_acl_subject	*subject;
	unsigned int		id;
} prod_acl_entry;

Describes an access control list entry.

prod_access `access`;	either `PROD_ACCESS_ALLOW` or `PROD_ACCESS_DENY`.
mon_metric_def_domain `domain`;	either `MON_DOM_METRIC` or `MON_DOM_CTRL`.
GPatternSpec *`name_pattern`;	glob-style pattern for which metrics/controls this entry is valid for.
void *`constraints`;	further constraints based on metric/control arguments.
prod_acl_subject *`subject`;	the ACL's subject.
unsigned int `id`;	the rule's identifier used for debugging.

enum prod_access

typedef enum {
	PROD_ACCESS_ALLOW,
	PROD_ACCESS_DENY
} prod_access;

Access constants.

`PROD_ACCESS_ALLOW`	allow access.
`PROD_ACCESS_DENY`	deny access.

prod_acl_subject

typedef struct {
	prod_subject		type;
	void			*priv;
} prod_acl_subject;

ACL subject definition.

prod_subject `type`;	a prod_subject type.
void *`priv`;	internal data.

enum prod_subject

typedef enum {
	PROD_SUBJ_EVERYONE,
	PROD_SUBJ_USER,
	PROD_SUBJ_USER_PAT,
	PROD_SUBJ_NETADDR
} prod_subject;

ACL subject types.

`PROD_SUBJ_EVERYONE`	matches every user.
`PROD_SUBJ_USER`	exact user name matching.
`PROD_SUBJ_USER_PAT`	glob-style pattern matching for the user name.
`PROD_SUBJ_NETADDR`	connection peer address matching.

prod_acl_parse_entry ()

int         prod_acl_parse_entry            (const char *entry);

Parses a single ACL definition.

`entry` :	the entry to parse.
Returns :	0 if successful or an error code.

prod_acl_parse_file ()

int         prod_acl_parse_file             (const char *filename);

Parses an ACL definition file.

`filename` :	the name of the ACL definition file.
Returns :	0 if successful or an error code.

prod_acl_entry_add ()

int         prod_acl_entry_add              (prod_access access,
                                             mon_metric_def_domain domain,
                                             const char *name_pattern,
                                             void *constraints,
                                             prod_acl_subject *subject);

Allocates a new prod_acl_entry.

`access` :	a prod_access access code.
`domain` :	a mon_metric_def_domain domain.
`name_pattern` :	glob-style pattern that should match the name of the metric or control.
`constraints` :	metric/control constraints.
`subject` :	ACL subject.
Returns :	0 if successful or an error code.

prod_check_metric_access ()

int         prod_check_metric_access        (const prod_conn *conn,
                                             const mon_metric_def *def,
                                             const mon_arg_list *metric_args);

Checks if access to a metric should be granted or not.

`conn` :	the destination prod_conn connection handle.
`def` :	a mon_metric_def.
`metric_args` :	metric arguments.
Returns :	`PROD_ACCESS_ALLOW` if access is allowed, `PROD_ACCESS_DENY` if access is denied.

prod_check_ctrl_access ()

int         prod_check_ctrl_access          (const prod_conn *conn,
                                             const mon_metric_def *def,
                                             const mon_arg_list *ctrl_args);

Checks if access to a control should be granted or not.

`conn` :	the destination prod_conn connection handle.
`def` :	a mon_metric_def.
`ctrl_args` :	control arguments.
Returns :	`PROD_ACCESS_ALLOW` if access is allowed, `PROD_ACCESS_DENY` if access is denied.

enum prod_limit

typedef enum {
	PROD_LIMIT_CONNECTIONS,
	PROD_LIMIT_METRIC_IDS,
	PROD_LIMIT_QUEUED_MESSAGES
} prod_limit;

Describes the resources that can be restricted.

`PROD_LIMIT_CONNECTIONS`	number of connections a user might have.
`PROD_LIMIT_METRIC_IDS`	number of metric IDs a user might create.
`PROD_LIMIT_QUEUED_MESSAGES`	number of messages that might be queued on a connection.

PROD_LIMIT_MAX

#define PROD_LIMIT_MAX		PROD_LIMIT_QUEUED_MESSAGES

The largest defined prod_limit constant.

prod_limit_entry

typedef struct {
	int			value;
	prod_acl_subject	*subject;
	unsigned int		id;
} prod_limit_entry;

Describes a resource limit entry.

int `value`;	the value of the limit.
prod_acl_subject *`subject`;	the subject to apply the value on.
unsigned int `id`;	internal ID used for debugging.

prod_limit_entry_add ()

int         prod_limit_entry_add            (const char *name,
                                             int value,
                                             prod_acl_subject *subject);

Allocates a new prod_limit_entry.

`name` :	the name of the limit.
`value` :	the value of the limit.
`subject` :	limit subject.
Returns :	0 if successful or an error code.

prod_limit_check_conn ()

int         prod_limit_check_conn           (prod_conn *conn,
                                             prod_limit code,
                                             int def_value);

Checks the active limits for a per-connection resource. If there are multiple matching limit descriptors, the last one will win.

`conn` :	a prod_conn to check the limit against.
`code` :	a prod_limit resource code.
`def_value` :	the default value to use if there are no matching limit descriptors.
Returns :	the limit for the resource.

prod_limit_check_user ()

int         prod_limit_check_user           (prod_user *user,
                                             prod_limit code,
                                             int def_value);

Checks the active limits for a per-user resource. If there are multiple matching limit descriptors, the last one will win.

`user` :	a prod_user to check the limit against.
`code` :	a prod_limit resource code.
`def_value` :	the default value to use if there are no matching limit descriptors.
Returns :	the limit for the resource.