blob: 4e19d45d02208e37a9879f1378a686e96c4edffc (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
|
Agent of cynagora
=================
Cynagora provide a mechanism called agent that allows to add logic of
autorization to cynagora. It can be used for example to query a user
to autorize or not a permission ponctually.
Cynagora server implements a predefined agent named the `at` agent that
implements a simple redirection of a query.
General principle
-----------------
Rules of the database have a RESULT. That result is either `yes`, `no` or
an agent query. An agent query is of the form:
NAME:VALUE
where NAME is the name of the agent, VALUE is a value attached to the rule
and passed to the agent when querying it.
The colon between the NAME and the VALUE is mandatory.
The agent is queried to give a result with the following values:
VALUE CLIENT SESSION USER PERMISSION
Example of the agent AT
-----------------------
The file `cynagora.initial` that provides a default initialisation file
has the following lines:
* * @ADMIN * yes forever
* * 0 * @:%c:%s:@ADMIN:%p forever
The first line defines a special user `@ADMIN` that always has the permission.
The special user can be seen as a group: the admin group. Remember that strings
of the database are conventionnal, that is that the meaning of the USER part
is conventionnal. A common convention is to use the decimal representation of
the UID of the unix account to check. That convention is used on the second
line. That second line defines that the user root (UID 0) is in the group
admin. To achieve that it uses the agent-AT mecanism.
So if no other rule was selected for the user `0` then cynagora find at least
the rule that requires to query the predefined agent `@` (AT) with the value
`%c:%s:@ADMIN:%p`.
The agent is asked with the following values:
- `%c:%s:@ADMIN:%p` the value
- `CLIENT`, `SESSION`, `USER` and `PERMISSION`, the values of original request
The AT-agent use the value `%c:%s:@ADMIN:%p` to compose a check query.
it interpret the value as a colon separated rule query of cynagora, in the
order: client, session, user, permission. Then it replaces any occurency of:
- `%c` with value of `CLIENT` of original request
- `%s` with value of `SESSION` of original request
- `%u` with value of `USER` of original request
- `%p` with value of `PERMISSION` of original request
- `%%` with `%`
- `%:` with `:`
So for the given value, the result at the end is the result of querying
cynagora for the result of:
- client: %c that is substituted by CLIENT
- session: %s that is substituted by SESSION
- user: @ADMIN
- permission: %p that is substituted by PERMISSION
The query to cynagora with CLIENT SESSION @ADMIN PERMMISSION must be done using
sub-query of agents.
|