On 22/2/22 4:59 am, Erik Janssen wrote:
Well, the routine I wrote can handle a user, password or passphrase and 
optionally an APPL to verify against.
So, even though there are a lot of options to do it differently, I was more 
looking for ways how such a 'service routine' that needs apf authorization 
could be used from a non-authorized caller.
The __passwd routine can do it, but it requires program controlled environment 
and python doesn't seem to be defined as program controlled and I don't want to 
'just' enable it.

Program Control can be a PITA, but APF authorizing a service is a bag of worms.

Also, the relation between APF authorisation and program control (if any) still 
eludes me, and if there is no relation then I don't understand how __passwd can 
check a password if the environment is not apf authorized.
I hope that someone can explain how that works.

AFAIK, there is no relationship. I'm very leery when I see a z/OS UNIX program APF authorized.

Zowe has a couple of components you may be interested in. All APF authorized services are processed in the ZIS server, otherwise known as the cross-memory server. It's a Metal/C application that is open source and available on GitHub. It provides services via PC calls which are exploited by the ZSS server which is a lightweight HTTP server written in C. Both have tiny footprints and you can write your own plugins. SAF authentication/authorization are already provided.

Disclaimer: I'm a Zowe committer and I mainly work on these components. Although only for code reviews, we have devs working full time on Zowe.

https://docs.zowe.org/stable/getting-started/zowe-architecture/
https://github.com/zowe/zss

BTW, building this stuff can be tricky. You can reach out on the OpenMainframe slack channel and one of our helpful devs can assist you. Or just ping me offline.



Kind regards,
Erik.

On Mon, 21 Feb 2022 15:10:48 +0000, Colin Paice <[email protected]> wrote:

Erik,

Do you need to specify a password?

Could you define a RACF profile instead, and use RACF check to see if the
userid has access to that profile?
I don't think there is a Callable function for it, but you could write some
glue code to call an assembler routine to do a RACROUTE call.

You could use an existing class, such as APP.
I don't think it needs to be APF authorised... but you would need to check
this.

Colin

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
