Johnny Gonzalez wrote:

      <permission>
        <module>(0|1|128)</module>
        <role>.*</role>
        <operation>crr view</operation>
        <owner>.*</owner>
      </permission>

The meaning is

module 0: ca can execute it
module 1: ra can execute it
module 128: bp can execute it
if there were a 32
1. that would mean that pub can execute it, is that
right?

Yes.

I have also found, for example, taking a look at the
file rbac/cmds/viewCSR.xml:
<openca>
    <command_config>
        <command>
            <name>viewCSR</name>
            <operation>csr view</operation>
            <owner_method>CSR_SERIAL</owner_method>
            <owner_argument>key</owner_argument>
        </command>
    </command_config>
</openca>

This is a configuration of a command.

First, operation - this is the operation from acl.xml.

Second, owner_method declares how the system can find the owner of the displayed request. CSR_SERIAL means that the access control can search the database for a request with the serial which is in the argument "key". If the request is found then the access control can get the role of the owner from this request. This role can be specified in the field "owner" of acl.xml.

The idea is that sometimes you don't want everybody to be able to perform an operation for everybody. The best example is the approval of a request for a new RA operator cert. Usually this operation is reserved for CA operators. The solution is to allow "csr approval" for RA operators only if the owner is a user or a normal server.

I found some other options for this tag like: CGI,

This means that the role for the owner field is loaded directly from the CGI parameters. This makes sense if you don't want normal users to be able to request CA operator certs via the public interface.

5. If I want, for example, that users could execute
view CSR from the pub interface, what should I
change?, just a change from CSR_SERIAL to CGI is
enough?

1. allow viewCSR on this module (module must include 32 in your case)
2. role must be set to .* (because everybody can do it)
3. owner must be set to .* (because you want to show all requests)

The command configuration should never be touched. I hope the explanation is good enough because I know a little bit too many details.

Michael
--
_______________________________________________________________

Michael Bell                    Humboldt-Universitaet zu Berlin

Tel.: +49 (0)30-2093 2482       ZE Computer- und Medienservice
Fax:  +49 (0)30-2093 2704       Unter den Linden 6
[EMAIL PROTECTED]   D-10099 Berlin
_______________________________________________________________
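The following is an added illustration, not OpenCA's own code and not part of this thread: a small Python model of the evaluation described above, where a command's owner_method (CSR_SERIAL or CGI) resolves the owner's role and a matching acl.xml permission must then fit the module, the caller's role, the operation and the owner role. The acl.xml wrapper element, the combined command list, the approveCSR and newCSR commands, the "csr create" operation and the request table are all constructed assumptions for the demonstration; only viewCSR, "csr view", "csr approval" and the permission/command structure come from the thread.

```python
"""Model of OpenCA-style ACL evaluation (illustrative, not OpenCA's code)."""
import re
import xml.etree.ElementTree as ET

# Constructed acl.xml. The <acl> wrapper is an assumption; the <permission>
# structure follows the fragment quoted in the thread. The third entry is
# Michael's example: RA operators may approve only user/server requests.
ACL_XML = """<acl>
  <permission><module>(0|1|128|32)</module><role>.*</role>
    <operation>csr view</operation><owner>.*</owner></permission>
  <permission><module>(0|128)</module><role>CA Operator</role>
    <operation>csr approval</operation><owner>.*</owner></permission>
  <permission><module>(1|128)</module><role>RA Operator</role>
    <operation>csr approval</operation><owner>(User|Server)</owner></permission>
  <permission><module>32</module><role>.*</role>
    <operation>csr create</operation><owner>(User|Server)</owner></permission>
</acl>"""

# Constructed command configs in one document (OpenCA keeps one file per
# command). approveCSR, newCSR and "csr create" are assumed names.
COMMANDS_XML = """<openca><command_config>
  <command><name>viewCSR</name><operation>csr view</operation>
    <owner_method>CSR_SERIAL</owner_method><owner_argument>key</owner_argument></command>
  <command><name>approveCSR</name><operation>csr approval</operation>
    <owner_method>CSR_SERIAL</owner_method><owner_argument>key</owner_argument></command>
  <command><name>newCSR</name><operation>csr create</operation>
    <owner_method>CGI</owner_method><owner_argument>role</owner_argument></command>
</command_config></openca>"""

# Constructed request table: CSR serial -> role of the requester.
CSR_DB = {"42": "User", "43": "RA Operator"}

FIELDS = ("module", "role", "operation", "owner")


def load_permissions(xml_text):
    """Return the <permission> entries of acl.xml as a list of dicts."""
    root = ET.fromstring(xml_text)
    return [{f: p.find(f).text for f in FIELDS} for p in root.iter("permission")]


def load_commands(xml_text):
    """Return command configs keyed by command name."""
    root = ET.fromstring(xml_text)
    return {
        c.find("name").text: {
            "operation": c.find("operation").text,
            "owner_method": c.find("owner_method").text,
            "owner_argument": c.find("owner_argument").text,
        }
        for c in root.iter("command")
    }


PERMS = load_permissions(ACL_XML)
COMMANDS = load_commands(COMMANDS_XML)


def resolve_owner_role(command, params, csr_db):
    """Find the owner role the way owner_method says; None means unresolved."""
    arg = command["owner_argument"]
    if command["owner_method"] == "CSR_SERIAL":
        # Look the request up by serial; an unknown serial resolves to None.
        return csr_db.get(params.get(arg))
    if command["owner_method"] == "CGI":
        # Role taken straight from the request parameters.
        return params.get(arg)
    return None


def is_allowed(perms, module, role, operation, owner_role):
    """True if any permission matches; an unresolved owner is denied (fail closed)."""
    if owner_role is None:
        return False
    for p in perms:
        if (p["operation"] == operation
                and re.fullmatch(p["module"], str(module))
                and re.fullmatch(p["role"], role)
                and re.fullmatch(p["owner"], owner_role)):
            return True
    return False


def check(command_name, module, caller_role, params,
          perms=PERMS, commands=COMMANDS, csr_db=CSR_DB):
    """Full decision for one command invocation."""
    cmd = commands[command_name]
    owner_role = resolve_owner_role(cmd, params, csr_db)
    return is_allowed(perms, module, caller_role, cmd["operation"], owner_role)


if __name__ == "__main__":
    # Module 32 (pub) can view request 42 once 32 is in the module regex.
    print(check("viewCSR", 32, "User", {"key": "42"}))
    # RA operator may approve a user's request but not another RA operator's.
    print(check("approveCSR", 1, "RA Operator", {"key": "42"}))
    print(check("approveCSR", 1, "RA Operator", {"key": "43"}))
```

The owner check is what separates "who may run the command" from "on whose request": the same RA operator role passes or fails "csr approval" depending only on the role stored with the request, and a serial that is not in the table resolves to no owner and is denied rather than treated as a wildcard.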
