Access Control List
An Access Control List (ACL) is a list of permissions that are attached to an object. The list defines who can access the object (an agent) and what actions the agent can perform on the object.
Overview
An ACL has three parts:
- A VOV object
- An agent, which is a VOV security role name or an individual user name
- A capability, which is a controlled activity
For any user to be authorized to perform a controlled capability or action on a VOV object, an ACL must exist that contains that user or role, the controlled action, and the VOV object.
Objects
- FairShare groups
- Resource maps
- Nodes (transitions, that is, jobs, and places, that is, files)
- Node sets
- Reservations
Agents
Permission to perform a controlled action depends on the user ID and on the VOV role associated with that user. The SWD/security.tcl file defines the association of users with roles. Roles serve two purposes:
- Control queue/instance/project operations (via the VOV protocol)
- Establish high-level permissions on VOV objects
The roles are:
- ADMIN: Can do just about anything. By default, the "owner" of the queue/instance/project is the only admin.
- LEADER: Can do many things, but not everything an ADMIN can.
- USER: Can create and manage their own objects.
- READONLY: Can view most things, but not create.
- ANYBODY: Very limited; mainly used for testing.
- NOBODY: Can do nothing; mainly used for testing.
- UNKNOWN: The last resort, for anyone who does not fall into any of the above roles; can do nothing.
An ACL is expressed in terms of operations that are permitted to an agent acting on the object. An agent may be a USER (login account), an OS group (OSGROUP), a FairShare group (FSGROUP), a machine (HOST) or one of the symbolic agents EVERYBODY, OWNER, ADMIN. The most powerful agent is the SERVER.
- USER name: The named OS-authorized user
- OWNER (role): The queue/instance/project owner
- USER (role): The user that owns the VOV object
- OSGROUP name: Members of the specified OS group
- FSGROUP name: Members of the specified FairShare group
- HOST: Anyone with a client connected from a specific host
- EVERYBODY (role): Everybody
- ADMIN (role): Anyone with the ADMIN role
- SERVER: The vovserver process, specifically
- LEADER (role): Anyone with the LEADER role
- USERGROUP name: Members of the specified VOV user group
- UNDEF: The last resort, for anyone who does not fall into any of the above agent types
For the agents that are groups, membership in the group confers the operations permitted by that ACL. For example, if the login joe is a member of the OS group dvregr, and OSGROUP dvregr has APPEND on an fsgroup, then joe may add ACLs to that fsgroup.
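The following Python model is an added illustration of the authorization rule described on this page (an ACL entry on the object must name an agent the requester matches together with the controlled action, with SERVER bypassing the ACL entirely) and of how group membership carries a group ACL entry over to an individual login, as in the joe/dvregr example above. It is not Altair's vovserver or vovacl code. The class and function names, the default ACL used by RESET, the mapping of the APPEND/DELETE/RESET commands to the DELEGATE action and of GET to VIEW, and the sample users, groups, hosts and fsgroup name are all assumptions made for this example; role-level permissions that the page attributes to ADMIN and LEADER outside of ACL entries are not modelled.

```python
"""Toy model of VOV-style ACL evaluation (added example, not Altair's code).

Hypothetical throughout: names, default ACL, and the command-to-action mapping.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AclEntry:
    agent_type: str  # USER, OSGROUP, FSGROUP, HOST, USERGROUP, or a symbolic agent
    agent_name: str  # empty for the symbolic agents OWNER, ADMIN, LEADER, EVERYBODY
    action: str      # an ACL action from the page: VIEW, EDIT, DELEGATE, CHOWN, ...


def default_acl():
    """Hypothetical RESET defaults: the owner may view, edit, delegate and forget
    the object; everybody may know that it exists."""
    return [AclEntry("OWNER", "", a) for a in ("VIEW", "EDIT", "DELEGATE", "FORGET")] + [
        AclEntry("EVERYBODY", "", "EXIST")]


@dataclass
class VovObject:
    name: str
    owner: str  # login that owns the object (the "USER (role)" agent)
    acl: list = field(default_factory=default_acl)


@dataclass(frozen=True)
class Requester:
    user: str
    host: str
    role: str  # ADMIN, LEADER, USER, READONLY, ANYBODY, NOBODY, UNKNOWN
    os_groups: frozenset = frozenset()
    fs_groups: frozenset = frozenset()
    user_groups: frozenset = frozenset()
    is_server: bool = False  # vovserver account on its own host with VOV_HOST_NAME=localhost


class Denied(PermissionError):
    pass


def agents_for(req, obj):
    """Every (agent_type, agent_name) pair the requester matches for this object.
    Group membership is what makes a group entry apply to an individual login."""
    agents = {("USER", req.user), ("HOST", req.host), ("EVERYBODY", "")}
    agents |= {("OSGROUP", g) for g in req.os_groups}
    agents |= {("FSGROUP", g) for g in req.fs_groups}
    agents |= {("USERGROUP", g) for g in req.user_groups}
    if req.user == obj.owner:
        agents.add(("OWNER", ""))
    if req.role in ("ADMIN", "LEADER"):
        agents.add((req.role, ""))
    return agents


def authorized(req, obj, action):
    """SERVER bypasses the ACL; everyone else needs an entry matching agent and action."""
    if req.is_server:
        return True
    matched = agents_for(req, obj)
    return any(e.action == action and (e.agent_type, e.agent_name) in matched for e in obj.acl)


def require(req, obj, action):
    if not authorized(req, obj, action):
        raise Denied(f"{req.user} lacks {action} on {obj.name}")


# The four vovacl commands, gated by ACL actions (the mapping is an assumption):
# GET needs VIEW; APPEND, DELETE and RESET change the ACL, i.e. DELEGATE.
def acl_get(req, obj):
    require(req, obj, "VIEW")
    return list(obj.acl)


def acl_append(req, obj, entry):
    require(req, obj, "DELEGATE")
    if entry not in obj.acl:
        obj.acl.append(entry)


def acl_delete(req, obj, agent_type, agent_name):
    """Remove the element identified by agent type and name (all its actions)."""
    require(req, obj, "DELEGATE")
    obj.acl = [e for e in obj.acl if (e.agent_type, e.agent_name) != (agent_type, agent_name)]


def acl_reset(req, obj):
    require(req, obj, "DELEGATE")
    obj.acl = default_acl()


def group_membership_example():
    """The page's scenario with constructed data: joe is in OS group dvregr, the
    group may assign ACLs on an fsgroup, so joe may add ACLs; mary may not."""
    fsgroup = VovObject("/time/users", owner="alice")  # hypothetical fsgroup
    alice = Requester("alice", "wsA", "USER")
    joe = Requester("joe", "wsB", "USER", os_groups=frozenset({"dvregr"}))
    mary = Requester("mary", "wsC", "USER")
    vovserver = Requester("vov", "localhost", "NOBODY", is_server=True)
    out = {}
    acl_append(alice, fsgroup, AclEntry("OSGROUP", "dvregr", "DELEGATE"))  # owner delegates
    out["joe_can_delegate"] = authorized(joe, fsgroup, "DELEGATE")
    out["mary_can_delegate"] = authorized(mary, fsgroup, "DELEGATE")
    acl_append(joe, fsgroup, AclEntry("USER", "mary", "VIEW"))  # joe adds an ACL via the group
    out["mary_can_view"] = authorized(mary, fsgroup, "VIEW")
    try:
        acl_append(mary, fsgroup, AclEntry("USER", "mary", "DELEGATE"))  # self-grant must fail
        out["mary_escalated"] = True
    except Denied:
        out["mary_escalated"] = False
    out["server_can_chown"] = authorized(vovserver, fsgroup, "CHOWN")  # no entry needed
    acl_reset(alice, fsgroup)
    out["joe_after_reset"] = authorized(joe, fsgroup, "DELEGATE")
    return out


if __name__ == "__main__":
    for key, value in group_membership_example().items():
        print(f"{key}: {value}")
```

The point to take from the scenario is the last two results: the SERVER agent is allowed CHOWN with no ACL entry at all, which is why the "bypass" procedure at the end of this page is equivalent to holding every permission, and a RESET silently revokes the delegated group entry, so anyone who RESETs must re-append whatever delegations the object needs.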
To bypass the ACL, you must be logged in on the host running vovserver as the user that is running vovserver, and you must change VOV_HOST_NAME to "localhost".
ACL Management
The following utilities are available for ACL management:
Utility | Description |
---|---|
vovacl | Script to manage ACLs in VOV. |
Usage:
% vovacl [OPTIONS] <Objects>
ACL Commands
ACL management consists of the following commands:
Command | Description |
---|---|
APPEND | Add ACLs to an object. |
DELETE | Delete an ACL element from an object. The element is identified by the agent and name fields. |
GET | Get the current ACLs on an object. It shows you the current ACLs that are associated with an object, if the ACL permits you to VIEW it. |
RESET | Reset the ACLs on an object to the defaults. It removes all of the object's current ACLs and replaces them with the default values. |
ACL Actions
Following are the actions that can be controlled via ACLs:
Action | Description |
---|---|
ATTACH | Create a relationship between objects |
CHOWN | Change ownership of an object |
CREATE | Create an object |
DELEGATE | Assign ACLs on an object |
DETACH | Destroy a relationship between objects |
EDIT | Modify properties of an object |
EXIST | The agent is aware of the existence of the object |
FORGET | Forget an object |
RESUME | Resume a suspended job |
SIGNAL | Send a signal to a job |
STOP | Stop an object |
SUSPEND | Suspend an object |
VIEW | View properties of an object |
Obtain SERVER Credentials
- Log in on the vovserver host as the user that is running vovserver.
- Enable the project with vovproject enable PROJECTNAME.
- Change VOV_HOST_NAME to localhost:
% setenv VOV_HOST_NAME localhost
- Your clients now act as the SERVER agent with respect to the ACL.