Access Control List

An Access Control List (ACL) is a list of permissions that are attached to an object. The list defines who can access the object (an agent) and what actions the agent can perform on the object.

Overview

The VOV software implements compartmentalized access control with Access Control Lists (ACLs). Each ACL is a triplet:
  • A VOV object
  • An agent, which is a VOV security role name or an individual user name
  • A capability, which is a controlled activity

For any user to be authorized to perform a controlled capability or action on a VOV object, an ACL must exist that contains that user or role, the controlled action, and the VOV object.

Objects

Every ACL is associated with a VOV object. Types of objects currently include:
  • FairShare groups
  • Resource maps
  • Nodes (transitions, a.k.a. jobs; places, a.k.a. files)
  • Node sets
  • Reservations

Agents

Permission to perform a controlled action depends on the user ID, and the VOV role associated with that user. The SWD/security.tcl file defines the association of Users with Roles.

VOV's roles serve two purposes:
  1. Control queue/instance/project operations (via the VOV protocol)
  2. Establish high-level permissions on VOV objects

VOV has these named roles:
ADMIN
Can do just about anything. By default, the "owner" of the queue/instance/project is the only admin.
LEADER
Can do lots of things, but not everything an ADMIN can.
USER
Can create and manage their own objects.
READONLY
Can view most things, but not create.
ANYBODY
Very limited, mainly used for testing.
NOBODY
Nothing, mainly used for testing.
UNKNOWN
The last resort, for anyone who somehow doesn't fall into any of the above roles; this role can also do nothing.

An ACL is expressed in terms of operations that are permitted to an agent acting on the object. An agent may be a USER (login account), an OS group (OSGROUP), a FairShare group (FSGROUP), a machine (HOST) or one of the symbolic agents EVERYBODY, OWNER, ADMIN. The most powerful agent is the SERVER.

ACLs support the following "agents", which provide the identities of the persons involved:
USER name
OS authorized user
OWNER - role
The queue/instance/project owner
USER - role
The user that owns the VOV object
OSGROUP name
Members of the specified OS group
FSGROUP name
Members of the specified FairShare group
HOST
Anyone with a client connected from a specific host
EVERYBODY - role
Everybody
ADMIN - role
Anyone with the ADMIN role
SERVER
The vovserver process, specifically
LEADER
Anyone with the LEADER role
USERGROUP name
Members of the specified VOV user group
UNDEF
The last resort, in case there is someone who doesn't fall into any of the above agent types.

For the agents that are groups, membership in the group confers the operations permitted by that ACL. For example, if the login joe is a member of the OS group dvregr, and OSGROUP dvregr has APPEND on a fsgroup, then joe may add ACLs to that fsgroup.

To bypass the ACL, you must be logged in on the host running vovserver as the user that is running vovserver, and you must change VOV_HOST_NAME to "localhost".

ACL Management

To perform ACL management, use a utility with the following syntax:
% vovacl [OPTIONS]  <Objects>

The following utilities are available for ACL management:

Utility   Description
vovacl    Script to manage ACLs in VOV.

ACL Commands

ACL management consists of the following commands:

Command   Description
APPEND    Add ACLs to an object.
DELETE    Delete an ACL element from an object. The element is identified by the agent and name fields.
GET       Get the current ACLs on an object. It shows the ACLs associated with the object, provided the ACL permits you to VIEW it.
RESET     Reset the ACLs on an object to the defaults. It removes all of the object's current ACLs and replaces them with the default values.

Sample ACL listing for an object:
ACL  1: OWNER      ""   ATTACH DETACH EDIT VIEW FORGET DELEGATE EXISTS
ACL  2: EVERYBODY  ""   ATTACH VIEW
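The authorization rule stated earlier (an action is allowed only when an ACL pairs an agent matching the user with that action, and group agents confer by membership, as in the joe/dvregr example) and the listing format printed by GET, worked through as an added Python example that is not part of VOV itself. The user records, the OSGROUP dvregr grant of DELEGATE, the object owner and the host value are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# One line as printed by GET:  ACL n: AGENT "name" ACTION ACTION ...
ACL_LINE = re.compile(r'ACL\s+\d+:\s+(\S+)\s+"([^"]*)"\s*(.*)')

@dataclass
class User:
    login: str
    role: str                                    # VOV role, e.g. ADMIN, LEADER, USER
    os_groups: set = field(default_factory=set)  # OS group memberships
    fs_groups: set = field(default_factory=set)  # FairShare group memberships
    host: str = "workstation"                    # host the client connects from (assumed)

def parse_acls(listing):
    """Turn a GET-style listing into (agent, name, actions) triples; other lines are skipped."""
    entries = []
    for line in listing.splitlines():
        m = ACL_LINE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2), frozenset(m.group(3).split())))
    return entries

def agent_matches(agent, name, user, obj_owner):
    """Does this ACL agent denote the user? Group and role agents confer by membership."""
    checks = {
        "USER": name == user.login,
        "OWNER": user.login == obj_owner,
        "OSGROUP": name in user.os_groups,
        "FSGROUP": name in user.fs_groups,
        "HOST": name == user.host,
        "EVERYBODY": True,
        "ADMIN": user.role == "ADMIN",
        "LEADER": user.role == "LEADER",
    }
    return checks.get(agent, False)  # UNDEF or an unrecognised agent type grants nothing

def permitted(acls, user, obj_owner, action):
    """Authorize only if some ACL pairs an agent matching the user with the requested action."""
    return any(action in actions and agent_matches(agent, name, user, obj_owner)
               for agent, name, actions in acls)

# Constructed sample: the two default ACLs from the page plus an OSGROUP grant (assumed)
SAMPLE_LISTING = """\
ACL  1: OWNER      ""         ATTACH DETACH EDIT VIEW FORGET DELEGATE EXISTS
ACL  2: EVERYBODY  ""         ATTACH VIEW
ACL  3: OSGROUP    "dvregr"   DELEGATE
"""
JOE = User("joe", "USER", os_groups={"dvregr"})   # constructed: joe is in OS group dvregr
ALICE = User("alice", "USER")                     # constructed: alice owns the sample object
```

With this model, `permitted(parse_acls(SAMPLE_LISTING), JOE, "alice", "DELEGATE")` is true only because joe's OS group membership matches the OSGROUP entry; an action no ACL names (CHOWN here) is refused even to the owner.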

ACL Actions

Following are the actions that can be controlled via ACLs:

Action    Description
ATTACH    Create a relationship between objects
CHOWN     Change ownership of an object
CREATE    Create an object
DELEGATE  Assign ACLs on an object
DETACH    Destroy a relationship between objects
EDIT      Modify properties of an object
EXIST     The agent is aware of the existence of the object
FORGET    Forget an object
RESUME    Resume a suspended job
SIGNAL    Send a signal to a job
STOP      Stop an object
SUSPEND   Suspend an object
VIEW      View properties of an object
Note: Not all actions apply to all objects. In the case of FairShare groups, applicable actions include: ATTACH, EDIT, VIEW, DELEGATE. The actions RETRACE, STOP, SUSPEND, FORGET are reserved for use with jobs in future releases.

Obtain SERVER Credentials

For some ACL operations, you will need the most powerful credentials, i.e. SERVER, which are only available to the owner of the vovserver process when connected on the loopback interface.
  1. Log in on the vovserver host as the user that is running vovserver.
  2. Enable the project with vovproject enable PROJECTNAME.
  3. Set VOV_HOST_NAME to localhost:
     % setenv VOV_HOST_NAME localhost
  4. Your clients now act as the SERVER agent with respect to the ACL.