NAME
Arc::Server - Class for the standalone server for ARCv2
DESCRIPTION
ARC allows non-privileged users to run privileged commands on the server. The server decides through an ACL whether the user is allowed to run the command.
This file is a part of the Perl ARCv2 module suite. ARCv2 is a rewrite of ARC by R.Toebbicke, CERN, Switzerland in Perl.
ABSTRACT
From ARC by R. Toebbicke, modified by me: User requests are shipped from a client machine to a server using a SASL-authenticated socket connection. The purpose is to convey requests such as privileged commands (e.g. AFS, Crontab) to be executed on the server under appropriate privileges. Given that all privileges are confined to the server and the server can be programmed to filter and check the command to be executed, the client machine can be less trusted than the server.
Because ARC-v1-Commands are written in Perl anyway, implementing the client/server in Perl makes sense. Platform-independence and "easy-to-read" source code are welcome too. This package provides two Perl command line scripts (arcx, arcxd). arcx is used for working with the ARC server from the command line, and arcxd starts the server.
SYNOPSIS
Arc::Server - Class for the standalone server for ARCv2
    use Arc::Server;

    # getsecret and checkpass are SASL callback subs defined by the caller
    my $arc = new Arc::Server(
        port => [4242],
        loglevel => 7,
        logdestination => "stderr",
        daemonize => 0,
        connection_type => "Arc::Connection::Server",
        connection_vars => {
            loglevel => 7,
            logdestination => 'syslog',
            timeout => 30,
            sasl_mechanisms => ["GSSAPI","KERBEROS_V4","PLAIN"],
            # pass the callbacks as code references, not as calls
            sasl_cb_getsecret => \&getsecret,
            sasl_cb_checkpass => \&checkpass,
            # command name => class implementing it
            commands => {
                'whoami' => 'Arc::Command::Whoami',
                'uptime' => 'Arc::Command::Uptime',
            },
            service => "arc",
        }
    );

    if (my $m = $arc->IsError()) {
        die $m;
    }
Class VARIABLES
PUBLIC MEMBERS
- connection_type
Description: Class to use for connections
Default value: 'Arc::Connection::Server'
- connection_vars
Description: variables passed directly to every connection handle. See Arc::Connection::Server
Default value: undef
- logfileprefix
Description: Logfileprefix
Default value: "mainserver"
- server
Description: attributes for Net::Server::PreFork
Default value: undef
- logdestination inherited from Arc
Description: Where should all the log output go to ('stderr','syslog')
Default value: 'syslog'
- logfileprefix inherited from Arc
Description: Prepended to every log entry
Default value: ""
- loglevel inherited from Arc
Description: loglevel is a combination of bits (1=AUTH,2=USER,4=ERR,8=CMDDEBUG,16=VERBSIDE,32=DEBUG); see the _Log method
Default value: 7
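How the loglevel bit mask selects messages, as an added example that is not part of the ARCv2 distribution. The constants are local stand-ins mirroring the bit values listed above, and the rule that a message is written when any of its facility bits is enabled is an assumption based on the description of the Log method.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Local stand-ins for the documented bit values; the Arc class exports its own
# LOG_* constants, these copies only keep the example self-contained.
my @BITS = (
    [ 1,  'AUTH'     ],
    [ 2,  'USER'     ],
    [ 4,  'ERR'      ],
    [ 8,  'CMDDEBUG' ],
    [ 16, 'VERBSIDE' ],
    [ 32, 'DEBUG'    ],
);

# Names of the facilities enabled by a loglevel value.
sub decode_loglevel {
    my ($level) = @_;
    return map { $_->[1] } grep { $level & $_->[0] } @BITS;
}

# Assumed rule: a message is written when at least one of its facility bits
# is also set in the configured loglevel.
sub would_log {
    my ($level, $facility) = @_;
    return ($level & $facility) ? 1 : 0;
}

# Facilities an operator normally wants for an audit trail of a server that
# runs privileged commands: authentication results (1) and errors (4).
sub missing_audit_bits {
    my ($level) = @_;
    return decode_loglevel(~$level & (1 | 4));
}

# Constructed sample: candidate loglevel settings and one message tagged AUTH|ERR.
for my $level (7, 2, 36, 63) {
    my @missing = missing_audit_bits($level);
    printf "loglevel %2d = %-40s AUTH|ERR message %s%s\n",
        $level,
        join('|', decode_loglevel($level)),
        would_log($level, 1 | 4) ? 'logged ' : 'dropped',
        @missing ? "  (audit gap: @missing)" : '';
}
```

With the default value 7 nothing is reported as missing; a setting such as 36 still writes the combined AUTH|ERR message because ERR is enabled, but a message tagged only with AUTH would not be written.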
PROTECTED MEMBERS
- _error inherited from Arc
Description: contains the error message
Default value: undef
- _syslog inherited from Arc
Description: log to syslog or to STDERR
Default value: 1
PRIVATE MEMBERS
- __arc
Description: stores the Arc::Connection::Server object for optimal PreFork
Default value: undef
Class METHODS
PUBLIC METHODS
- child_init_hook ( )
- post_accept ( )
- process_request ( )
- Start ( )
Description: start the server. This function is used by the user to start the server and enter the main accept-loop. This call can only be aborted by calling the Interrupt function.
Returns: true if everything worked fine, otherwise false is returned and IsError should be checked.
Example:
$arc->Start();
- write_to_log_hook ( )
- DESTROY ( ) inherited from Arc
Description: Destructor
- IsError ( ) inherited from Arc
Description: User function to get the error msg.
Returns: the error message if any otherwise undef
Example:
unless (my $err = $arc->IsError()) { .. } else { print STDERR $err; }
- Log ( $facility, ... (message) ) inherited from Arc
Description: Log function. Logs messages to 'logdestination' if 'loglevel' is set appropriately. The loglevel behaviour has changed in the 1.0 release of ARCv2: the "Arc" class can export LOG_AUTH (authentication information), LOG_USER (connection information), LOG_ERR (errors), LOG_CMD (ARCv2 addition internal command information), LOG_SIDE (verbose client/server-specific information), LOG_DEBUG (verbose debug information). It is possible to combine the levels with or (resp. +) to allow a message to appear when not all loglevels are requested by the user. Commonly used for logging errors from application level.
Returns: always false
Example:
return $arc->Log(LOG_ERR,"Message");
- new ( %hash, key => val, ... ) inherited from Arc
Description: Constructor. Initializes the object and returns it blessed. For all sub classes, please override _Init to check the parameters which are passed to the new function. This is necessary because you are not able to call the new method of a parent class when having a class name (new $class::SUPER::new, does not work.).
Returns: blessed object of the class
Example:
my $this = new Arc::Class ( key => value, key2 => value2 );
PROTECTED METHODS
- _Debug ( ... (message) ) inherited from Arc
Description: Debug function. Logs messages with "DEBUG"
Returns: always false
Example:
$this->_Debug("hello","world"); # message will be "hello world"
- _Init ( %hash, key => val, ... ) inherited from Arc
Description: Init function (initializes class context). Module dependent initialization, every subclass shall override it and call the _Init of its SUPER class. This method is called by the new method of Arc.
Returns: true, if all passed values are in their definition scope, otherwise false
Example:
see source code of any non-abstract sub class of Arc
- _SetError ( ... (message) ) inherited from Arc
Description: SetError function. This function prepends the error message (@_) to an existing error message (if any) and logs the message with LOG_ERR facility. Use this function for setting an error from class level. Users should use IsError to get the message if a function failed.
Returns: always false
Example:
return $this->_SetError("User is not allowed to do this."); # breaks when an error occurred
PRIVATE METHODS
SEE ALSO
Arc, Arc::Command, Arc::Connection, Arc::Connection::Server, Arc::Connection::Client, arcx, arcxd, Authen::SASL, Authen::SASL::Cyrus, Net::Server::PreFork
AUTHOR
Patrick Boettcher <patrick.boettcher@desy.de>
COPYRIGHT AND LICENSE
Copyright (c) 2003-5 Patrick Boettcher <patrick.boettcher@desy.de> and others. All rights reserved. Zeuthen, Germany, (old) Europe
This program is free software; you can redistribute it and/or
modify it under the same terms as Perl itself.
Special thanks go to:
DESY Zeuthen, in particular:
- Wolfgang Friebel for bleeding edge testing and heavy bug reporting (and the idea of reimplementing ARC).
- Waltraut Niepraschk and Andreas Haupt for their help and support during the development.