- PlugAuth::Plugin::FlatAuthz->can_user_action_resource( $user, $action, $resource )
- PlugAuth::Plugin::FlatAuthz->match_resources( $regex )
- PlugAuth::Plugin::FlatAuthz->host_has_tag( $host, $tag )
- PlugAuth::Plugin::FlatAuthz->groups_for_user( $user )
- PlugAuth::Plugin::FlatAuthz->users_in_group( $group )
- PlugAuth::Plugin::FlatAuthz->create_group( $group, $users )
- PlugAuth::Plugin::FlatAuthz->delete_group( $group )
- PlugAuth::Plugin::FlatAuthz->update_group( $group, $users )
- PlugAuth::Plugin::FlatAuthz->grant( $group, $action, $resource )
- PlugAuth::Plugin::FlatAuthz->revoke( $group, $action, $resource )
- SEE ALSO
- COPYRIGHT AND LICENSE
PlugAuth::Plugin::FlatAuthz - Authorization using flat files for PlugAuth
In your /etc/PlugAuth.conf
--- url: http://localhost:1234 group_file: /etc/plugauth/group.txt resource_file: /etc/plugauth/resource.txt host_file: /etc/plugauth/host.txt
touch the storage files:
% touch /etc/plugauth/group.txt \ /etc/plugauth/resource.txt \ /etc/plugauth/host.txt
% plugauth start
This plugin provides storage for groups, hosts and access control for PlugAuth. In addition it provides a mechanism for PlugAuth to alter the group, host and access control databases.
The group file looks similar to a standard UNIX /etc/group file. Entries can be changed using either your favorite editor, or by using PlugAuth::Client. In this example there is a group both to which both bob and alice belong:
both: alice, bob
Group members can be specified using a glob (see Text::Glob) which match against the set of all users:
Each user automatically gets his own group, so if there are users named bob and alice, this is unnecessary:
alice: alice bob: bob
Each line of resource.txt has a resource, an action (in parentheses), and then a list of users or groups. The line grants permission for those groups to perform that action on that resource :
/house/door (enter) : alice, bob /house/backdoor (enter) : both /house/window (break) : alice /house (GET) : bob
The host file /etc/pluginauth/host.txt looks like this :
The IP addresses on the right represent hosts from which authorization should succeed.
Refresh the data (checks the files, and re-reads if necessary).
If $user can perform $action on $resource, return a string containing the group and resource that permits this. Otherwise, return false.
Given a regex, return all resources that match that regex.
Returns true if the given host has the given tag.
Returns a list of actions.
Returns the groups the given user belongs to as a list ref. Returns undef if the user does not exist.
Returns a list of all groups.
Return the list of users (as an array ref) that belong to the given group. Each user belongs to a special group that is the same as their user name and just contains themselves, and this will be included in the list.
Returns undef if the group does not exist.
Create a new group with the given users. $users is a comma separated list of user names.
Delete the given group.
Update the given group, setting the set of users that belong to that group. The existing group membership will be replaced with the new one. $users is a comma separated list of user names.
Grant the given group or user ($group) the authorization to perform the given action ($action) on the given resource ($resource).
Revoke the given group or user ($group) the authorization to perform the given action ($action) on the given resource ($resource).
Returns a list of granted permissions
Graham Ollis <firstname.lastname@example.org>
This software is copyright (c) 2012 by NASA GSFC.
This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself.