Access Control component
|
Functions | |
dyn_mapping | fwAccessControl_queryLdapCern (string baseDN, string filter, dyn_string &exceptionInfo, dyn_string attrs="", bool exceptionOnTooMuchResults=true) |
dyn_mapping | fwAccessControl_queryLdapCernRecursive (string egroup, dyn_string attrNames, dyn_string &exceptionInfo, bool exceptionOnTooMuchResults=true) |
private dyn_mapping | _fwAccessControl_recursiveLdapQuery (string egroup, dyn_string attrNames, dyn_string &searchedEgroups, dyn_string &exceptionInfo, mapping connInfo, bool exceptionOnTooMuchResults=true) |
dyn_mapping | fwAccessControl_queryLdapFor (string queryTarget, string egroup, dyn_string ldapAttrNames, dyn_string &exceptionInfo, mapping connInfo, bool exceptionOnTooMuchResults=true) |
void | fwAccessControl_setEgroupSyncForGroup (string groupName, string egroupName, dyn_string &exceptionInfo) synchronized(_fwAccessControl_mutex) |
void | fwAccessControl_getEgroupSyncForGroup (string groupName, string &egroupName, dyn_string &exceptionInfo) synchronized(_fwAccessControl_mutex) |
void | fwAccessControl_getEgroupDetails (string egroupName, string &egroupDescription, dyn_string &includedGroupNames, dyn_string &includedUserNames, mapping &otherInfo, dyn_string &exceptionInfo, bool recursive=false) |
dyn_mapping | fwAccessControl_getEgroupSubgroups (string egroupName, dyn_string &exceptionInfo, string attrNames="", string childType="", dyn_string otherFilters=makeDynString()) |
dyn_string | fwAccessControl_getEgroupList (dyn_string &exceptionInfo, string nameFilter="", dyn_string otherFilters=makeDynString()) |
string | fwAccessControl_egroupToDomainName (string egroupName) |
string | fwAccessControl_egroupToRoleName (string egroupName) |
string | fwAccessControl_domainNameToEgroup (string domainName, dyn_string &exceptionInfo) |
string | fwAccessControl_roleNameToEgroup (string roleName, dyn_string &exceptionInfo) |
void | fwAccessControl_egroupToAccessRight (string egroupName, string &accessRight, int &privNumber, dyn_string &exceptionInfo) |
string | fwAccessControl_accessRightToEgroup (string accessRight, dyn_string &exceptionInfo) |
void | fwAccessControl_egroupGetDomainPrivileges (string domainEgroup, dyn_string &privilegeNames, dyn_string &privilegeEgroups, dyn_string &exceptionInfo) |
void | fwAccessControl_getConfigurationFromEgroup (string configurationEgroup, dyn_string &domainEgroups, dyn_string &domainNames, dyn_string &roleEgroups, dyn_string &roleNames, dyn_string &exceptionInfo) |
void | fwAccessControl_getDomainFromEgroup (string domainEgroup, string &domainName, string &domainComment, dyn_string &privilegeEgroups, dyn_string &privilegeNames, dyn_string &exceptionInfo) |
void | fwAccessControl_getRoleFromEgroup (string roleEgroup, string &roleName, string &roleComment, dyn_string &accessRights, dyn_string &privilegeEgroups, dyn_string &memberEgroups, dyn_string &childRoleEgroups, dyn_string &exceptionInfo) |
Variables | |
const string | fwAccessControl_egroupsBaseDN ="OU=e-groups,OU=Workgroups,DC=cern,DC=ch" |
const string | fwAccessControl_EgroupLookup_Configurations = "CONFIGURATIONS" |
const string | fwAccessControl_Egroup_FullNamePrefix = "EGROUP:" |
const string | fwAccessControl_Egroup_topicConfiguration = "fwAccessControl configuration" |
dyn_mapping fwAccessControl_queryLdapCern | ( | string | baseDN, |
string | filter, | ||
dyn_string & | exceptionInfo, | ||
dyn_string | attrs = "" , |
||
bool | exceptionOnTooMuchResults = true |
||
) |
Query data from CERN LDAP Server
baseDN | (string) IN BaseDN for LDAP query |
filter | (string) IN Filter for LDAP query, in LDAP filter syntax. This function is not documented to escape anything, so any value that originates from user input must be escaped as per RFC 4515 (the characters '*', '(', ')', '\' and NUL) before it is embedded in the filter; otherwise the meaning of the filter can be altered by the input. |
exceptionInfo | (dyn_string) IN/OUT standard exception-handling variable |
attrs | (dyn_string) IN is optional with default value '""' a list of LDAP attributes to be queried. When empty (or default), all the attributes will be returned |
exceptionOnTooMuchResults | (bool) IN is optional with default value 'true'; specifies what happens if ldapSearch returns with error code 4 (Size limit exceeded). If set to true, a framework exception is placed in exceptionInfo, possibly a message is also written to the log, or a PVSS exception is thrown. If set to false, no framework/PVSS exception is thrown; instead exceptionInfo is set to ("INFO","Too many search results","4"), which allows the caller to detect this situation. In either case the result set delivered by the server is truncated at its size limit, so a caller that derives group memberships or access rights from the returned data must not treat such a partial list as authoritative. |
dyn_mapping fwAccessControl_queryLdapCernRecursive | ( | string | egroup, |
dyn_string | attrNames, | ||
dyn_string & | exceptionInfo, | ||
bool | exceptionOnTooMuchResults = true |
||
) |
Alternative recursive method to LDAP query
Recursive processing is implemented on the client side in CTRL, instead of on the server, for performance reasons. Each child entry (e.g. an egroup) is queried separately.
egroup | (string) IN the name of the object being queried |
attrNames | (dyn_string) IN |
exceptionInfo | (dyn_string) IN/OUT |
exceptionOnTooMuchResults | (bool) IN is optional with default value 'true' |
private dyn_mapping _fwAccessControl_recursiveLdapQuery | ( | string | egroup, |
dyn_string | attrNames, | ||
dyn_string & | searchedEgroups, | ||
dyn_string & | exceptionInfo, | ||
mapping | connInfo, | ||
bool | exceptionOnTooMuchResults = true |
||
) |
Recursively query users from an egroup (internal)
egroup | (string) IN the name of egroup being queried |
attrNames | (dyn_string) IN the list of LDAP attributes to query |
searchedEgroups | (dyn_string) IN/OUT can be used to exclude e-groups from the search by placing items in it when initially calling the function; on return it also holds the e-groups that have been visited. Presumably this is what prevents endless recursion on cyclic e-group memberships — verify against the implementation before relying on it. |
exceptionInfo | (dyn_string) IN/OUT standard exception-handling variable |
connInfo | (mapping) IN parameters for the LDAP connection; should contain the keys/values "hostName", "authMethod", "userName", "password". The mapping carries a credential: treat it as sensitive and do not log it or copy it into exceptionInfo. |
exceptionOnTooMuchResults | (bool) IN is optional with default value 'true' |
dyn_mapping fwAccessControl_queryLdapFor | ( | string | queryTarget, |
string | egroup, | ||
dyn_string | ldapAttrNames, | ||
dyn_string & | exceptionInfo, | ||
mapping | connInfo, | ||
bool | exceptionOnTooMuchResults = true |
||
) |
Execute a single query to an LDAP e-group to get either its members or other e-groups in it.
Not recursive, returns either a list of members or e-groups on the "top level"!
queryTarget | (string) IN what to query: "members" queries the members of the egroup; "egroups" queries the child egroups that are not themselves fwAccessControl Roles/Configurations/Privileges/Domains; any other string returns the information of the egroup itself |
egroup | (string) IN the name of the egroup |
ldapAttrNames | (dyn_string) IN the list of attributes to be queried |
exceptionInfo | (dyn_string) IN/OUT standard exception-handling variable |
connInfo | (mapping) IN parameters for LDAP connection |
exceptionOnTooMuchResults | (bool) IN is optional with default value 'true', specifies if exception should be raised if LDAP responses with information "too much results" |
void fwAccessControl_setEgroupSyncForGroup | ( | string | groupName, |
string | egroupName, | ||
dyn_string & | exceptionInfo | ||
) |
Modifies the configuration of the egroup-synchronization mapping. Note that this changes which LDAP e-group's members are synchronized into the local group, i.e. who effectively obtains that group's access rights; callers should make it available to administrative users only.
Please note that this function verifies that the egroup actually exists only when the LDAP extension is loaded; otherwise the egroup name is accepted without an existence check. To disable the synchronization for the group, use an empty string as egroupName.
groupName | (string) IN the name for which the mapping-to-egroup is modified |
egroupName | (string) IN the name of egroup to be synchronized into the groupName |
exceptionInfo | (dyn_string) IN/OUT standard exception-handling variable |
void fwAccessControl_getEgroupSyncForGroup | ( | string | groupName, |
string & | egroupName, | ||
dyn_string & | exceptionInfo | ||
) |
Retrieves the configuration of egroup-synchronization mapping
groupName | (string) IN the name of the group for which the mapping is retrieved |
egroupName | (string) OUT on return will contain the egroup name mapped to the group |
exceptionInfo | (dyn_string) OUT standard exception-handling variable |
void fwAccessControl_getEgroupDetails | ( | string | egroupName, |
string & | egroupDescription, | ||
dyn_string & | includedGroupNames, | ||
dyn_string & | includedUserNames, | ||
mapping & | otherInfo, | ||
dyn_string & | exceptionInfo, | ||
bool | recursive = false |
||
) |
Retrieve details about a egroup using a LDAP lookup.
egroupName | (string) IN the name of egroup to query |
egroupDescription | (string) OUT on return will contain the "Description" field of egroup |
includedGroupNames | (dyn_string) OUT on return will contain the list of included egroups (only direct children, no recursive query!) |
includedUserNames | (dyn_string) OUT on return will contain the list of users (only direct children, no recursive query) |
otherInfo | (mapping) OUT on return will contain all the other information about the egroup; keys are the LDAP attribute names |
exceptionInfo | (dyn_string) OUT standard exception-handling variable |
recursive | (bool) IN is optional with default value 'false' (NOT IMPLEMENTED YET) allows to query groups and members recursively |
dyn_mapping fwAccessControl_getEgroupSubgroups | ( | string | egroupName, |
dyn_string & | exceptionInfo, | ||
string | attrNames = "" , |
||
string | childType = "" , |
||
dyn_string | otherFilters = makeDynString() |
||
) |
Extracts the list of child egroups for specified egroup, allowing to specify the types of children, attributes and filters.
The function has two modes of operation: a lookup of egroups through a filter, or a lookup of the children of a specified egroup (also with filtering); the mode of operation is determined by the egroupName parameter.
otherFilters
parameter; otherFilters
parameter childType
parameter otherFilters
parameter with LDAP-specific syntax for filters; we also specify that we want additional attributes to be retrieved: the description and the date of last modification of the egroup: egroupName | : (INPUT)
|
exceptionInfo,: | standard exception-handling variable |
attrNames,: | comma-separated list of LDAP attributes to be queried; note that the values for the ["DN"] and ["cn"] will always be returned;the attributes specified here, if they exist for the returned objects, will then also be queried. Special cases:
|
childType,: | allows to select child egroups of specific type (also called "topic" in the egroups web interface or "adminDescription" attribute in LDAP); by default, empty, means no filtering. The following predefined constants may be used to retrieve egroups that are applicable to the fwAccessControl egroup-synchronization:
|
otherFilters | (by default empty): list of additional LDAP filters appended to the LDAP query; these should be in the form of a string "ATTRIB=VALUE", without brackets, and they will be used to form the filter. Because the tokens are concatenated into the filter string as given, a VALUE taken from user input must be escaped as per RFC 4515 ('*', '(', ')', '\', NUL) by the caller, otherwise it can change the meaning of the query. |
attrNames
parameter; if there are multiple attributes of the same type for the same object, the value of the concerned key will be a dyn_ list of values instead. dyn_string fwAccessControl_getEgroupList | ( | dyn_string & | exceptionInfo, |
string | nameFilter = "" , |
||
dyn_string | otherFilters = makeDynString() |
||
) |
Look up egroups matching a search criteria
By default (no filters) will return the list of all egroups.
exceptionInfo | (dyn_string) OUT standard exception-handling variable |
nameFilter | (string) IN is optional with default value '""' specify a filter on the name of the egroup; the wildcard character '*' could be used inside the filter |
otherFilters | (dyn_string) IN is optional, default empty; a list of other filters, in the form of strings 'attribute=value'; the list is then converted to the LDAP filter string with the logical "and" operator; note that there should be no brackets around the tokens passed in the list. The tokens are concatenated into the filter as given, so a value taken from user input must be escaped as per RFC 4515 ('*', '(', ')', '\', NUL) by the caller, otherwise it can change the meaning of the query. |
string fwAccessControl_egroupToDomainName | ( | string | egroupName | ) |
Extracts domain name from a egroup name
The name of the domain is the string after the last "-" character in the egroup name.
egroupName | (string) IN the name of the egroup |
string fwAccessControl_egroupToRoleName | ( | string | egroupName | ) |
Extracts role name from a egroup name
The name of the role (group) is the last token of the egroup name when split at the "-" character. A "--" sequence is converted to a "-" in the name instead of being treated as a separator.
Examples: "A-B-C" => "C"; "A-B--C" => "B-C"; "A_B-C_D-E_F" => "E_F"
egroupName | (string) IN the name of the egroup |
string fwAccessControl_domainNameToEgroup | ( | string | domainName, |
dyn_string & | exceptionInfo | ||
) |
Converts domain name to a egroup name
To find a matching egroup, the following methods are applied
domainName | (string) IN the name of the domain |
exceptionInfo | (dyn_string) standard exception-handling parameter |
string fwAccessControl_roleNameToEgroup | ( | string | roleName, |
dyn_string & | exceptionInfo | ||
) |
Converts role (group) name to a egroup name
To find a matching egroup, three methods are applied
roleName | (string) IN the name of the role (group) |
exceptionInfo | (dyn_string) OUT standard exception-handling variable |
void fwAccessControl_egroupToAccessRight | ( | string | egroupName, |
string & | accessRight, | ||
int & | privNumber, | ||
dyn_string & | exceptionInfo | ||
) |
Extracts access right from a egroup name
The lookup is done in the following way
egroupName | (string) IN the name of the egroup (needs to be of "fwAccessControl privilege" type) |
accessRight | (string) OUT on return will contain the name of the access right in form of a "Domain:Privilege" string |
privNumber | (int) OUT on return will contain the privilege number inside the domain |
exceptionInfo | (dyn_string) OUT standard exception handling variable |
string fwAccessControl_accessRightToEgroup | ( | string | accessRight, |
dyn_string & | exceptionInfo | ||
) |
Converts access right to a egroup name
To find a matching egroup the following is done
accessRight | (string) IN the name of the access right, in the format "Domain:Privilege"; spaces in the privilege name are replaced by "__" |
exceptionInfo | (dyn_string) OUT standard exception handling variable |
void fwAccessControl_egroupGetDomainPrivileges | ( | string | domainEgroup, |
dyn_string & | privilegeNames, | ||
dyn_string & | privilegeEgroups, | ||
dyn_string & | exceptionInfo | ||
) |
Retrieves the list of privileges of a domain using LDAP query
Note that the egroups that are privileges need to :
domainEgroup | (string) IN the name of the egroup for the domain |
privilegeNames | (dyn_string) OUT on return will contain the list of privilege names, sorted according to their numbers; spaces in a privilege name are replaced by "__" in the egroup names |
privilegeEgroups | (dyn_string) OUT on return will contain the list of egroup names corresponding to the list in privilegeNames |
exceptionInfo | (dyn_string) OUT standard exception-handling variable |
void fwAccessControl_getConfigurationFromEgroup | ( | string | configurationEgroup, |
dyn_string & | domainEgroups, | ||
dyn_string & | domainNames, | ||
dyn_string & | roleEgroups, | ||
dyn_string & | roleNames, | ||
dyn_string & | exceptionInfo | ||
) |
Retrieve the EgroupSynchronization Configuration from LDAP
configurationEgroup | (string) IN the name of the configuration egroup |
domainEgroups | (dyn_string) OUT list of egroups defining domains in this configuration |
domainNames | (dyn_string) OUT list of names of the domains corresponding to domainEgroups |
roleEgroups | (dyn_string) OUT list of role (group) egroups in this configuration |
roleNames | (dyn_string) OUT list of role (group) names corresponding to roleEgroups |
exceptionInfo | (dyn_string) OUT standard exception-handling variable |
void fwAccessControl_getDomainFromEgroup | ( | string | domainEgroup, |
string & | domainName, | ||
string & | domainComment, | ||
dyn_string & | privilegeEgroups, | ||
dyn_string & | privilegeNames, | ||
dyn_string & | exceptionInfo | ||
) |
Retrieve domain information from a egroup using a LDAP query
domainEgroup | (string) IN the name of the domain egroup being queried |
domainName | (string) OUT returns the name of the domain |
domainComment | (string) OUT returns the comment of the domain as defined in the "description" attribute |
privilegeEgroups | (dyn_string) OUT returns the list of egroups for privileges inside the domain |
privilegeNames | (dyn_string) OUT returns the list of privilege names inside the domain (corresponding to privilegeEgroups ) |
exceptionInfo | (dyn_string) OUT standard exception handling variable |
A useful LDAP query that does the data extraction from the commandline:
void fwAccessControl_getRoleFromEgroup | ( | string | roleEgroup, |
string & | roleName, | ||
string & | roleComment, | ||
dyn_string & | accessRights, | ||
dyn_string & | privilegeEgroups, | ||
dyn_string & | memberEgroups, | ||
dyn_string & | childRoleEgroups, | ||
dyn_string & | exceptionInfo | ||
) |
Retrieve role information from a egroup using a LDAP query
roleEgroup | (string) IN the name of the role (group) egroup being queried |
roleName | (string) OUT returns the name of the role (group) |
roleComment | (string) OUT returns the comment of the role as defined in the "description" attribute |
accessRights | (dyn_string) OUT returns the list of access rights granted to this role; access rights are in the form "Domain:Privilege" |
privilegeEgroups | (dyn_string) OUT returns the list of egroups corresponding to accessRights |
memberEgroups | (dyn_string) OUT returns the list of member egroups (egroups that define lists of users) |
childRoleEgroups | (dyn_string) OUT returns the list of child role egroups (for role-inheritance) |
exceptionInfo | (dyn_string) OUT standard exception handling variable |
const string fwAccessControl_egroupsBaseDN ="OU=e-groups,OU=Workgroups,DC=cern,DC=ch" |
LDAP Base DN where egroups information is stored
const string fwAccessControl_EgroupLookup_Configurations = "CONFIGURATIONS" |
const string fwAccessControl_Egroup_FullNamePrefix = "EGROUP:" |
prefix in the full name of the role or domain specifying the egroup name
const string fwAccessControl_Egroup_topicConfiguration = "fwAccessControl configuration" |
names of egroups "topics" used to distinguish the special egroups here