EnglishFrenchSpanish

Ad


OnWorks favicon

dacsacl - Online in the Cloud

Run dacsacl in OnWorks free hosting provider over Ubuntu Online, Fedora Online, Windows online emulator or MAC OS online emulator

This is the command dacsacl that can be run in the OnWorks free hosting provider using one of our multiple free online workstations such as Ubuntu Online, Fedora Online, Windows online emulator or MAC OS online emulator

PROGRAM:

NAME


dacsacl - list, check, or re-index access control rules

SYNOPSIS


dacsacl [dacsoptions[1]] [-build | -nobuild] [-vfs vfs_uri] [...] [op-spec] [acl-name...]

DESCRIPTION


This program is part of the DACS suite.

The dacsacl utility performs administrative functions related to access control, such as:

· validating the syntax of ACL files (parsing the XML and DACS expressions);

· checking that the revocation list (VFS type revocations) exists and performing a
syntax check on it;

· creating an index (a directory data structure, as an XML file) of access control
files; and

· listing and deleting access tokens in the authorization cache (refer to
dacs_acs(8)[2]).

Please refer to dacs.acls(5)[3] for details about how access control rule files are named.

Important
Version 1.4.21 introduced important changes to the way DACS processes access control
files, introducing incompatibilities with earlier releases. Please pay special
attention to the -convert and -build flags.

Most importantly, after adding, deleting, or editing an access control file the ACL
index must be regenerated. This can be done simply by running dacsacl with no
arguments.

Notes
· So that it can be run as part of the installation procedure, dacsacl does not
require dacs.conf to exist. If it does exist, however, it must be readable and
syntactically correct.

· The program emits a warning message if it finds different ACL files that contain
identical url_pattern (or url_expr) attributes. It does not detect pairs of these
attributes that are equivalent, however; in general, it is not possible to do so
because the actual specifications used to match against a service request are not
known until run time. Two or more service elements should never apply to the same
service request (other than through wildcard matching) and the result of
authorization testing with such rules is indeterminate.

· The dacs_admin(8)[4] web service provides some of the same functionality as
dacsacl.

OPTIONS


In addition to the standard dacsoptions[1], dacsacl recognizes these options:

-build
Index rebuilding is done by default with most modes of operation, but it can be
explicitly requested with this flag. If the flag is given, it is not an error if an
index file does not exist (as when initially creating an index).

-nobuild
Suppress index rebuilding.

-vfs vfs_uri
This flag, which may be repeated, causes vfs_uri to be defined as if by a VFS[5]
directive, overriding any existing definition. This can be used to specify an
alternate location for the item types acls or dacs_acls, for instance. As a special
case, if acls (dacs_acls) is defined using this flag but not dacs_acls (acls), then
only the former's index will be rebuilt.

This option can be useful in conjunction with the -un[1] flag so that indexes can be
generated before a jurisdiction has been configured.

The optional op-spec describes one of the following operations:

-convert
This flag is used to convert from the older rule processing scheme (pre-1.4.21) to the
current scheme. It should only be needed by installations that are using custom rules
(i.e., those other than the standard rules for DACS web pages and web services). Note
that in some cases (described below) conversion is not fully automated, so the
administrator may need to do some additional work.

--
This flag is a no-op that is used to prevent any following argument from being
interpreted as a flag or operation.

-f file [...]
Each file argument is the pathname of an ACL file or a directory containing ACL files.
Since ACL files can be organized using a directory structure, directories are checked
recursively.

-l
List the full URI of each access control rule in the virtual filestore for item types
acls and dacs_acls. No error checking is performed.

-s
List the name (sans prefixes) of each access control rule in the virtual filestore for
item types acls and dacs_acls. No error checking is performed.

-tc
Clean up the authorization cache by deleting expired or otherwise invalid entries.
Note: since there may not be any concurrency control in effect, this should probably
not be done while DACS could be writing to the file.

-td # ...
Delete one or more authorization cache entries by giving their integer listing number
(starting at 1, as produced by the -tl flag). Note: since there may not be any
concurrency control in effect, this should probably not be done while DACS could be
writing to the file.

-tl
List the entries in the authorization cache.

-tt
Truncate the authorization cache, effectively deleting everything in the cache. This
is not currently implemented; in the meantime, simply delete the file or database, or
copy /dev/null to it.

If one or more acl-name arguments appear they are interpreted as ACL files accessed
through DACS's virtual filestore using item types acls and dacs_acls (both are checked).
The applicable DACS configuration for the item type determines how an acl-name will be
accessed. Note that acl-name must be the actual filename.

If no op-spec or acl-name is specified, dacsacl will examine all currently indexed ACL
files configured for the appropriate DACS jurisdiction.

EXAMPLES


The following command checks all of the access control rules belonging to the jurisdiction
associated with dss.example.com:

% dacsacl -u dss.example.com -v
Checking: /usr/local/dacs/federations/dss/acls/acl.2
Checking: /usr/local/dacs/federations/dss/acls/acl.3
Checking: /usr/local/dacs/federations/dss/acls/acl.4
Checking: /usr/local/dacs/acls/acl-auth.0
(Note: duplicate keys for "acl-auth.0" and "acl-conf.0")
Checking: /usr/local/dacs/acls/acl-conf.0
(Note: duplicate keys for "acl-conf.0" and "acl-dacs.0")
Checking: /usr/local/dacs/acls/acl-dacs.0
(Note: duplicate keys for "acl-dacs.0" and "acl-passwd.0")
Checking: /usr/local/dacs/acls/acl-passwd.0
(Note: duplicate keys for "acl-passwd.0" and "acl-stddocs.0")
Checking: /usr/local/dacs/acls/acl-stddocs.0
Updated rule: [acls]dacs-fs:/usr/local/dacs/conf/acls/acl-abc.0
Updated rule: [acls]dacs-fs:/usr/local/dacs/conf/acls/acl-accounts.0
...
Built index for "acls": 44 rules
Updated rule: [dacs_acls]dacs-fs:/usr/local/dacs/acls/acl-admin.0
Updated rule: [dacs_acls]dacs-fs:/usr/local/dacs/acls/acl-auth-agent.0
...
Built index for "dacs_acls": 14 rules
58 ACL files were checked (OK)

Note
While it is not an error for access control rules to have the same numeric suffix,
because the suffix partly determines the order in which roles are processed, using
equal suffix values accidentally may have unintended results.

The following command checks only one access control rule belonging to the jurisdiction
associated with dss.example.com:

% dacsacl -u dss.example.com -v acl.2
Checking: /usr/local/dacs/federations/dss/acls/acl.2
1 ACL file was checked (OK)

DIAGNOSTICS


The program exits 0 if everything was fine, 1 if an error occurred.

Use dacsacl online using onworks.net services


Free Servers & Workstations

Download Windows & Linux apps

Linux commands

Ad