daos_security.h

Go to the documentation of this file.

/*
 * (C) Copyright 2019-2023 Intel Corporation.
 *
 * SPDX-License-Identifier: BSD-2-Clause-Patent
 */
 
#ifndef __DAOS_SECURITY_H__
#define __DAOS_SECURITY_H__
 
#if defined(__cplusplus)
extern "C" {
#endif
 
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>
#include <sys/types.h>
#include <daos_prop.h>
 
#define DAOS_ACL_VERSION        (1)
 
#define DAOS_ACL_MAX_PRINCIPAL_LEN  (255)
#define DAOS_ACL_MAX_PRINCIPAL_BUF_LEN  (DAOS_ACL_MAX_PRINCIPAL_LEN + 1)
 
#define DAOS_ACL_PRINCIPAL_OWNER    "OWNER@"
#define DAOS_ACL_PRINCIPAL_OWNER_GRP    "GROUP@"
#define DAOS_ACL_PRINCIPAL_EVERYONE "EVERYONE@"
 
#define DAOS_ACL_MAX_ACE_LEN        (65536)
 
#define DAOS_ACL_MAX_ACE_STR_LEN    (DAOS_ACL_MAX_PRINCIPAL_LEN + 64)
 
struct daos_acl {
    uint16_t    dal_ver;
    uint16_t    dal_reserv;
    uint32_t    dal_len;
    uint8_t     dal_ace[];
};
 
enum daos_acl_principal_type {
    DAOS_ACL_OWNER,     
    DAOS_ACL_USER,      
    DAOS_ACL_OWNER_GROUP,   
    DAOS_ACL_GROUP,     
    DAOS_ACL_EVERYONE,  
    NUM_DAOS_ACL_TYPES  
};
 
enum daos_acl_access_type {
    DAOS_ACL_ACCESS_ALLOW = (1U << 0),  
    DAOS_ACL_ACCESS_AUDIT = (1U << 1),  
    DAOS_ACL_ACCESS_ALARM = (1U << 2)   
};
 
#define DAOS_ACL_ACCESS_ALL (DAOS_ACL_ACCESS_ALLOW |        \
                 DAOS_ACL_ACCESS_AUDIT |        \
                 DAOS_ACL_ACCESS_ALARM)
 
enum daos_acl_flags {
    DAOS_ACL_FLAG_GROUP     = (1U << 0),
    DAOS_ACL_FLAG_POOL_INHERIT  = (1U << 1),
    DAOS_ACL_FLAG_ACCESS_FAIL   = (1U << 2),
    DAOS_ACL_FLAG_ACCESS_SUCCESS    = (1U << 3)
};
 
#define DAOS_ACL_FLAG_ALL   (DAOS_ACL_FLAG_GROUP |          \
                 DAOS_ACL_FLAG_POOL_INHERIT |       \
                 DAOS_ACL_FLAG_ACCESS_FAIL |        \
                 DAOS_ACL_FLAG_ACCESS_SUCCESS)
 
enum daos_acl_perm {
    DAOS_ACL_PERM_READ      = (1U << 0),
    DAOS_ACL_PERM_WRITE     = (1U << 1),
    DAOS_ACL_PERM_CREATE_CONT   = (1U << 2),
    DAOS_ACL_PERM_DEL_CONT      = (1U << 3),
    DAOS_ACL_PERM_GET_PROP      = (1U << 4),
    DAOS_ACL_PERM_SET_PROP      = (1U << 5),
    DAOS_ACL_PERM_GET_ACL       = (1U << 6),
    DAOS_ACL_PERM_SET_ACL       = (1U << 7),
    DAOS_ACL_PERM_SET_OWNER     = (1U << 8),
};
 
#define DAOS_ACL_PERM_POOL_ALL  (DAOS_ACL_PERM_READ |           \
                 DAOS_ACL_PERM_GET_PROP |       \
                 DAOS_ACL_PERM_WRITE |          \
                 DAOS_ACL_PERM_CREATE_CONT |        \
                 DAOS_ACL_PERM_DEL_CONT)
 
#define DAOS_ACL_PERM_CONT_ALL  (DAOS_ACL_PERM_READ |           \
                 DAOS_ACL_PERM_WRITE |          \
                 DAOS_ACL_PERM_DEL_CONT |       \
                 DAOS_ACL_PERM_GET_PROP |       \
                 DAOS_ACL_PERM_SET_PROP |       \
                 DAOS_ACL_PERM_GET_ACL |        \
                 DAOS_ACL_PERM_SET_ACL |        \
                 DAOS_ACL_PERM_SET_OWNER)
 
#define DAOS_ACL_PERM_ALL   (DAOS_ACL_PERM_POOL_ALL |       \
                 DAOS_ACL_PERM_CONT_ALL)
 
struct daos_ace {
    uint8_t     dae_access_types;
    uint8_t     dae_principal_type;
    uint16_t    dae_principal_len;
    uint16_t    dae_access_flags;
    uint16_t    dae_reserv;
    uint64_t    dae_allow_perms;
    uint64_t    dae_audit_perms;
    uint64_t    dae_alarm_perms;
    char        dae_principal[];
};
 
struct daos_acl *
daos_acl_create(struct daos_ace *aces[], uint16_t num_aces);
 
struct daos_acl *
daos_acl_dup(struct daos_acl *acl);
 
void
daos_acl_free(struct daos_acl *acl);
 
ssize_t
daos_acl_get_size(struct daos_acl *acl);
 
struct daos_ace *
daos_acl_get_next_ace(struct daos_acl *acl, struct daos_ace *current_ace);
 
int
daos_acl_get_ace_for_principal(struct daos_acl *acl,
                   enum daos_acl_principal_type type,
                   const char *principal, struct daos_ace **ace);
 
int
daos_acl_add_ace(struct daos_acl **acl, struct daos_ace *new_ace);
 
int
daos_acl_remove_ace(struct daos_acl **acl,
            enum daos_acl_principal_type type,
            const char *principal_name);
 
void
daos_acl_dump(struct daos_acl *acl);
 
int
daos_acl_validate(struct daos_acl *acl);
 
struct daos_ace *
daos_ace_create(enum daos_acl_principal_type type, const char *principal_name);
 
void
daos_ace_free(struct daos_ace *ace);
 
ssize_t
daos_ace_get_size(struct daos_ace *ace);
 
void
daos_ace_dump(struct daos_ace *ace, uint32_t tabs);
 
bool
daos_ace_is_valid(struct daos_ace *ace);
 
bool
daos_acl_principal_is_valid(const char *name);
 
int
daos_acl_uid_to_principal(uid_t uid, char **name);
 
int
daos_acl_gid_to_principal(gid_t gid, char **name);
 
int
daos_acl_principal_to_uid(const char *principal, uid_t *uid);
 
int
daos_acl_principal_to_gid(const char *principal, gid_t *gid);
 
const char *
daos_ace_get_principal_str(struct daos_ace *ace);
 
int
daos_ace_from_str(const char *str, struct daos_ace **ace);
 
int
daos_ace_to_str(struct daos_ace *ace, char *buf, size_t buf_len);
 
int
daos_ace_str_get_verbose(const char *ace_str, char *buf, size_t buf_len);
 
int
daos_acl_from_strs(const char **ace_strs, size_t ace_nr, struct daos_acl **acl);
 
int
daos_acl_to_strs(struct daos_acl *acl, char ***ace_strs, size_t *ace_nr);
 
int
daos_acl_principal_from_str(const char *principal_str,
                enum daos_acl_principal_type *type,
                char **name);
 
int
daos_acl_to_stream(FILE *stream, struct daos_acl *acl, bool verbose);
 
#if defined(__cplusplus)
}
#endif
#endif /* __DAOS_SECURITY_H__ */