ACL handling

This chapter details the way access control is handled within the clacks core engine, from the clacks-shell (clacksh) and from the command line using the acl-admin.py tool.

First of all, here is a small graphic that shows how the Acl-objects are used internally in the agent.

How an ACL assigment could look like

>>> ACLSet
>>>  |-> ACL
>>>  |-> ACL
>>>  |-> ACL -> ACLRole (test1)
>>>  |-> ACL
>>> ACLRole (test1)
>>>  |-> ACLRoleEntry
>>>  |-> ACLRoleEntry

Internal ACL handling - A short explanation

This section describes how ACLs are defined and used internally in the clacks core, a normal user will not use ACLs this way, but I guess it helps understanding how things work. The use of the acl-admin.py tool and the use of acls in the clacks-shell will follow a few lines below.

As the small graph above shows, ACLs are represented by a set of classes. One of these is the ACLSet class, which combines a list of ACL entries into a set of effective ACLs.

The ACLSet has a base property which specifies the base, this set of acls is valid for. E.g. dc=example,dc=net

>>> aclset = ACLSet("dc=example,dc=de")

The ACL object describes a set of actions/objects/topics that can be accessed in a given scope, by a list of users.

>>> acl = ACL(scope=ACL.ONE)
>>> acl.set_members([u'tester1', u'tester2'])
>>> acl.add_action('^org\.clacks\.event\.ClientLeave$', 'rwx')
>>> acl.set_priority(100)

The classes ACLRole and ACLRoleEntry allow to build up roles that can then be used in ACLSets to simplify the use ACL that are frequently used.

>>> aclrole = ACLRole('role1')
>>> acl = ACLRoleEntry(scope=ACL.SUB)
>>> acl.add_action('^org\.clacks\.event\.ClientLeave$', 'rwx')
>>> aclrole.add(acl)

Once you’ve created an ACLSet or ACLRole object and want to activate it, you’ve to attach it to the ACLResolver object.

>>> resolver = PluginRegistry.getInstance("ACLResolver")
>>> resolver.add(aclset1)
>>> resolver.add(role1)

Now you can check for permissions like this:

>>> resolver = PluginRegistry.getInstance("ACLResolver")
>>> resolver.check('user1', 'org.clacks.event.ClientLeave', 'x')

ACLs in detail

As the explanation above shows how acls are used, this section explains each option in detail.

ACLSet

The ACLSet is initialized with a base parameter:

>>> aclset = ACLSet("dc=example,dc=net")

The base given for an ACLSet specifies which objects are affected by the ACLSet. All objects, beneath and including “dc=exmaple,dc=net”, will be affected by the acl ACLSet above.

If you want to set an ACL for a single object, e.g. a single User, then you’ve to use the users dn for the ACLset.

ACLSet can contain multiple ACL objects:

>>> aclset.add(acl1)
>>> aclset.add(acl2)
>>> aclset.add(acl3)

And you can remove ACLs in different ways:

>>> aclset.remove_acl(acl_object)
>>> aclset.remove_acls_for_user(user_name)

ACL

ACL objects contain the real acl definitions that will later by applied to a base using the ACLSet.

ACL - scopes

They are initialized by a scope parameter, which defines how the containing acls take affect:

>>> acl = ACL(scope=ACL.ONE)

Here is a list of all available scopes:

Scope values - internal use - agent-core:

    * ``ACL.ONE`` for one level.
    * ``ACL.SUB`` for all sub-level. This can be revoked using ``ACL.RESET``
    * ``ACL.RESET`` revokes the actions described in this ``ACL`` object for all sub-levels of the tree.
    * ``ACL.PSUB`` for all sub-level, cannot be revoked using ``ACL.RESET``

Scope values - external use, e.g. when executing commands using the clacksh or from the agent-acl.py tool:

    * ``"one"`` for one level.
    * ``"sub"`` for all sub-level. This can be revoked using ``ACL.RESET``
    * ``"reset"`` revokes the actions described in this ``ACL`` object for all sub-levels of the tree.
    * ``"psub"`` for all sub-level, cannot be revoked using ``ACL.RESET``

The scope “one” or ACL.ONE used in the example above, will apply to the base we used in the ACLSet and all objects one level below to base.

ACL - members

>>> acl.set_members([u'tester1', u'tester2'])

ACL members can also contain regular expressions, like this:

>>> acl.set_members([u"user1", u"^user[0-9]*$"])

ACL - actions

The permission an ACL contains are defined in actions, each action contains a topic, a set of acls-flags and some optional options.

Here is an example which allows to (r)ead (w)rite and e(x)ecute the topic org.clacks.event.ClientLeave.

>>> acl.add_action('^org\.clacks\.event\.ClientLeave$', 'rwx')
>>> acl.add_action(**Topic**, **permissions**, **options**)

Topic

Topics are defined as regular expressions, which gives a huge flexibility.

For example ^clacks\.[^\.]*\.factory$ would match for:
  • clacks.test.factory
  • clacks.hallo.factory
but not for:
  • clacks.factory
  • clacks.level1.level2.factory
Where ^clacks\..*\.factory$ matches for:
  • clacks.factory
  • clacks.level1.factory
  • clacks.level1.level2.factory

Acl - flags

The acl parameter describes the action we can perform on a given topic. Possible actions are:

  • r - Read
  • w - Write
  • c - Create
  • d - Delete
  • o - Onwer only, this acl affects only loggedin user itself.
  • m - Manager, this acl applies for the manager of on object.
  • s - Search - or beeing found
  • x - Execute
  • e - Receive event

The actions have to passed as a string, which contains all actions at once

>>> add_action(``topic``, "rwcdm", ``options``)

Options

Options are additional check parameters that have to be fullfilled to get this acl to match.

The options parameter is a dictionary which contains a key and a value for each additional option we want to check for, e.g.

>>> add_action('topic', 'acls', {'uid': 'hanspeter', 'ou': 'technik'})

If you’ve got a user object (user1) as dictionary, then you can check permissions like this

>>> resolver.check('some.topic', 'rwcdm', user1)

The resolver will then check if the keys uid and ou are present in the user1 dictionary and then check if the values match. If not all options match, the ACL will not match.

Priority

Priorities can be given from -100 up to 100, where -100 is the highest.

>>> acl.set_priority(100)

Examples

A simple acl defintion.

Add an acl for user ‘tester1’ and ‘tester2’ for one-level on base ‘dc=example,dc=net’ to topic org.clacks.event.notify with acls ‘rwx’:

>>> aclset = ACLSet("dc=example,dc=net")
>>> acl = ACL(scope=ACL.ONE)
>>> acl.set_members([u'tester1', u'tester2'])
>>> acl.add_action('^org\.clacks\.event\.notify$', 'rwx')
>>> acl.set_priority(100)
>>> aclset.add(acl)

You can also use regular expressions for topics:

>>> acl.add_action('^org\.clacks\.event\.[^\.]*$', 'rwx')
"[^\.]*" means everything one level

Remove all acls for user tester1:

>>> aclset.remove_acls_for_user('tester1')

Using a acl-role

>>> # Create an ACLRole object
>>> aclrole = ACLRole('role1')
>>> acl = ACLRoleEntry(scope=ACL.SUB)
>>> acl.add_action(...)
>>> aclrole.add(acl)
>>> # Now add the role to the resolver
>>> resolver = ACLResolver()
>>> resolver.add_acl_set(aclrole)
>>> # You can use this role like this in ACL entries of an ACLset:
>>> aclset = ACLSet()
>>> acl = ACL(role=aclrole)
>>> aclset.add(acl)
>>> resolver.add_acl_set(aclset)

Setting ACLs from the Clacks-shell

Listing ACLs

You can use the following command in the clacks shell to build up ACL defintions. The schema is the same as describes above with slight differences.

List all defined ACLs, you can filter by base and topic.

>>> getACls(base='dc=gonicus,dc=de')
>>> getACls(topic=r'^com\.gonicus\.factory$')

List all defined roles

>>> getACLRoles()

Adding ACLs

>>> addACL('dc=gonicus,dc=de', 'sub', 0, [u'tester1'], [{'topic': r'^some\.topic.*$', 'acls': 'rwcdm'}])

or with some options:

>>> resolver.addACL('dc=gonicus,dc=de', 'sub', 0, [u'tester1'], [{'topic': r'^some\.topic.*$', 'acls': 'rwcdm', 'options': {'uid': '^u[0-9]'}}])

Adding roles

>>> addACLRole('role1')
>>> addACLtoRole('role1', 'sub', 0, {...})

Removing an acl

The id of an ACL entry can found in the ACL itself, just get all defined ACLSets and then interate through them and use the id of the ACL.

>>> removeACL(id)

Removing a role

>>> removeRole('role1')

ACLs using the acl_admin.py tool

List acls

>>> ./acl-admin list acls

Add acls to an object

>>> ./acl-admin add roleacl with-actions "name=TEST,dc=example,dc=net" 1 sub "^net\.example\.objects\.Group\..*$:s"

Add a new role

>>> ./acl-admin add role dc=example,dc=net TEST

Add acls to a role

>>> ./acl-admin add roleacl with-actions "name=TEST,dc=example,dc=net" 1 sub "^net\.example\.command\.core\.(getSessionUser|get_error|getBase|search|openObject|dispatchObjectMethod|setObjectProperty|closeObject|reloadObject)$:x"
>>> ./acl-admin add add roleacl with-actions "name=TEST,dc=example,dc=net" 1 sub "^net\.example\.command\.gosa\.(getTemplateI18N|getAvailableObjectNames|getGuiTemplates|getUserDetails|search|getObjectDetails|searchForObjectDetails|loadUserPreferences|saveUserPreferences)$:x"

Remove a role

>>> ./acl-admin remove role "name=TEST,dc=example,dc=net"

Remove all acls from a base

>>> ./acl-admin remove acls "dc=example,dc=net"

Remove all acls from a role

>>> ./acl-admin remove roleacls "name=TEST,dc=example,dc=net"

For details take a look at the ACL module

ACL management

This chapter details the way access control is handled within the clacks core engine.

How an ACL assigment could look like
ACLRole (test1)
 |-> ACLRoleEntry
 |-> ACLRoleEntry

ACLSet
 |-> ACL
 |-> ACL
 |-> ACL -> ACLRole (test1)
 |-> ACL

class clacks.agent.acl.ACL(scope=2, role=None)

The ACL object describes a set of actions that can be accessed in a given scope. ACL classes can then be bundled in ACLSet objects and attached to base.

Key Description
scope The scope this acl is valid for.
role You can either define permission actions directly or you can use an ACLRole instead

Scope values - internal use:

  • ACL.ONE for one level.
  • ACL.SUB for all sub-level. This can be revoked using ACL.RESET
  • ACL.RESET revokes the actions described in this ACL object for all sub-levels of the tree.
  • ACL.PSUB for all sub-level, cannot be revoked using ACL.RESET

Scope values - external use, e.g. when executing commands using the clacksh:

  • "one" for one level.
  • "sub" for all sub-level. This can be revoked using ACL.RESET
  • "reset" revokes the actions described in this ACL object for all sub-levels of the tree.
  • "psub" for all sub-level, cannot be revoked using ACL.RESET

The ACL class contains list of actions for a set of members. These ACL classes can then be bundled and attached to a base base using the ACLSet class.

Type Description
Scope The scope specifies where the ACL is valid for, e.g. ONE-level, all SUB-levels or RESET previous ACLs
Members A list of users this acl is valid for.
Role Instead of actions you can also refer to a ACLRole object.
Actions You can have multiple actions, where one action is described by a topic, a set of acls and additional options that have to be checked while ACLs are resolved.
>>> # Create an ACLSet object
>>> aclset = ACLSet()
>>> # Create an ACL object and attach it to the ACLSet
>>> acl = ACL()
>>> acl.set_priority(0)
>>> acl.set_members([u"user1", u"user2"])
>>> acl.add_action('^org\.clacks\.event\.ClientLeave$', 'rwx')
>>> aclset.add(acl)
>>> # Now add the set to the resolver
>>> resolver = ACLResolver()
>>> resolver.add_acl_set(aclset)
>>> # You can now check for acls, both should return True now.
>>> resolver.check('user1', 'org.clacks.event.ClientLeave', 'r')
>>> resolver.check('user1', 'org.clacks.event.ClientLeave', 'rwx')

ACL members can also contain regular expressions, like this:

>>> acl.set_members([u"user1", u"^user[0-9]*$"])
>>> ...
>>> resolver.check('user45', 'org.clacks.event.ClientLeave', 'r')
add_action(topic, acls, options=None)

Adds a new action to this ACL object.

Key Description
topic The topic action we want to create ACLs for. E.g. ‘org.clacks.factory.Person’
acls The acls this action contain. E.g. ‘rwcdm’.
options Special additional options that have to be checked.

Topic

Topics are defined as regular expressions, which gives a huge flexibility.

For example ^clacks\.[^\.]*\.factory$ would match for:
  • clacks.test.factory
  • clacks.hallo.factory
but not for:
  • clacks.factory
  • clacks.level1.level2.factory
Where ^clacks\..*\.factory$ matches for:
  • clacks.factory
  • clacks.level1.factory
  • clacks.level1.level2.factory

Acls

The acls paramter describes the action we can perform on a given topic. Possible actions are:

  • r - Read
  • w - Write
  • c - Create
  • d - Delete
  • o - Onwer only, this acl affects only loggedin user itself.
  • m - Manager, this acl applies for the manager of on object.
  • s - Search - or beeing found
  • x - Execute
  • e - Receive event
The actions have to passed as a string, which contains all actions at once::
>>> add_action(``topic``, "rwcdm", ``options``)

Options

Options are additional check parameters that have to be fullfilled to get this acl to match.

The options parameter is a dictionary which contains a key and a value for each additional option we want to check for, e.g. ::
>>> add_action('topic', 'acls', {'uid': 'hanspeter', 'ou': 'technik'})
If you’ve got a user object (user1) as dictionary, then you can check permissions like this::
>>> resolver.check('some.topic', 'rwcdm', user1)

The resolver will then check if the keys uid and ou are present in the user1 dictionary and then check if the values match. If not all options match, the ACL will not match.

clear_actions()

This method removes all defined actions from this acl.

get_members()

Returns the list of members this ACL is valid for.

get_scope()

Returns the scope of an ACL. SUB, PSUB, RESET, ...

match(user, topic, acls, targetBase, options=None, skip_user_check=False, used_roles=None, override_users=None)

Check if this ACL object matches the given criteria.

Warning

Do NOT use this to validate permissions. Use ACLResolver->check() instead

Key Description
user The user we want to check for. E.g. ‘hans’
topic The topic action we want to check for. E.g. ‘org.clacks.factory’
acls A string containing the acls we want to check for.
options Special additional options that have to be checked.
skip_user_check Skips checks for users, this is required to resolve roles.
used_roles A list of roles used in this recursion, to be able to check for endless-recursions.
override_users If an acl ises a role, then the original user list will be passed to the roles-match method to ensure that we can match for the correct list of users.
targetBase To object that was initially checked for (DN)
repr_self(indent=0)

Generates a human readable representation of the ACL-object.

set_members(members)

Set the members for this acl

Key Description
members A list of usernames

Example:

aclset = ACLSet()
acl = ACL(scope=ACL.ONE)

acl.set_members([u'peter', u'klaus'])
set_priority(priority)

Sets the priority of this ACL object. Lower values mean higher priority.

If no priority is given, a priority of 0 will be used when this ACL gets added to an ACLSet, the next will get 1, then 2 aso.

Key Description
priority The new priority value for this ACl.

Example:

aclset = ACLSet()
acl = ACL(scope=ACL.ONE)
acl.set_members([u'tester1', u'tester2'])
acl.add_action('^org\.clacks\.event\.ClientLeave$', 'rwx')

acl.set_priority(100)
set_scope(scope)

This methods updates the ACLs scope level.

See clacks.agent.acl.ACL for details on the scope-levels.

Key Description
priority The new priority value for this ACl.
use_role(rolename)

Mark this ACL to use a role instead of direkt permission settings.

Key Description
rolename The name of the role to use.
class clacks.agent.acl.ACLResolver

The ACLResolver is responsible for loading, saving and resolving permission:

>>> resolver = ACLResolver()
>>> self.resolver.check('user1','org.clacks.factory','r')
>>> self.resolver.check('user1','org.clacks.factory','rwx', 'dc=example,dc=net')

If no base is given (last parameter of check), the default base will be used. (The default base is the configured LDAP base).

To list all defined roles and acls you can use:

>>> resolver = ACLResolver()
>>> resolver.list_roles()
>>> resolver.list_acls()

To print a human readable output of an ACLSet just use the string repesentation:

>>> acls = ACLSet('...')
>>> acl = ACL(scope=ACL.ONE)
>>> acls.add(acl)
>>> acls
aclset_exists_by_base(base)

Checks if a ACLSet for the given base exists or not.

Key Description
base The base we want to check for.
addACL(user, base, priority, members, actions=None, scope=None, rolename=None)

Note

This method will be exported by the CommandRegistry.

Adds a new acl-rule to the active acls.

Key Description
base The base this acl works on. E.g. ‘dc=example,dc=de’
priority An integer value to prioritize this acl-rule. (Lower values mean higher priority)
members A list of members this acl affects. E.g. [u’Herbert’, u’klaus’]
actions A dictionary which includes the topic and the acls this rule includes.
scope The ‘scope’ defines how an acl is inherited by sub-bases. See Scope values for details.
rolename The name of the role to use.

The actions parameter is dictionary with three items topic, acls and options.

For details about scope, topic, options and acls, click here: Scope values, Topic, ACLs and Options

Example:

>>> resolver.addACL('dc=gonicus,dc=de', 'sub', 0, [u'tester1'], [{'topic': r'^some\.topic.*$', 'acls': 'rwcdm'}])

or with some options:

>>> resolver.addACL('dc=gonicus,dc=de', 'sub', 0, [u'tester1'], [{'topic': r'^some\.topic.*$', 'acls': 'rwcdm', 'options': {'uid': '^u[0-9]'}}])
addACLRole(user, rolename)

Note

This method will be exported by the CommandRegistry.

Creates a new acl-role.

Key Description
rolename The name of the new role.

Example:

>>> addACLRole('role1')
>>> addACLtoRole('role1', 'sub', 0, {...})
addACLToRole(user, rolename, priority, actions=None, scope=None, use_role=None)

Note

This method will be exported by the CommandRegistry.

Adds a new acl to an existing role.

Key Description
rolename The name of the acl-role we want to add to.
priority An integer value to prioritize this acl-rule. (Lower values mean higher priority)
actions A dictionary which includes the topic and the acls this rule includes.
scope The ‘scope’ defines how an acl is inherited by sub-bases. See Scope values for details.
use_role The role-name to use if we do not assign actions directly using the actions parameter.

For details about scope, topic, options and acls, click here: Scope values, Topic, ACLs and Options

Example:

>>> resolver.addACLtoRole('rolle1', 'sub', 0, [{'topic': r'^some\.topic.*$', 'acls': 'rwcdm'}])

or with some options:

>>> resolver.addACLtoRole('rolle1', 'sub', 0, [{'topic': r'^some\.topic.*$', 'acls': 'rwcdm', 'options': {'uid': '^u[0-9]'}}])
add_acl_role(role)

Adds a new ACLRole-object to the ACLResolver class.

Key Description
role The ACLRole object we want to add.
add_acl_set(acl)

Adds an ACLSet object to the list of active-acl rules.

add_acl_to_base(base, acl)

Adds an ACL object to an existing ACLSet which is identified by its base.

Key Description
base The base we want to add an acl to.
acl The ‘ACL’ object we want to add.
add_acl_to_role(rolename, acl)

Adds an ACLRoleEntry-object to an existing ACLRole.

Key Description
rolename The name of the role we want to add this ACLRoleEntry to.
acl The ACLRoleEntry object we want to add.
add_acl_to_set(base, acl)

Adds an ACL-object to an existing ACLSet.

Key Description
base The base we want to add an ACL object to.
acl The ACL object we want to add.
check(user, topic, acls, options=None, base=None)

Check permission for a given user and a base.

Key Description
user The user we want to check for.
topic The topic string, e.g. ‘org.clacks.factory’
acls The list of acls, we want to check for, e.g. ‘rcwdm’
options A dictionary containing extra options to check for.
base The base we want to check acls in.

For details about topic, options and acls, click here: Scope values, Topic, ACLs and Options

Example::
>>> resolver = ACLResolver()
>>> self.resolver.check('user1','org.clacks.factory','r')
>>> self.resolver.check('user1','org.clacks.factory','rwx', 'dc=example,dc=net')
clear()

Clears all information abouts roles and acls. This is called during initialization of the ACLResolver class.

getACLRoles(user)

Note

This method will be exported by the CommandRegistry.

This command returns a lists of all defined ACLRoles.

Example:

>>> getAClRoles()
getACLs(user, base=None, topic=None)

Note

This method will be exported by the CommandRegistry.

This command returns a lists of defined ACLs, including hard coded system-admins (configuration file).

You can filter the result by using the topic and base parameters. The base parameter will only list permissions defined for the given base, where the topic parameter will list all acls that match the given topic value.

Example:

>>> getACls(base='dc=gonicus,dc=de')
>>> getACls(topic=r'^com\.gonicus\.factory$')
Key Description
base (optional) The base we want to list the permissions for.
topic (optional) The topic we want to list acls for.
get_aclset_by_base(base)

Returns an acl set by base.

Key Description
base The base we want to return the ACLSets for.
get_next_acl_id()

Generate a uniqe ID for each AclEntry used in Sets or Roles.

is_role_used(rolename)

Checks whether the given ACLRole object is used or not.

Key Description
rolename The name of the role we want to check for.
list_acl_bases()

Returns all bases we’ve acls attached to

list_acls()

Returns all ACLSets attached to the resolver

list_admin_accounts()

Returns the list of admins accounts. Those hardcoded in the clacks config.

list_roles()

Returns all ACLRoles attached to the resolver

load_acls()

Load acls definitions from backend

load_from_object_database()

Loads acl definitions from the object databases

removeACL(user, acl_id)

Note

This method will be exported by the CommandRegistry.

This command removes an acl definition by its id.

Key Description
acl_id The id of the acl to remove.

Return: Boolean True on success else False

Example: >>> getACls(base=’dc=gonicus,dc=de’) >>> getACls(topic=r’com.gonicus.factory’)

removeRole(user, rolename)

Note

This method will be exported by the CommandRegistry.

Removes a defined role by its name.

Key Description
rolename The name of the role.
removeRoleACL(user, role_id)

Note

This method will be exported by the CommandRegistry.

Removes a defined role ACL by its id.

(You can use getACLRoles() to list the role-acl IDs)

Key Description
role_id The ID of the role-acl to remove.
remove_acls_for_user(user)

Removes all permission for the given user!

Key Description
user The username to remove acls for.

Example:

aclset = ACLSet()
acl = ACL(scope=ACL.ONE)
acl.set_members([u'tester1', u'tester2'])
acl.add_action('...', 'rwx')
acl.set_priority(100)
aclset.add(acl)
resolver.add(aclset)

resolver.remove_acls_for_user('tester1')

...
remove_aclset_by_base(base)

Removes a given ACLSet by base.

Key Description
base The base we want to delete ACLSets for.
remove_role(name)

Removes an acl role by name.

Key Description
name The name of the role that have to be removed.
serve()

Load ACL definitions once all plugins are loaded.

updateACL(user, acl_id, scope=None, priority=None, members=None, actions=None, rolename=None)

Note

This method will be exported by the CommandRegistry.

Updates an acl by ID.

Key Description
id The ID of the acl we want to update.
scope The ‘scope’ defines how an acl is inherited by sub-bases. See Scope values for details.
priority An integer value to prioritize this acl-rule. (Lower values mean higher priority)
members A new list of members.
actions A dictionary which includes the topic and the acls this rule includes.
rolename The name of the role to use.

For details about scope, topic, options and acls, click here: Scope values, Topic, ACLs and Options

Example:

>>> resolver.addACLtoRole('rolle1', 'sub', 0, ['peter'], [{'topic': '^some\.topic.*$', 'acls': 'rwcdm'}])

or with some options:

>>> resolver.addACLtoRole('rolle1', 'sub', 0, ['peter'], [{'topic': '^some\.topic.*$', 'acls': 'rwcdm', 'options': {'uid': '^u[0-9]'}}])
updateACLRole(user, acl_id, scope=None, priority=None, actions=None, use_role=None)

Note

This method will be exported by the CommandRegistry.

Updates an role-acl by ID.

Key Description
id The ID of the role-acl we want to update.
scope The ‘scope’ defines how an acl is inherited by sub-bases. See Scope values for details.
priority An integer value to prioritize this acl-rule. (Lower values mean higher priority)
actions A dictionary which includes the topic and the acls this rule includes.
use_role The role-name to use if we do not assign actions directly using the actions parameter.

For details about scope, topic, options and acls, click here: Scope values, Topic, ACLs and Options

Example:

>>> resolver.updateACLRole(1, 'sub', 0, ['peter'], [{'topic': '^some\.topic.*$', 'acls': 'rwcdm'}])

or with some options:

>>> resolver.updateACLRole(1, 'sub', 0, ['peter'], [{'topic': '^some\.topic.*$', 'acls': 'rwcdm', 'options': {'uid': '^u[0-9]'}}])
class clacks.agent.acl.ACLRole(name, dn=None)

This is a container for ACLRoleEntries entries that should act like a role. An ACLRole has a name which can be used in ACL objects to use the role.

Key Description
name The name of the role we want to create.

This class equals the ACLSet class, but in details it does not have a base, instead it has name. This name can be used later in ‘ACL’ classes to refer to this acl role.

And instead of ACL-objects it uses ACLRoleEntry-objects to assemble a set of acls:

>>> # Create an ACLRole object
>>> aclrole = ACLRole('role1')
>>> acl = ACLRoleEntry(scope=ACL.SUB)
>>> acl.add_action(...)
>>> aclrole.add(acl)

>>> # Now add the role to the resolver
>>> resolver = ACLResolver()
>>> resolver.add_acl_set(aclrole)

>>> # You can use this role like this in ACL entries of an ACLset:
>>> aclset = ACLSet()
>>> acl = ACL(role=aclrole)
>>> aclset.add(acl)
>>> resolver.add_acl_set(aclset)

Or you can use this role within another role like this:

>>> # Create an ACLRole object
>>> aclrole1 = ACLRole('role1')
>>> acl = ACLRoleEntry(scope=ACL.SUB)
>>> acl.add_action(...)
>>> aclrole1.add(acl)

>>> # Now add the role to the resolver
>>> resolver = ACLResolver()
>>> resolver.add_acl_set(aclrole1)

>>> # Create antoher role which refers to role1
>>> aclrole2 = ACLRole('role2')
>>> acl = ACLRoleEntry(role=role1)
>>> aclrole2.add(acl)
>>> resolver = ACLResolver()
>>> resolver.add_acl_set(aclrole2)

>>> # Now use the role2 in an ACL defintion. (Role2 point to Role1 now.)
>>> aclset = ACLSet()
>>> acl = ACL(role=aclrole2)
>>> aclset.add(acl)
>>> resolver.add_acl_set(aclset)
add(item)

Add a new ACLRoleEntry object to this ACLRole.

Key Description
item The ACLRoleEntry item to add to this role.

Example:

# Create an ACLRole
role = ACLRole('role1')
acl = ACLRoleEntry(scope=ACL.ONE)
acl.add_action('^org\.clacks\.event\.ClientLeave$', 'rwx')

role.add(acl)
get_name()

Returns the name of the role.

repr_self(indent=0)

Create a human readable reprentation of this ACLRole object.

class clacks.agent.acl.ACLRoleEntry(scope=2, role=None)

The ACLRoleEntry object describes a set of actions that can be accessed in a given scope. ACLRoleEntry classes can then be bundled in ACLRole objects, to build up roles.

This class interits most methods from clacks.agent.acl.ACL, except for methods that manage members, due to the fact that ACLRoleEntries do not have members!

Take a look at clacks.agent.acl.ACLRole to get an idea aobut how roles are created.

set_members(member)

An overloaded method from ACL which disallows to add users.

class clacks.agent.acl.ACLSet(base=None)

The base class of all ACL assignments is the ‘ACLSet’ class which combines a list of ACL entries into a set of effective ACLs.

The ACLSet has a base property which specifies the base, this set of acls, is valid for. E.g. dc=example,dc=net

Key Description
base The base this ACLSet is created for.
>>> # Create an ACLSet for base 'dc=example,dc=net'
>>> # (if you do not pass the base, the default of your ldap setup will be used)
>>> aclset = ACLSet('dc=example,dc=net')
>>> resolver = ACLResolver()
>>> resolver.add_acl_set(aclset)
add(item)

Adds a new ACL object to this ACLSet.

Key Description
acl The ACL object to add.

Example:

aclset = ACLSet()
acl = ACL(scope=ACL.ONE)
acl.set_members([u'tester1', u'tester2'])
acl.add_action('^org\.clacks\.event\.ClientLeave$', 'rwx')
acl.set_priority(100)

aclset.add(acl)
get_base()

Returns the base for this ACLSet.

remove_acl(acl)

Removes an acl entry fromt this ACLSet.

Key Description
acl The ACL object to remove.

Example:

aclset = ACLSet()
acl = ACL(scope=ACL.ONE)
acl.set_members([u'tester1', u'tester2'])
acl.add_action('^org\.clacks\.event\.ClientLeave$', 'rwx')
acl.set_priority(100)
aclset.add(acl)

aclset.remove_acl(acl)
remove_acls_for_user(user)

Removes all permission for the given user form this ACLSet.

Key Description
user The username to remove acls for.

Example:

aclset = ACLSet()
acl = ACL(scope=ACL.ONE)
acl.set_members([u'tester1', u'tester2'])

# "[^\.]*" means everything one level
acl.add_action('^org\.clacks\.event\.[^\.]*$', 'rwx')
acl.set_priority(100)
aclset.add(acl)

aclset.remove_acls_for_user('tester1')

...
repr_self(indent=0)

Create a human readable reprentation of this ACLSet object.