Access Control List

An Access Control List (ACL) is a list of permissions that are attached to an object. The list defines who can access the object (an agent) and what actions the agent can perform on the object.

Overview

The VOV software implements compartmentalized access control with Access Control Lists (ACLs). Each ACL is a triplet:
  • A VOV object
  • An agent, which is a VOV security role name or an individual user name
  • A capability, which is a controlled activity

For any user to be authorized to perform a controlled capability or action on a VOV object, an ACL must exist that contains that user or role, the controlled action, and the VOV object.

Objects

Every ACL is associated with a VOV object. Types of objects currently include:
  • FairShare groups
  • Resource maps
  • Nodes (transitions, aka jobs; places, aka files)
  • Node sets
  • Reservations

Agents

Permission to perform a controlled action depends on the user ID and the VOV role associated with that user. The SWD/security.tcl file defines the association of users with roles.

VOV's roles serve two purposes:
  1. Control queue/instance/project operations (via the VOV protocol)
  2. Establish high-level permissions on VOV objects

VOV has these named roles:
ADMIN
Can do just about anything. By default, the "owner" of the queue/instance/project is the only admin.
LEADER
Can do lots of things, but not everything an ADMIN can.
USER
Can create and manage their own objects.
READONLY
Can view most things, but not create.
ANYBODY
Very limited, mainly used for testing.
NOBODY
Nothing, mainly used for testing.
UNKNOWN
The last resort, in case someone doesn't fall into any of the above roles. Also can do nothing.

An ACL is expressed in terms of operations that are permitted to an agent acting on the object. An agent may be a USER (login account), an OS group (OSGROUP), a FairShare group (FSGROUP), a machine (HOST) or one of the symbolic agents EVERYBODY, OWNER, ADMIN. The most powerful agent is the SERVER.

ACLs support the following "agents", which provide the identities of the persons involved:
USER name
OS authorized user
OWNER - role
The queue/instance/project owner
USER - role
The user that owns the VOV object
OSGROUP name
Members of the specified OS group
FSGROUP name
Members of the specified FairShare group
HOST
Anyone with a client connected from a specific host
EVERYBODY - role
Everybody
ADMIN - role
Anyone with the ADMIN role
SERVER
The vovserver process, specifically
LEADER
Anyone with the LEADER role
USERGROUP name
Members of the specified VOV user group
UNDEF
The last resort, in case there is someone who doesn't fall into any of the above agent types.

For the agents that are groups, membership in the group confers the operations permitted by that ACL. For example, if the login joe is a member of the OS group dvregr, and OSGROUP dvregr has APPEND on a fsgroup, then joe may add ACLs to that fsgroup.

To bypass the ACL, you must be logged in on the host running vovserver as the user that is running vovserver, and you must change VOV_HOST_NAME to "localhost".

ACL Management

To perform ACL management, use a utility with the following syntax:
% vovacl [OPTIONS]  <Objects>

The following utilities are available for ACL management:

Utility  Description
vovacl   Script to manage ACLs in VOV.

ACL Commands

ACL management consists of the following commands:

Command  Description
APPEND   Add ACLs to an object.
DELETE   Delete an ACL element from an object. The element is identified by the agent and name fields.
GET      Get current ACLs on an object. It shows you the current ACLs that are associated with an object, if the ACL permits you to VIEW it.
RESET    Reset ACLs on an object to defaults. It removes all the object's current ACLs and replaces them with the default values:
         ACL  1: OWNER      ""   ATTACH DETACH EDIT VIEW FORGET DELEGATE EXISTS
         ACL  2: EVERYBODY  ""   ATTACH VIEW

ACL Actions

Following are the actions that can be controlled via ACLs:

Action    Description
ATTACH    Create a relationship between objects
CHOWN     Change ownership of an object
CREATE    Create an object
DELEGATE  Assign ACLs on an object
DETACH    Destroy a relationship between objects
EDIT      Modify properties of an object
EXISTS    The agent is aware of the existence of the object
FORGET    Forget an object
RESUME    Resume a suspended job
SIGNAL    Send a signal to a job
STOP      Stop an object
SUSPEND   Suspend an object
VIEW      View properties of an object

Note: Not all actions apply to all objects. In the case of FairShare groups, applicable actions include: ATTACH, EDIT, VIEW, DELEGATE. The actions RETRACE, STOP, SUSPEND, FORGET are reserved for use with jobs in future releases.
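
The following Python example is added here and is not part of the VOV software. It parses ACL entries in the format of the default ACL shown under RESET, computes the actions a user effectively holds by aggregating every agent that applies (as the vovacl usage message states), and reports what EVERYBODY holds beyond the default ATTACH VIEW. The identity dictionary, the quoted form of named agents, and entries 3 and 4 of the sample are assumptions.

```python
import re

# Entry format assumed from the default ACL lines shown under RESET.
ACL_LINE = re.compile(r'^\s*ACL\s+\d+:\s+(\S+)\s+"([^"]*)"\s*(.*)$')

# Constructed sample: entries 1-2 are the page's defaults, 3-4 are made up.
SAMPLE = '''\
ACL  1: OWNER      ""   ATTACH DETACH EDIT VIEW FORGET DELEGATE EXISTS
ACL  2: EVERYBODY  ""   ATTACH VIEW
ACL  3: OSGROUP    "dvregr"   STOP SUSPEND
ACL  4: EVERYBODY  ""   FORGET
'''

def parse_acl(text):
    """Return (agent_type, agent_name, actions) for every ACL line in text."""
    entries = []
    for line in text.splitlines():
        m = ACL_LINE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), set(m.group(3).split())))
    return entries

def agent_matches(agent, name, ident):
    """True if an ACL agent applies to ident (a hypothetical identity dict)."""
    if agent == "EVERYBODY":
        return True
    if agent == "USER":
        return name != "" and name == ident.get("user")
    if agent in ("OSGROUP", "FSGROUP", "USERGROUP"):
        return name in ident.get(agent.lower() + "s", ())
    if agent in ("OWNER", "ADMIN", "LEADER"):
        return agent in ident.get("roles", ())
    return False  # HOST, SERVER, UNDEF and unknown types: fail closed here

def effective_actions(entries, ident):
    """Union of the actions of every entry whose agent applies to ident."""
    allowed = set()
    for agent, name, actions in entries:
        if agent_matches(agent, name, ident):
            allowed |= actions
    return allowed

def broad_grants(entries, baseline=frozenset({"ATTACH", "VIEW"})):
    """Actions EVERYBODY holds beyond the default ATTACH VIEW."""
    return set().union(*(a - baseline for ag, _n, a in entries if ag == "EVERYBODY"))

if __name__ == "__main__":
    acl = parse_acl(SAMPLE)
    joe = {"user": "joe", "osgroups": {"dvregr"}}  # constructed identity
    print(sorted(effective_actions(acl, joe)), sorted(broad_grants(acl)))
```

In the sample, joe holds no role and is named in no entry, yet ends up with FORGET through EVERYBODY and STOP SUSPEND through his OS group, which is why a review has to look at every agent that can match a user rather than at the USER entries alone.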

Obtain SERVER Credentials

For some ACL operations, you will need the most powerful credentials, i.e. SERVER, which are only available to the owner of the vovserver process when connected on the loopback interface.
  • Log in on the vovserver host as the user that is running vovserver.
  • Enable the project with vovproject enable PROJECTNAME.
  • Change the VOV_HOST_NAME to localhost:
    % setenv VOV_HOST_NAME localhost
  • Now your clients act as the SERVER agent with respect to the ACL.

vovacl

vovacl: Usage Message

 DESCRIPTION:
  Manage access control lists (ACLs).

 USAGE:
    % vovacl [OPTIONS] <Object>

 OPTIONS:
    -h        -- This help
    -v        -- Increase verbosity 
    -agent    -- Association of specified ACL. One of the following types and 
                 formats. ACL capabilities for ALL pertinent agents for a 
                 given user are aggregated.
                     "USER name"             OS user name 
                     "FSGROUP name"          VOV FairShare group 
                     "USERGROUP" name        A VOV user group
                     "OSGROUP" name          Unix primary group (Linux only)
                      OWNER
                      ADMIN
                      LEADER 
                 Different VOV object types honor different subsets of the 
                 agents listed above. To see which apply, see the Agents Table 
                 below.     

    -actions  -- Capabilities list for this ACL, space delimited. A list of 
                 access control capabilities is shown in the Capabilities
                 Table below. 
    -append   -- Add specified capabilities to ACL for specified agent
    -set      -- Replace existing ACLs for specified agent
    -delete   -- Remove specified capabilities from specified agent
    -show     -- Show current ACL for specified objects.
    -reset    -- Reset ACL to default values

 OBJECTS:
     <setName>
     <fairshareGroupName>
     <vovId>  -- Where vovId can apply to a job, set, FairShare group, or 
                 resourcemap

 AGENTS TABLE
     The agents list specified with the -agent option is one of the following 
     that is valid for the object type.

     Agent Type               Type of Object

                    Set/Job        FS Group        Resourcemap

     USER              y              y                y 
     USERGROUP         n              n                y 
     FSGROUP           n              y                n 
     OSGROUP           y              n                n 
     OWNER             y              y                y 
     ADMIN             y              y                y 
     LEADER           n/a            n/a              n/a 
     EVERYBODY         y              y                y 

 CAPABILITIES TABLE
     The capabilities list specified with the -agent option is one of the 
     following that is valid for the object type.

     Capability Name               Type of Object

                        Set/Job        FS Group        Resourcemap

     ATTACH              n/a            attach           use
     CHOWN               n/a             n/a             n/a
     CREATE              n/a          create sub-group   n/a
     DELEGATE            n/a             n/a             n/a
     DETACH              n/a           detach            n/a
     EDIT               modify          modify          modify
     EXISTS          preq-for-all       prereq          prereq
     FORGET             delete          delete          delete
     RESUME             resume           n/a             n/a
     RETRACE             run             n/a             n/a
     SIGNAL             signal           n/a             n/a
     STOP              job stop          n/a             n/a
     SUSPEND           suspend           n/a             n/a
     VIEW               view             view            view               

 EXAMPLES:
   % vovacl -agent ADMIN -append -actions "VIEW RETRACE STOP FORGET" MySetName
   % vovacl -agent "USER cadmgr" -append -actions STOP  /system/processcontrol
   % vovacl -agent "USERGROUP designers" -append -actions STOP,FORGET DesignSet
   % vovacl -agent "OSGROUP designers" -append -actions STOP  00123456
   % vovacl -reset 00123456

 NOTE: The SUSPEND action is not applicable to an FSGROUP object.