OSF DCE Application Development Guide--Introduction and Style Guide

ManualsBrandsHP ManualsServerHP NonStop G-Series

241

242

243

244

245

246

247

248

249

250

A Sample Application

/* by calling dce_db_fetch_by_uuid(). */

/* */

/* 3. Extract the ACL UUID from the correct field in the object */

/* data structure. */

/* */

/* ...These steps can be seen in sample_resolve_by_name(), the */

/* purpose of which is to return an ACL UUID when given an object */

/* name; the permission lists in effect for the object can then be */

/* accessed and checked against some set of permissions presented */

/* by a prospective accessor. */

/* */

/* Once the ACL library has gotten from us the UUID that identifies */

/* the ACL on the object it wants to investigate the permissions */

/* on, it’s up to it to go on to retrieve the ACL itself, using */

/* the UUID to do so. It is able to do this because we have reg- */

/* istered our ACL database via the dce_acl_register_object_type() */

/* call (this is also, by the way, where our *(resolver)() routine */

/* is registered). So the runtime can extract the ACL information, */

/* compare it with the permissions presented by the entity that’s */

/* trying to access the object in question, and allow, or not al- */

/* low, the operation to proceed accordingly. */

/* */

/* The way to test whether our sample ACLs have been set up cor- */

/* rectly or not would be to try to do various things to them via */

/* acl_edit. */

/* */

/* Note that the registration procedures described here are only to */

/* set up an application’s ACL manager so that it is accessible */

/* via acl_edit (and, I suppose, dced and dcecp). In situations */

/* where a client in contact with the application server itself is */

/* trying to perform some operation, it is the responsibility of */

/* the application code itself to check the client’s authorization */

/* and make the correct decision as to access. Note though that it */

/* does this through the dce_acl_is_client_authorized() call, */

/* which again can work only if you have correctly registered the */

/* application’s manager. For an example of using this call see */

/* the sample_call() code in sample_manager.c; it is also called */

/* by sample_mgmt_auth(), below in this file. */

/* */

/* To sum up, then, there are basically three avenues of access */

/* that an application has to provide for when setting up an ACL */

/* manager: */

/* */

/* 1. Access by clients to the server via the remote mgmt */

/* interface. This is handled by setting up a mgmt call- */

/* back routine that will be automatically invoked by the */

/* runtime whenever a remote mgmt access is attempted. Our */

/* callback routine is sample_mgmt_auth(), below, and it is */

/* registered by a call to rpc_mgmt_set_authorization(). */

/* */

/* 2. Access by entities of any kind via acl_edit. This is */

/* handled by the mechanisms described above, which are */

/* set up by the call to dce_acl_register_object_type(). */

/* */

124246 Tandem Computers Incorporated A− 39