Manualshelf

OSF DCE Application Development Guide--Introduction and Style Guide

ManualsBrandsHP ManualsServerHP NonStop G-Series
41424344454647484950
OSF DCE Application Development Guide—Introduction and Style Guide
Nothing. The client chooses not to provide any authorization information.
From now on, it is the server’s decision, as implemented by the developer, how to
respond to the client’s requests for services and resources, depending on the security
information the server has learned about it. A non-ACL-based strategy may be
implemented using the client’s principal name string for lookups. The ACL-based
strategy, which is supported by a DCE interface, is described further in the next step.
1.7.2 Getting the Object’s ACL
This step is reached if the client requests access to any object, resource, or service that is
managed by the server, to which ACLs are attached. As previously mentioned, the
application must implement its own ACL manager if it wants to use ACLs to control
access to its resources. For further details on how to go about creating an ACL manager,
see Chapter 3.
In order to allow applications to as easily as possible offer an ACL interface that is
uniform with that used by the DCE components themselves, the remote ACL interface
has been built into the DCE library, and client applications can perform operations on
ACLs through another interface, also part of the DCE library, which calls through the
remote interface to the appropriate manager. The remote interface, consisting of
rdacl_*()calls, must be implemented by the server application; clients execute the local
sec_acl_*()routines, which are linked to every DCE application as part of libdce.
For the client, all that is necessary is to possess a binding to the object whose ACL is to
be operated on. As long as the application exposes the resources it manages as
accessible objects (via the namespace), then the DCE ACL interface provides for a
client’s being able to bind to the object by calling sec_acl_bind( ). (In fact, this kind of
object-oriented binding model can be very useful, and is discussed in further detail in
Chapter 4.) Note that the sec_acl_*() routines use an ACL handle to specify the object
whose ACL is to be accessed, so sec_acl_bind( ) must always be called to obtain this
handle, even if the client is already bound to the object’s server.
There is a user interface into the ACL operations, embodied in the acl_edit command.
For further information, see the OSF DCE Administration Reference.
Server applications can use the DCE ACL library routines to implement ACL
managers. The DCE ACL library is an implementation of the remote ACL (rdacl)
interface, designed in such a way as to allow any DCE application to use it instead of
having to implement the interface itself. In DCE 1.0, applications that wished to use the
DCE ACL functionality had to implement the full remote interface themselves; in DCE
1.1 this is no longer necessary. For further information, see Chapter 3.
1.7.3 Making the Authorization Decision
In this step, the server’s ACL manager inspects the ACL of the resource (object) under
question, determines whether the client is authorized for the requested access, and takes
1 32 Tandem Computers Incorporated 124246