Template Version: @(#)sac_nextcase 1.64 07/13/07 SMI
This information is Copyright 2009 Sun Microsystems

1. Introduction

    1.1. Project/Component Working Name:
         Python interface to privileges(5) & rbac(5)

    1.2. Name of Document Author/Supplier:
         Author: John Sonnenschein

    1.3. Date of This Document:
         05 October, 2009

4. Technical Description

    4.1. Introduction

    Forthcoming work requires access to the privileges(5) family of
    functions and to the user_attr, exec_attr and auth_attr databases
    from Python. This case introduces the privileges and rbac Python
    modules.

    This case will deliver for Python 2.6 as well as 2.4 despite its
    obsolescence, so that it may be used in projects depending on 2.4
    (such as pkg(5)). Minor binding is requested.

    4.2. Python docstrings will reflect the following interface
         descriptions:

    Python 'privileges' module
    --------------------------

    Classification is 'Committed'.

    Provides functions for interacting with the Solaris privileges(5)
    framework.

    FUNCTIONS

    setppriv: facilitates setting the permitted/inheritable/limit/
              effective privilege set.
        Arguments: one of (PRIV_ON|PRIV_OFF|PRIV_SET),
                   one of (PRIV_PERMITTED|PRIV_INHERITABLE|PRIV_LIMIT|
                           PRIV_EFFECTIVE),
                   set of privileges: a Python list of strings
        Returns:   True on success, False on failure

    getppriv:
        Arguments: one of (PRIV_PERMITTED|PRIV_INHERITABLE|PRIV_LIMIT|
                           PRIV_EFFECTIVE)
        Returns:   a Python list of strings

    priv_ineffect:
        Arguments: a Python string
        Returns:   True if the privilege is in effect, False otherwise

    priv_inverse:
        Arguments: a Python list of strings
        Returns:   a Python list of strings, the inverted privilege set
                   of argument 0

    Many of the privileges(5) functions are not provided, as standard
    Python set operations provide the functionality natively.

    Python 'rbac' module
    --------------------

    Classification is 'Committed'.

    Provides functions for interacting with the Solaris RBAC(5)
    framework via the user_attr, auth_attr & exec_attr databases.

    CLASSES

    authattr - provides interfaces to the auth_attr database.
               May be iterated over to return all auth_attr entries,
               i.e. "for entry in authattr:".

        FUNCTIONS

        setauthattr: "rewinds" the auth_attr functions to the first
                     entry in the db. Called automatically by the
                     constructor.
            Arguments: None
            Returns:   None

        endauthattr: closes the auth_attr database and cleans up
                     storage. Called automatically by the destructor.
            Arguments: None
            Returns:   None

        chkauthattr: verifies if a user has a given authorization.
            Arguments: 2 Python strings, 'authname' and 'username'
            Returns:   True if the user is authorized, False otherwise

        getauthattr: returns one entry from the auth_attr database.
            Arguments: None
            Returns:   a dict representing the authattr_t struct,
                       explained thusly:
                       "name":       Authorization Name
                       "res1":       reserved
                       "res2":       reserved
                       "short":      Short Description
                       "long":       Long Description
                       "attributes": a Python dict keyed by attribute &
                                     valued as either a list or a
                                     string depending on value

        getauthnam: searches the auth_attr database for a given
                    authorization name.
            Arguments: a Python string containing the auth name
            Returns:   an auth_attr entry in the form of a dict,
                       explained as above

    execattr - provides interfaces to the exec_attr database.
               May be iterated over to return all exec_attr entries.

        FUNCTIONS

        setexecattr: "rewinds" the exec_attr functions to the first
                     entry in the db. Called automatically by the
                     constructor.
            Arguments: None
            Returns:   None

        endexecattr: closes the exec_attr database and cleans up
                     storage. Called automatically by the destructor.
            Arguments: None
            Returns:   None

        getexecattr: returns a single exec_attr entry.
            Arguments: None
            Returns:   a dict representation of an execattr_t struct:
                       "name":       Authorization Name
                       "type":       Profile Type
                       "policy":     Policy the attributes are relevant in
                       "res1":       reserved
                       "res2":       reserved
                       "id":         unique identifier
                       "attributes": a Python dict keyed by attribute &
                                     valued as either a list or a
                                     string depending on value

        getexecuser: returns a list of entries that match the type and
                     id arguments and have a profile that has been
                     assigned to the user specified by username.
            Arguments: 3 Python strings, 'username', 'type', and 'id'
            Returns:   a Python list with elements of the dict
                       described above

        getexecprof: returns a list of entries that match the type and
                     id arguments and have the profile specified by the
                     profname argument.
            Arguments: 3 Python strings, 'profname', 'type', and 'id'
            Returns:   a Python list with elements of the dict
                       described above

    userattr - provides interfaces to the user_attr database.
               May be iterated over to return all user_attr entries.

        FUNCTIONS

        setuserattr: "rewinds" the user_attr functions to the first
                     entry in the db. Called automatically by the
                     constructor.
            Arguments: None
            Returns:   None

        enduserattr: closes the user_attr database and cleans up
                     storage. Called automatically by the destructor.
            Arguments: None
            Returns:   None

        getuserattr: returns a single user_attr entry.
            Arguments: None
            Returns:   a dict representation of a userattr_t struct:
                       "name":       username
                       "qualifier":  reserved
                       "res1":       reserved
                       "res2":       reserved
                       "attributes": a Python dict keyed by attribute &
                                     valued as either a list or a
                                     string depending on value

        fgetuserattr: returns a single user_attr entry from a file,
                      bypassing nsswitch.conf.
            Arguments: a Python string representing the path of the file
            Returns:   a userattr_t struct dict as above

        getusernam: searches for a user_attr entry with a given user
                    name.
            Arguments: a Python string
            Returns:   a userattr_t struct dict as above

        getuseruid: searches for a user_attr entry with a given uid.
            Arguments: a Python int
            Returns:   a userattr_t struct dict as above

    4.3. References

    PSARC/2005/532 - Python migration from /usr/sfw to /usr and upgrade
                     to v2.4.x
    PSARC/2008/243 - Python interface to ucred_get(3C)/getpeerucred(3C)
    PSARC/2008/514 - Python interface to dlpi(7P)

6. Resources and Schedule

    6.4. Steering Committee requested information

        6.4.1. Consolidation C-team Name:
               JDS

    6.5. ARC review type: FastTrack

    6.6. ARC Exposure: open
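The three record layouts documented in section 4.2 correspond to the colon-separated text format of the auth_attr(4), exec_attr(4) and user_attr(4) files. The following is an added example, not part of this case or of the rbac module's own (C-backed) implementation: it parses constructed sample records into the dict shapes section 4.2 describes, including the list-or-string rule for the "attributes" field. The field order is taken from the respective (4) man pages and the sample records are invented for illustration.

```python
"""Turn auth_attr/exec_attr/user_attr text records into the dict layouts
that PSARC case section 4.2 gives for authattr_t, execattr_t and userattr_t.

Illustration only: the rbac module itself obtains these records through
the C getauthattr()/getexecattr()/getuserattr() functions, so it honours
nsswitch.conf; this file only reproduces the documented output shape.
"""

# Fixed (non-attribute) fields of each database, in file order, named with
# the exact dict keys used in section 4.2. The trailing attr field is
# handled separately because it is itself a structured value.
FIELDS = {
    "auth_attr": ("name", "res1", "res2", "short", "long"),
    "exec_attr": ("name", "policy", "type", "res1", "res2", "id"),
    "user_attr": ("name", "qualifier", "res1", "res2"),
}


def parse_attributes(text):
    """'k=v1,v2;k2=v' -> {'k': ['v1', 'v2'], 'k2': 'v'}.

    A value becomes a Python list only when it is comma-separated;
    otherwise it stays a plain string ("list or string depending on value").
    """
    attrs = {}
    for pair in filter(None, text.split(";")):
        key, _, value = pair.partition("=")
        attrs[key] = value.split(",") if "," in value else value
    return attrs


def parse_entry(database, line):
    """Return the section-4.2 dict for one record of `database`.

    Raises ValueError on a record with the wrong number of fields rather
    than silently producing a partially filled entry.
    """
    fixed = FIELDS[database]
    parts = line.rstrip("\n").split(":", len(fixed))  # last part = attr
    if len(parts) != len(fixed) + 1:
        raise ValueError("malformed %s record: %r" % (database, line))
    entry = dict(zip(fixed, parts[:-1]))
    entry["attributes"] = parse_attributes(parts[-1])
    return entry


# Constructed sample records (not copied from any real system database).
SAMPLE_AUTH = "solaris.admin.usermgr.:::User Accounts::help=AuthUsermgrHeader.html"
SAMPLE_EXEC = "Audit Control:solaris:cmd:::/usr/sbin/audit:privs=sys_audit,proc_audit"
SAMPLE_USER = "operator::::profiles=Printer Management,Operator;type=normal"
```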