security-control.h File Reference

Allows the update of the Server security store, which controls roles and path permissions. More...

Data Structures
struct	security_store_role_s
struct	security_store_s
struct	get_security_store_params_s
	Structure passed when requesting the security store. More...
struct	update_security_store_params_s
	Structure passed when updating the security store. More...

Typedefs
typedef int(*	on_get_security_store_cb) (SESSION_T *session, const SECURITY_STORE_T store, void *context)
	Callback for get_security_store().
typedef struct get_security_store_params_s	GET_SECURITY_STORE_PARAMS_T
	Structure passed when requesting the security store.
typedef int(*	on_update_security_store_cb) (SESSION_T *session, const LIST_T *error_reports, void *context)
	Callback for update_security_store().
typedef struct update_security_store_params_s	UPDATE_SECURITY_STORE_PARAMS_T
	Structure passed when updating the security store.

Enumerations
enum	GLOBAL_PERMISSIONS_T {   GLOBAL_PERMISSION_AUTHENTICATE , GLOBAL_PERMISSION_VIEW_SESSION , GLOBAL_PERMISSION_MODIFY_SESSION , GLOBAL_PERMISSION_REGISTER_HANDLER ,   GLOBAL_PERMISSION_VIEW_SERVER , GLOBAL_PERMISSION_CONTROL_SERVER , GLOBAL_PERMISSION_VIEW_SECURITY , GLOBAL_PERMISSION_MODIFY_SECURITY ,   GLOBAL_PERMISSION_UNKNOWN , GLOBAL_PERMISSION_READ_TOPIC_VIEWS , GLOBAL_PERMISSION_MODIFY_TOPIC_VIEWS }
	Permissions that protect globally scoped, access-controlled operations. More...
enum	PATH_PERMISSIONS_T {   PATH_PERMISSION_READ_TOPIC , PATH_PERMISSION_UPDATE_TOPIC , PATH_PERMISSION_MODIFY_TOPIC , PATH_PERMISSION_SEND_TO_MESSAGE_HANDLER ,   PATH_PERMISSION_SEND_TO_SESSION , PATH_PERMISSION_SELECT_TOPIC , PATH_PERMISSION_QUERY_OBSOLETE_TIME_SERIES_EVENTS , PATH_PERMISSION_EDIT_TIME_SERIES_EVENTS ,   PATH_PERMISSION_EDIT_OWN_TIME_SERIES_EVENTS , PATH_PERMISSION_ACQUIRE_LOCK , PATH_PERMISSION_UNKNOWN , PATH_PERMISSION_EXPOSE_BRANCH }

Functions
SECURITY_STORE_T *	security_store_create (void)
	Create a new, empty security store structure.
void	security_store_free (SECURITY_STORE_T *store)
	Free all memory associated with a security store structure.
SECURITY_STORE_T *	security_store_dup (const SECURITY_STORE_T *store)
	The returned structure is unsynchronized, so appropriate mutexes should be use if the structure is to be used concurrently.
void	get_security_store (SESSION_T *session, const GET_SECURITY_STORE_PARAMS_T params)
	Get the server's security store.
char **	get_security_default_anonymous_roles (const SECURITY_STORE_T store)
	Get the default roles for anonymous connections.
char **	get_security_default_named_roles (const SECURITY_STORE_T store)
	Get the default roles for connections made with a principal.
char **	get_security_role_names (const SECURITY_STORE_T store)
	Get the names of all roles defined in the security store.
char **	get_security_isolated_paths (const SECURITY_STORE_T store)
	Get the isolated paths defined in the security store.
char **	get_security_included_roles (const SECURITY_STORE_T store, const char *role_name)
	Get the names of other roles that this role includes.
GLOBAL_PERMISSIONS_T **	get_security_global_permissions (const SECURITY_STORE_T store, const char *role_name)
	Get an array of global permissions assigned to a role.
PATH_PERMISSIONS_T **	get_security_default_path_permissions (const SECURITY_STORE_T store, const char *role_name)
	Get the default path permissions assigned to a role.
PATH_PERMISSIONS_T **	get_security_path_permissions (const SECURITY_STORE_T store, const char *role_name, const char *topic_name)
	Get the path permissions assigned to a role, for a specified topic.
void	update_security_store (SESSION_T *session, const UPDATE_SECURITY_STORE_PARAMS_T params)
	Send updates to the security store.
SCRIPT_T *	update_security_store_global_role_permissions (SCRIPT_T *script, const char *role_name, const SET_T *permissions)
	Updates a script to assign global permissions to a security role.
SCRIPT_T *	update_security_store_default_path_permissions (SCRIPT_T *script, const char *role_name, const SET_T *permissions)
	Updates a script to assign default path permissions to a security role.
SCRIPT_T *	update_security_store_path_permissions (SCRIPT_T *script, const char *role_name, const char *path, const SET_T *permissions)
	Updates a script to assign permissions for named role and topic.
SCRIPT_T *	update_security_store_remove_path_permissions (SCRIPT_T *script, const char *role_name, const char *path)
	Updates a script to remove permissions for a named role and topic.
SCRIPT_T *	update_security_store_include_roles (SCRIPT_T *script, const char *role_name, const LIST_T *included_roles)
	Updates a script to include other roles within a role.
SCRIPT_T *	update_security_store_role_locked_by_principal (SCRIPT_T *script, const char *role_name, const char *locking_principal)
	Updates a script to restrict a role so it can only be edited by a specific principal.
SCRIPT_T *	update_security_store_named_session_roles (SCRIPT_T *script, const LIST_T *roles)
	Updates a script to set the roles assigned to named sessions.
SCRIPT_T *	update_security_store_anonymous_session_roles (SCRIPT_T *script, const LIST_T *roles)
	Updates a script to set the roles assigned to anonymous sessions.
SCRIPT_T *	update_security_store_isolate_path (SCRIPT_T *script, const char *path)
	Set a path not to inherit path permissions from its parent paths or the default path permissions.
SCRIPT_T *	update_security_store_deisolate_path (SCRIPT_T *script, const char *path)
	Re-instate inheritance of path permission assignments from parents of the given path.

Detailed Description

Allows the update of the Server security store, which controls roles and path permissions.

Typedef Documentation

on_get_security_store_cb

typedef int(* on_get_security_store_cb) (SESSION_T *session, const SECURITY_STORE_T store, void *context)

Callback for get_security_store().

Parameters

session	The current active session.
response	The response containing the security store contents. This structure will be freed on exit so a copy should be taken if it needs to be used outside of the scope of the callback.
context	User-supplied context from the get_security_store() call.

Returns

HANDLER_SUCCESS or HANDLER_FAILURE.

on_update_security_store_cb

typedef int(* on_update_security_store_cb) (SESSION_T *session, const LIST_T *error_reports, void *context)

Callback for update_security_store().

Parameters

session	The current active session.
error_reports	Any errors that have occurred while processing the updated.
context	User-supplied context from the update_security_store() call.

Returns

HANDLER_SUCCESS or HANDLER_FAILURE.

Enumeration Type Documentation

GLOBAL_PERMISSIONS_T

enum GLOBAL_PERMISSIONS_T

Permissions that protect globally scoped, access-controlled operations.

Enumerator
GLOBAL_PERMISSION_AUTHENTICATE	Add an authentication handler.
GLOBAL_PERMISSION_VIEW_SESSION	List or listen to client sessions.
GLOBAL_PERMISSION_MODIFY_SESSION	Alter a client session. This covers a range of actions including: subscribe session to a topic enable conflation for a sessioh close session
GLOBAL_PERMISSION_REGISTER_HANDLER	Required to register any server side handler.
GLOBAL_PERMISSION_VIEW_SERVER	View the server's runtime state - for example, read JMX MBeans.
GLOBAL_PERMISSION_CONTROL_SERVER	Change the server's runtime state - for example, shut it down.
GLOBAL_PERMISSION_VIEW_SECURITY	Read the security configuration.
GLOBAL_PERMISSION_MODIFY_SECURITY	Change the security configuration.
GLOBAL_PERMISSION_UNKNOWN	A permission that is unsupported by the session.
GLOBAL_PERMISSION_READ_TOPIC_VIEWS	Read topic views.
GLOBAL_PERMISSION_MODIFY_TOPIC_VIEWS	Modify topic views.

PATH_PERMISSIONS_T

enum PATH_PERMISSIONS_T

Since

6.5 Permissions protecting access-controlled operations that are evaluated for a specific path.

Enumerator
PATH_PERMISSION_READ_TOPIC	Required to receive information from a topic. If a session does not have read_topic permission for a topic, the topic will be excluded from the results of subscription or fetch operations for the session, and the topic's details cannot be retrieved by the session.
PATH_PERMISSION_UPDATE_TOPIC	Update a topic.
PATH_PERMISSION_MODIFY_TOPIC	Add a topic or remove a topic.
PATH_PERMISSION_SEND_TO_MESSAGE_HANDLER	Send a message to a handler registered with the server.
PATH_PERMISSION_SEND_TO_SESSION	Send a message to a client session.
PATH_PERMISSION_SELECT_TOPIC	Use a topic selector that selects the topic path. A session must have this permission of any topic selector used to subscribe or fetch. When the subscription or fetch request completes, the resulting topics are further filtered based on the PATH_PERMISSION_READ_TOPIC permission. A session that has PATH_PERMISSION_READ_TOPIC but not PATH_PERMISSION_SELECT_TOPIC for a particular topic path cannot subscribe directly to topics belonging to the path. However, the session can be independently subscribed by a control session that has GLOBAL_PERMISSION_MODIFY_SESSION permission in addition to the appropriate PATH_PERMISSION_SELECT_TOPIC permission.
PATH_PERMISSION_ACQUIRE_LOCK	Acquire a session lock.
PATH_PERMISSION_UNKNOWN	A permission that is unsupported by the session.