acps_api.3 (2010 09)

acps_api(3) acps_api(3)
The subsequent calls to acps_setX() and acps_addX() essentially encode information into the handle in preparation for a call to acps_checkauth(). The five pieces of information encoded are as follows:
     Identity     Subject identification (for example, a username, uid, or X.500 DN) and associated attributes (for example, role, groups).
     Credentials  Subject credentials (for example, a password and/or Kerberos token).
     Operation    Operation and associated attributes.
     Object       Object and associated attributes.
     Environment  Environment attributes (for example, compartment ID, processor usage, and so forth).
For this information, the acps_setX() interfaces encode a single value into the handle. Subsequent calls to the same interface overwrite the previously written value. This is in contrast to the acps_addX() interfaces, which append the value to a chain of values. The acps_setX() interfaces are used for the values that uniquely identify an access control request. The acps_addX() interfaces are used for credentials and attributes, of which any number may be present.
The call to acps_checkauth() triggers an authorization request to be marshaled to the back-end modules based on the ACPS configuration. The back-end modules are able to retrieve the information stored in the handle as indicated in acps_spi(3).
One additional interface not shown in the above code fragment is the following optional interface that an application may choose to call if it receives ACPS_NEED_AUTHENTICATION from the acps_checkauth() call:

     char *acps_getreqcred(acp_handle_t h);

This function returns a string that indicates the type of credential that the policy requires. It is expected that an application may use this interface to request additional credentials from the user (when needed). The application can then add the credentials to the handle using acps_addsubcred() and then re-call acps_checkauth().
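The set/add distinction and the ACPS_NEED_AUTHENTICATION retry described above, as an added in-memory model that is not part of this manual page or of libacps_api: the demo_* names, the handle layout and the stub policy (which simply requires a "password" credential in the chain) are constructed for illustration only.

```c
/* Added illustration of the handle semantics described above: set-style
 * calls overwrite one slot, add-style calls append to a chain, and the
 * caller retries after NEED_AUTHENTICATION.  All demo_* names and the
 * stub policy are constructed for this example; none is libacps_api. */
#include <stdio.h>
#include <string.h>
enum { DEMO_ALLOW = 1, DEMO_DENY = 2, DEMO_NEED_AUTHENTICATION = 3 };
#define DEMO_MAX_CREDS 4
struct demo_handle {
    char subject[64];                   /* single value: last set wins */
    char credtype[DEMO_MAX_CREDS][16];  /* chain: every add is kept */
    int ncreds;
};
/* acps_setX()-style: a later call replaces the earlier value. */
static void demo_setsubject(struct demo_handle *h, const char *s)
{
    snprintf(h->subject, sizeof h->subject, "%s", s);
}
/* acps_addX()-style: the value is appended to the chain. */
static int demo_addsubcred(struct demo_handle *h, const char *type)
{
    if (h->ncreds >= DEMO_MAX_CREDS)
        return -1;
    snprintf(h->credtype[h->ncreds++], 16, "%s", type);
    return 0;
}
/* acps_getreqcred()-style: the credential type the stub policy wants. */
static const char *demo_getreqcred(const struct demo_handle *h)
{
    (void)h; return "password";
}
/* Stub policy (constructed): no subject means deny; otherwise the
 * required credential must be somewhere in the chain, else ask for it. */
static int demo_checkauth(const struct demo_handle *h)
{
    if (h->subject[0] == '\0')
        return DEMO_DENY;
    for (int i = 0; i < h->ncreds; i++)
        if (strcmp(h->credtype[i], demo_getreqcred(h)) == 0)
            return DEMO_ALLOW;
    return DEMO_NEED_AUTHENTICATION;
}
/* The documented retry: check, add the credential the policy names, check
 * again.  A real application would prompt the user in between. */
static int demo_authorize(struct demo_handle *h)
{
    int ret = demo_checkauth(h);
    if (ret == DEMO_NEED_AUTHENTICATION &&
        demo_addsubcred(h, demo_getreqcred(h)) == 0)
        ret = demo_checkauth(h);
    return ret;
}
```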
The ACPS API only accepts strings encoded in the C locale.
RETURN VALUE
The values returned by the ACPS API (as well as the ACPS SPI) are defined in acps (3).
EXAMPLES
The following example illustrates the use of the simplified interface in a sample application:
     #include <stdio.h>
     #include <stdlib.h>        /* exit() */
     #include <libacps_api.h>

     int
     main(int argc, char **argv)
     {
         int ret;

         if (argc != 4) {
             fprintf(stderr, "Usage: chkauth username operation object\n");
             exit(1);
         }

         /* Subject, operation and object are passed directly; the
          * simplified interface builds the handle internally. */
         ret = acps_simplecheckauth(argv[1], argv[2], argv[3]);
         if (ret == ACPS_ALLOW) {
             printf("Access Allowed\n");
         }
         else if (ret == ACPS_DENY) {
             printf("Access Denied\n");
         }
         else {
             /* Any other value is an error code; see acps(3). */
             printf("Error returned: %d\n", ret);
         }
         return 0;
     }
2 Hewlett-Packard Company 2 HP-UX 11i Version 3: September 2010