dacsacl - list, check, or re-index access control rules
[ dacsoptions] [-build | -nobuild]
[-vfs vfs_uri] [...] [op-spec]
This program is part of the DACS
utility performs administrative functions related to access
control, such as:
•validating the syntax of ACL files
(parsing the XML and DACS expressions);
•checking that the revocation list (VFS
type revocations) exists and performing a syntax check on it;
•creating an index (a directory data
structure, as an XML file) of access control files; and
•listing and deleting access tokens in
the authorization cache (refer to dacs_acs(8)).
Please refer to dacs.acls(5)
 for details about how access control rule
files are named.
Version 1.4.21 introduced important changes to the way DACS
access control files, introducing incompatibilities with earlier releases.
Please pay special attention to the -convert
Most importantly, after adding, deleting, or editing an access control file the
ACL index must be regenerated. This can be done simply by running
with no arguments.
•So that it can be run as part of the
installation procedure, dacsacl does not require dacs.conf to exist. If
it does exist, however, it must be readable and syntactically correct.
•The program emits a warning message if
it finds different ACL files that contain identical url_pattern (or url_expr)
attributes. It does not detect pairs of these attributes that are equivalent,
however; in general, it is not possible to do so because the actual
specifications used to match against a service request are not known until run
time. Two or more service elements should never apply to the same service
request (other than through wildcard matching) and the result of authorization
testing with such rules is indeterminate.
•The dacs_admin(8) web
service provides some of the same functionality as dacsacl.
In addition to the standard dacsoptions
recognizes these options:
Index rebuilding is done by default with most
modes of operation, but it can be explicitly requested with this flag. If the
flag is given, it is not an error if an index file does not exist (as when
initially creating an index).
Suppress index rebuilding.
This flag, which may be repeated, causes
to be defined as if by a VFS
 directive, overriding
any existing definition. This can be used to specify an alternate location for
the item types acls or dacs_acls, for instance. As a special case, if acls
(dacs_acls) is defined using this flag but not dacs_acls (acls), then only the
former's index will be rebuilt.
This option can be useful in conjunction with the -un
 flag so
that indexes can be generated before a jurisdiction has been configured.
The optional op-spec
describes one of the following operations:
This flag is used to convert from the older
rule processing scheme (pre-1.4.21) to the current scheme. It should only be
needed by installations that are using custom rules (i.e., those other than
the standard rules for DACS web pages and web services). Note that in
some cases (described below) conversion is not fully automated, so the
administrator may need to do some additional work.
This flag is a no-op that is used to prevent
any following argument from being interpreted as a flag or operation.
Each file argument is the pathname of
an ACL file or a directory containing ACL files. Since ACL files can be
organized using a directory structure, directories are checked
List the full URI of each access control rule
in the virtual filestore for item types acls and dacs_acls. No error checking
List the name (sans prefixes) of each access
control rule in the virtual filestore for item types acls and dacs_acls. No
error checking is performed.
Clean up the authorization cache by deleting
expired or otherwise invalid entries. Note: since there may not be any
concurrency control in effect, this should probably not be done while
DACS could be writing to the file.
Delete one or more authorization cache entries
by giving their integer listing number (starting at 1, as produced by the
-tl flag). Note: since there may not be any concurrency control in
effect, this should probably not be done while DACS could be writing to
List the entries in the authorization
Truncate the authorization cache, effectively
deleting everything in the cache. This is not currently implemented; in the
meantime, simply delete the file or database, or copy /dev/null to it.
If one or more acl-name
arguments appear they are interpreted as ACL
files accessed through DACS's
virtual filestore using item types acls
and dacs_acls (both are checked). The applicable DACS
the item type determines how an acl-name
will be accessed. Note that
must be the actual filename.
If no op-spec
is specified, dacsacl
examine all currently indexed ACL files configured for the appropriate
The following command checks all of the access control rules belonging to the
jurisdiction associated with dss.example.com:
% dacsacl -u dss.example.com -v
(Note: duplicate keys for "acl-auth.0" and "acl-conf.0")
(Note: duplicate keys for "acl-conf.0" and "acl-dacs.0")
(Note: duplicate keys for "acl-dacs.0" and "acl-passwd.0")
(Note: duplicate keys for "acl-passwd.0" and "acl-stddocs.0")
Updated rule: [acls]dacs-fs:/usr/local/dacs/conf/acls/acl-abc.0
Updated rule: [acls]dacs-fs:/usr/local/dacs/conf/acls/acl-accounts.0
Built index for "acls": 44 rules
Updated rule: [dacs_acls]dacs-fs:/usr/local/dacs/acls/acl-admin.0
Updated rule: [dacs_acls]dacs-fs:/usr/local/dacs/acls/acl-auth-agent.0
Built index for "dacs_acls": 14 rules
58 ACL files were checked (OK)
While it is not an error for access control rules to have the same numeric
suffix, because the suffix partly determines the order in which roles are
processed, using equal suffix values accidentally may have unintended results.
The following command checks only one access control rule belonging to the
jurisdiction associated with dss.example.com:
% dacsacl -u dss.example.com -v acl.2
1 ACL file was checked (OK)
In general, to validate and index a set of rules placed in the directory
% dacsacl -un -q -build -vfs "[dacs_acls]file:///tmp/rules"
The program exits 0 if everything was fine, 1 if an error occurred.
Distributed Systems Software ( www.dss.ca
Copyright2003-2016 Distributed Systems Software. See the LICENSE
that accompanies the distribution for licensing information.