NAME

PlugAuth::Role::Authz - Role for PlugAuth authorization plugins

VERSION

version 0.39

SYNOPSIS

 package PlugAuth::Plugin::MyAuthz;
 
 use Role::Tiny::With;
 
 with 'PlugAuth::Role::Plugin';
 with 'PlugAuth::Role::Authz';

 # implement at least: can_user_action_resource, match_resources,
 # host_has_tag, actions, groups_for_user, all_groups
 # and users_in_group
 
 # optionally implement: create_group, delete_group, update_group,
 # grant, revoke, granted, add_user_to_group
 # and remove_user_from_group
 
 1;

DESCRIPTION

Use this role when writing PlugAuth plugins that manage authorization (i.e. determine what an already-authenticated user is permitted to do). Authentication (checking who the user is) is handled by a separate plugin.

REQUIRED ABSTRACT METHODS

$plugin->can_user_action_resource( $user, $action, $resource )

If $user can perform $action on $resource, return a string containing the group and resource that permits this. Otherwise, return false.

$plugin->match_resources( $regex )

Given a regex, return all resources that match that regex.

$plugin->host_has_tag( $host, $tag )

Returns true if the given host has the given tag.

$plugin->actions

Returns a list of actions.

$plugin->groups_for_user( $user )

Returns the groups the given user belongs to.

$plugin->all_groups

Returns a list of all groups.

$plugin->users_in_group( $group )

Return the list of users (as an array ref) that belong to the given group. Each user belongs to a special group that is the same as their user name and just contains themselves, and this will be included in the list.

Returns undef if there is no such group.

OPTIONAL ABSTRACT METHODS

These methods may be implemented by your class.

$plugin->create_group( $group, $users )

Create a new group with the given users. $users is a comma separated list of user names.

$plugin->delete_group( $group )

Delete the given group.

$plugin->grant( $group, $action, $resource )

Grant the given group or user ($group) the authorization to perform the given action ($action) on the given resource ($resource).

$plugin->revoke( $group, $action, $resource )

Revoke from the given group or user ($group) the authorization to perform the given action ($action) on the given resource ($resource).

$plugin->granted

Returns a list of granted permissions.

$plugin->update_group( $group, $users )

Update the given group, setting the set of users that belong to that group. The existing group membership will be replaced with the new one. $users is a comma separated list of user names.

$plugin->add_user_to_group( $group, $user )

Add the given user to the given group. If you do not implement this method, but do implement the update_group method above, then the role supplies a default that fetches the current membership with users_in_group and writes the new membership back with update_group. There is a race condition if another process updates the group between those two calls (its change is silently overwritten), so it is better to implement this method yourself using whatever native locking mechanism your backing store provides.

This method should return the new list of users that belong to the given group.

$plugin->remove_user_from_group( $group, $user )

Remove the given user from the given group. If you do not implement this method, but do implement the update_group method above, then the role supplies a default that fetches the current membership with users_in_group and writes the new membership back with update_group. The same race condition as for add_user_to_group applies, so it is better to implement this method yourself using whatever native locking mechanism your backing store provides.

This method should return the new list of users that belong to the given group.
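The following is an added example, not code from PlugAuth itself, showing one in-memory implementation of every required method above and of the optional group and grant methods. The package name PlugAuth::Plugin::MemoryAuthz, the "grant on /foo covers /foo/bar" prefix rule, the "group resource" format of the string returned by can_user_action_resource and the format of the granted lines are all this example's own choices; PlugAuth::Role::Authz only fixes the method names, arguments and true/false/undef contracts described on this page. The role composition lines from the SYNOPSIS are shown as comments so that the file runs without PlugAuth installed.

```perl
package PlugAuth::Plugin::MemoryAuthz;
use strict;
use warnings;
# A real plugin composes the roles exactly as the SYNOPSIS shows:
#   use Role::Tiny::With;
#   with 'PlugAuth::Role::Plugin';
#   with 'PlugAuth::Role::Authz';
# Left out here so the example runs without PlugAuth installed.

sub new {
  my ($class) = @_;
  return bless {
    groups => {},   # group name => [ user names ]
    grants => [],   # { group => ..., action => ..., resource => ... }
    hosts  => {},   # host => { tag => 1 }
  }, $class;
}

sub _uniq { my %seen; return grep { !$seen{$_}++ } @_ }

# A grant on "/foo" also covers "/foo/bar" (this example's own convention).
sub _covers {
  my ($granted, $requested) = @_;
  return $requested eq $granted || index($requested, "$granted/") == 0;
}

# ---- required methods -------------------------------------------------
sub can_user_action_resource {
  my ($self, $user, $action, $resource) = @_;
  foreach my $g (@{ $self->{grants} }) {
    next unless $g->{action} eq $action && _covers($g->{resource}, $resource);
    # $g->{group} is either a group name or a user name (the user's own group)
    next unless $g->{group} eq $user
      || grep { $_ eq $user } @{ $self->{groups}{ $g->{group} } || [] };
    return "$g->{group} $g->{resource}";   # which grant permitted it
  }
  return 0;   # deny by default
}

sub match_resources {
  my ($self, $regex) = @_;
  # The pattern normally comes from an API client: compile it once and treat
  # an invalid pattern as "nothing matches" instead of dying in the server.
  my $re = eval { qr/$regex/ } or return ();
  return _uniq(grep { /$re/ } map { $_->{resource} } @{ $self->{grants} });
}

sub host_has_tag {
  my ($self, $host, $tag) = @_;
  return ($self->{hosts}{$host} && $self->{hosts}{$host}{$tag}) ? 1 : 0;
}

sub actions    { my $self = shift; return sort { $a cmp $b } _uniq(map { $_->{action} } @{ $self->{grants} }) }
sub all_groups { my $self = shift; return sort keys %{ $self->{groups} } }

sub groups_for_user {
  my ($self, $user) = @_;
  my @groups = grep { my $g = $_; grep { $_ eq $user } @{ $self->{groups}{$g} } }
               keys %{ $self->{groups} };
  return sort @groups, $user;   # every user is also in the group named after them
}

sub users_in_group {
  my ($self, $group) = @_;
  return [ @{ $self->{groups}{$group} } ] if $self->{groups}{$group};  # copy, not the live list
  return [ $group ] if $self->_is_known_user($group);                  # the user's own group
  return undef;                                                        # no such group
}

sub _is_known_user {
  my ($self, $user) = @_;
  return 1 if grep { $_ eq $user } map { @$_ } values %{ $self->{groups} };
  return 1 if grep { $_->{group} eq $user } @{ $self->{grants} };
  return 0;
}

# ---- optional methods -------------------------------------------------
sub update_group { my ($self, $group, $users) = @_; $self->{groups}{$group} = [ grep { length } split /\s*,\s*/, $users ]; return 1 }
sub create_group { my $self = shift; return $self->update_group(@_) }
sub delete_group { my ($self, $group) = @_; delete $self->{groups}{$group}; return 1 }
sub grant  { my ($self, $group, $action, $resource) = @_; push @{ $self->{grants} }, { group => $group, action => $action, resource => $resource }; return 1 }
sub revoke {
  my ($self, $group, $action, $resource) = @_;
  @{ $self->{grants} } = grep { !($_->{group} eq $group && $_->{action} eq $action && $_->{resource} eq $resource) } @{ $self->{grants} };
  return 1;
}
sub granted { my $self = shift; return map { "$_->{resource} ($_->{action}): $_->{group}" } @{ $self->{grants} } }

# Implemented directly instead of relying on the users_in_group + update_group
# fallback: one in-place mutation, so there is no read-then-write window for
# another writer. A file or database backend would do the same step inside
# its own lock or transaction.
sub add_user_to_group {
  my ($self, $group, $user) = @_;
  my $members = $self->{groups}{$group} or return undef;
  push @$members, $user unless grep { $_ eq $user } @$members;
  return [ @$members ];
}
sub remove_user_from_group {
  my ($self, $group, $user) = @_;
  my $members = $self->{groups}{$group} or return undef;
  @$members = grep { $_ ne $user } @$members;
  return [ @$members ];
}

package main;   # constructed demo data, not a real policy
my $authz = PlugAuth::Plugin::MemoryAuthz->new;
$authz->create_group('admins', 'alice, bob');
$authz->grant('admins', 'write', '/config');
$authz->grant('carol',  'read',  '/config/public');   # grant to carol's own group
$authz->remove_user_from_group('admins', 'bob');
for my $case (['alice', 'write', '/config/db'], ['bob', 'write', '/config'], ['carol', 'read', '/config/public']) {
  my $why = $authz->can_user_action_resource(@$case);
  printf "%-5s %-5s %-15s %s\n", @$case, $why ? "allowed by [$why]" : 'denied';
}
print 'carol is in: ', join(', ', $authz->groups_for_user('carol')), "\n";
```

Two points worth keeping when adapting this to a real backend: can_user_action_resource denies by default and returns the permitting grant as its true value, which is what you want to see in an audit log when a decision is questioned; and match_resources compiles a client-supplied pattern, so an invalid or pathological regex must not be allowed to take the server down.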

SEE ALSO

PlugAuth, PlugAuth::Guide::Plugin

AUTHOR

Graham Ollis <gollis@sesda3.com>

COPYRIGHT AND LICENSE

This software is copyright (c) 2012 by NASA GSFC.

This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself.