summaryrefslogtreecommitdiffstats
path: root/doc/examples/agent/rbac.json
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-21 14:53:22 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-21 14:53:22 +0000
commit52c021ee0b0c6ad2128ed550c694aad0d11d4c3f (patch)
tree83cf8627b94336cf4bee7479b9749263bbfd3a06 /doc/examples/agent/rbac.json
parentInitial commit. (diff)
downloadisc-kea-52c021ee0b0c6ad2128ed550c694aad0d11d4c3f.tar.xz
isc-kea-52c021ee0b0c6ad2128ed550c694aad0d11d4c3f.zip
Adding upstream version 2.5.7.upstream/2.5.7upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'doc/examples/agent/rbac.json')
-rw-r--r--doc/examples/agent/rbac.json90
1 files changed, 90 insertions, 0 deletions
diff --git a/doc/examples/agent/rbac.json b/doc/examples/agent/rbac.json
new file mode 100644
index 0000000..1ac2453
--- /dev/null
+++ b/doc/examples/agent/rbac.json
@@ -0,0 +1,90 @@
+// This is an example of a configuration for Control-Agent (CA) using
+// the Role Based Access Control (RBAC) hook library.
+{
+ "Control-agent":
+ {
+ // We need to specify where the agent should listen to incoming HTTP
+ // queries.
+ "http-host": "127.0.0.1",
+
+ // If enabling HA and multi-threading, the 8000 port is used by the HA
+ // hook library http listener. When using HA hook library with
+ // multi-threading to function, make sure the port used by dedicated
+ // listener is different (e.g. 8001) than the one used by CA. Note
+ // the commands should still be sent via CA. The dedicated listener
+ // is specifically for HA updates only.
+ "http-port": 8000,
+
+ // TLS trust anchor (Certificate Authority). This is a file name or
+ // (for OpenSSL only) a directory path.
+ "trust-anchor": "my-ca",
+
+ // TLS server certificate file name.
+ "cert-file": "my-cert",
+
+ // TLS server private key file name.
+ "key-file": "my-key",
+
+ // TLS require client certificates flag. Default is true and means
+ // require client certificates. False means they are optional.
+ "cert-required": true,
+
+ // Add hooks here.
+ "hooks-libraries": [
+ {
+ "library": "/opt/lib/libca_rbac.so",
+ "parameters": {
+ // This section configures the RBAC hook library.
+ // Mandatory parameters.
+ "assign-role-method": "cert-subject",
+ "api-files": "/opt/share/kea/api",
+ // Optional parameters.
+ "require-tls": true,
+ "commands": [
+ {
+ "name": "my-command",
+ "access": "read",
+ "hook": "my-hook"
+ } ],
+ "access-control-lists": [
+ {
+ "my-none": { "not": "ALL" }
+ },{
+ "another-none": { "and": [ "ALL", "NONE" ] }
+ },{
+ "my-read": { "access": "read" }
+ } ],
+ "roles": [
+ {
+ "name": "kea-client",
+ "accept-commands":
+ {
+ "commands": [ "list-commands", "status-get" ]
+ },
+ "reject-commands": "NONE",
+ "other-commands": "reject",
+ "list-match-first": "accept",
+ "response-filters": [ "list-commands" ]
+ },{
+ "name": "admin",
+ "accept-commands": "ALL",
+ "reject-commands":
+ {
+ "hook": "cb_cmds"
+ },
+ "list-match-first": "reject"
+ } ],
+ "default-role":
+ {
+ "accept-commands": "NONE",
+ "reject-commands": "ALL"
+ },
+ "unknown-role":
+ {
+ "accept-commands": "READ",
+ "reject-commands": "WRITE"
+ }
+ }
+ } ]
+ }
+}