TellmeSchema.pm - Tellme specific schema filters
In verdad.conf, say "schema-check = TellmeSchema.pm"
itemLint checks for things we know should be true for Tellme's items.
itemExpand adds tags which should be computed based on the other tags in the item.
hasPerms checks permissions using the following philosophy:
Groups of users can be defined within items with the tag "verdad-group = true". All permission information is contained within items with the tag "verdad-acl = true".
Each verdad-group item should contain tags where the name of the tag is the name of the group and the value of the tag is the list of users in that group. A group can be referenced in place of a username by prefixing the group name with an "@".
Each verdad-acl item should contain an acl-type tag and an acl-name tag. The acl-type tag should be set to "verdad-item" for an item ACL or "verdad-tag" for a tag ACL. The acl-name tag lists all the names of the items/tags that should be restricted. If the name starts with a "~" then it's treated as a regular expression, otherwise it's a full string match.
ACLs are specified with the acl-write, acl-add, acl-modify and acl-delete tags. Each tag lists all usernames that are allowed that kind of access. A "*" matches all users. Adding someone to acl-write is just shorthand for adding them to acl-add, acl-modify, and acl-delete. If no acl-* tags are specified, then no one has access. A verdad-group can be referenced, instead of a username, by prefixing the group name with an "@".
Since there are no explicit denial lists, if a permission check request matches multiple defined ACLs (perhaps multiple regular expressions happen to match a given check), a user just needs to have access on one of the ACLs to be granted access.
Some examples of verdad-group and verdad-acl in action:
    # create a couple of groups
    item verdad-acl-groups
        dc-ops = (desl alain jadams doug martins krysta)
        infeng = (bryan tjs djs karl mary natefair hpaul)
        netops = (@security @infeng @noc @dc-ops)
        noc = (marty dkubasak schrader courtenay raymond isaac)
        security = hso
        verdad-group = true

    # This limits all '^verdad-acl-' items
    # by giving write access to the security group
    item verdad-acl-default
        acl-name = "~^verdad-acl-"
        acl-write = @security
        acl-type = verdad-item
        verdad-acl = true

    # this restricts all '^accessible-by' items
    # to the list above as well giving bryan and
    # tjs write access
    item verdad-acl-accessible-by
        acl-name = "~^accessible-by"
        acl-write += (bryan tjs)
        acl-type = verdad-item
        is = verdad-acl-default

    # this limits the verdad-acl tag to be
    # accessible by those inherited from
    # verdad-acl-default
    item verdad-acl-tags
        acl-name = (verdad-acl verdad-group)
        acl-type = verdad-tag
        is = verdad-acl-default

    # this limits the users and admin-users
    # tags like above, but gives dc-ops
    # the ability to initially add these
    # tags to items
    item verdad-acl-user-tags
        acl-add = @dc-ops
        acl-name = (users admin-users)
        acl-type = verdad-tag
        is = verdad-acl-default
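To make the hasPerms rules concrete, the following is an added Python model of that philosophy, loaded with the example group and ACL items above. It is not TellmeSchema.pm's code and calls no Verdad API; it is a stand-alone re-statement of the rules. Two points are assumptions rather than statements from this page: "is" is treated as inheriting the parent item's tags with "+=" appending to the inherited list (inferred from the examples), and a target that no ACL names at all is treated as unrestricted, which the page does not specify.

```python
"""Model of the TellmeSchema hasPerms rules. Added example, not the module's code."""
import re

# Constructed data: the verdad-acl-groups example item as a dict.
GROUPS = {
    "dc-ops": ["desl", "alain", "jadams", "doug", "martins", "krysta"],
    "infeng": ["bryan", "tjs", "djs", "karl", "mary", "natefair", "hpaul"],
    "netops": ["@security", "@infeng", "@noc", "@dc-ops"],
    "noc": ["marty", "dkubasak", "schrader", "courtenay", "raymond", "isaac"],
    "security": ["hso"],
}

# Constructed data: the verdad-acl-* example items. "is" names a parent item
# whose tags are inherited; a key ending in "+=" appends to the inherited list
# (assumed semantics, inferred from the examples in this document).
ACL_ITEMS = {
    "verdad-acl-default": {
        "acl-name": ["~^verdad-acl-"],
        "acl-write": ["@security"],
        "acl-type": "verdad-item",
    },
    "verdad-acl-accessible-by": {
        "is": "verdad-acl-default",
        "acl-name": ["~^accessible-by"],
        "acl-write+=": ["bryan", "tjs"],
        "acl-type": "verdad-item",
    },
    "verdad-acl-tags": {
        "is": "verdad-acl-default",
        "acl-name": ["verdad-acl", "verdad-group"],
        "acl-type": "verdad-tag",
    },
    "verdad-acl-user-tags": {
        "is": "verdad-acl-default",
        "acl-add": ["@dc-ops"],
        "acl-name": ["users", "admin-users"],
        "acl-type": "verdad-tag",
    },
}

OPS = ("add", "modify", "delete")


def expand_group(name, groups, seen=None):
    """Flatten a group to a set of usernames, following @group references.

    A group already being expanded is skipped, so reference cycles terminate.
    """
    seen = seen if seen is not None else set()
    if name in seen:
        return set()
    seen.add(name)
    users = set()
    for member in groups.get(name, []):
        if member.startswith("@"):
            users |= expand_group(member[1:], groups, seen)
        else:
            users.add(member)
    return users


def resolve_item(name, items):
    """Apply 'is' inheritance and '+=' appends; returns the item's flat tag dict."""
    item = items[name]
    tags = dict(resolve_item(item["is"], items)) if "is" in item else {}
    for key, value in item.items():
        if key == "is":
            continue
        if key.endswith("+="):
            base = key[:-2]
            tags[base] = list(tags.get(base, [])) + list(value)
        else:
            tags[key] = value
    return tags


def acl_matches(tags, acl_type, target):
    """True if this ACL governs `target`: same acl-type and an acl-name entry
    that matches (a "~" prefix means regular expression, otherwise exact match)."""
    if tags.get("acl-type") != acl_type:
        return False
    for pattern in tags.get("acl-name", []):
        if pattern.startswith("~"):
            if re.search(pattern[1:], target):
                return True
        elif pattern == target:
            return True
    return False


def has_perms(user, op, acl_type, target, items=ACL_ITEMS, groups=GROUPS):
    """True if any ACL matching `target` grants `op` to `user`.

    acl-write is shorthand for every op, "*" grants everyone, "@name" expands a
    group, and there are no deny lists: one granting ACL is enough. A target
    with matching ACLs but no grant is denied. A target that no ACL names is
    treated as unrestricted here (an assumption; the page does not say).
    """
    assert op in OPS, "op must be one of add, modify, delete"
    matched = False
    for name in items:
        tags = resolve_item(name, items)
        if not acl_matches(tags, acl_type, target):
            continue
        matched = True
        for entry in list(tags.get("acl-" + op, [])) + list(tags.get("acl-write", [])):
            if entry == "*" or entry == user:
                return True
            if entry.startswith("@") and user in expand_group(entry[1:], groups):
                return True
    return not matched
```

Running has_perms("desl", "add", "verdad-tag", "users") returns True through the dc-ops grant on verdad-acl-user-tags, while the same user asking for "modify" is refused because only the inherited acl-write (the security group) covers that operation.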
See Verdad.pm's documentation for more info on the $itemRef structure. Also, see DefaultSchema.pm.
Jeff R. Allen <jra@nella.org>