DHCPD ACL subsystem

TARGETS:

    The main goal of the ACL subsystem is to provide a powerful, flexible and extensible mechanism for access control over the different objects in the dhcpd configuration. These objects are shared networks, subnets, groups of hosts and hosts.
    The ACL subsystem also lets you control some other features, such as unique object names, applying a changed configuration, and viewing and deleting DHCP leases.

CONCEPTS:

    The dhcpd configuration file can be represented as a tree structure. Each node of the tree represents the configuration of a different DHCP object (fig. 0).

    The ACL subsystem has 2 levels of permissions:

    Global permissions exist for every type of object (hosts, groups, subnets, shared networks) and control operations on the whole set of objects of the given type.
        Global create
        Global read
        Global write

    Per-object permissions give you a more flexible way of controlling access. A per-object ACL exists for every individual object. Currently, per-object ACLs are implemented only for hosts and subnets.
        Per-object read
        Per-object write

    The ACL subsystem can operate at 4 different security levels (or modes).
    [Figure: dhcpd configuration tree, security level 0, check subnetX permissions]

    [Figure: dhcpd configuration tree, security level 1, check subnetX permissions]

    [Figure: dhcpd configuration tree, security level 2, check subnetX permissions]

    [Figure: dhcpd configuration tree, security level 3, check subnetX permissions]

USER NOTES:

 

DEVELOPER NOTES: