Go to main content

man pages section 7: Standards, Environments, Macros, Character Sets, and Miscellany

Exit Print View

Updated: Wednesday, August 8, 2018
 
 

sstore-authorized-user (7)

Name

sstore-authorized-user - Statistics Store authorized user

Description

An sstore-authorized user is authorized for a given namespace node and a privileged operation. This authorization permits the user to perform the privileged operation on the namespace node or on any of its non-topological descendant nodes without having the RBAC authorization required to perform that operation. For more information about RBAC authorization, see the sstore-security(7)) man page.

For example, if the user foo is an authorized user for the read_sensitive operation on //:class.event but does not have the RBAC authorization to read sensitive statistics or events, then foo can read any sensitive events under //:class.event but foo cannot read sensitive data from any other part of the namespace.

Defining an Statistics Store Authorized User

You can specify an sstore authorized user for an operation on a namespace node through an authorization or a set of usernames or both.

Defining an Authorized User Through Username

The namespace node for which the authorized user is defined must have the following information in its metadata:

"sau_op_name_username": user_name [,<user_name>]

The possible values for op_name are as follows:

  • all

  • read_sensitive

  • capture_sensitive

  • capture_expensive

  • write

  • update_res

  • delete

  • config

For more information about these operations, see the sstore-security(7) man page .

For example, to authorize a user user_bar to read sensitive statistics or events under //:class.app/solaris/foo, an sstore authorized user should be created by adding the following key-value pair in the metadata of //:class.app/solaris/foo

"sau_read_sensitive_username": "user_bar"
Defining an Authorized User Through RBAC Authorization

The namespace node for which you define the authorized user should have the following key-value pair in its metadata:

"sau_op_name_auth": RBAC auth

The possible values for the op_name are the same as the values for defining an authorized user through a user name.

For example, to permit any user who has the solaris.sstore.apache.write RBAC authorization to perform write operations on //:class.apache, define the following key-value pair in the metadata for //:class.apache:

"sau_write_auth": "solaris.sstore.apache.write"

This key-value pair definition permits the Apache process, which has the solaris.sstore.apache.write RBAC authorization, to provide statistics under //:class.apache.

See Also

auths(1), sstore(1), libsstore(3LIB), sstore.json(5), ssid(7), ssid-metadata(7), sstore(7), sstore-security(7), sstoreadm(1)