sstore-authorized-user (7)
Name
sstore-authorized-user - Statistics Store authorized user
Description
An sstore authorized user is a user who is authorized for a given namespace node and
a given privileged operation. This authorization permits the user to perform that privileged
operation on the namespace node, and on any of its non-topological descendant nodes, without
holding the RBAC authorization that the operation otherwise requires. The authorization does
not extend to siblings or ancestors of the node. For more information about RBAC
authorization, see the sstore-security(7) man page.
For example, if the user foo is an authorized user for the
read_sensitive operation on //:class.event but does
not have the RBAC authorization to read sensitive statistics or events, then
foo can read any sensitive events under //:class.event
but foo cannot read sensitive data from any other part of the
namespace.
Defining a Statistics Store Authorized User
You can specify an sstore authorized user for an operation on a
namespace node through an RBAC authorization, through a list of user names, or both.
Defining an Authorized User Through Username
The namespace node for which the authorized user is defined must have the following
key-value pair in its metadata, where the value is a comma-separated list of one or more user names:
"sau_op_name_username": "user_name[,user_name...]"
The possible values for op_name are as follows:
 - all
 - read_sensitive
 - capture_sensitive
 - capture_expensive
 - write
 - update_res
 - delete
 - config
For more information about these operations, see the sstore-security(7) man page.
For example, to authorize the user user_bar to read sensitive
statistics or events under //:class.app/solaris/foo, create an
sstore authorized user by adding the following
key-value pair to the metadata of //:class.app/solaris/foo:
"sau_read_sensitive_username": "user_bar"
Defining an Authorized User Through RBAC Authorization
The namespace node for which you define the authorized user must have the following
key-value pair in its metadata, where the value is the name of an RBAC authorization:
"sau_op_name_auth": "RBAC auth"
The possible values for the op_name are the same as the
values for defining an authorized user through a user name.
For example, to permit any user who has the
solaris.sstore.apache.write RBAC authorization to perform write
operations on //:class.apache, define the following key-value pair in
the metadata for //:class.apache:
"sau_write_auth": "solaris.sstore.apache.write"
This key-value pair permits the Apache process, which runs with the
solaris.sstore.apache.write RBAC authorization, to provide statistics
under //:class.apache. Note that the grant is tied to the authorization, not to Apache:
any other process whose user holds solaris.sstore.apache.write can write there as well.
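The following is an added illustrative model, not code from this man page or from the sstore implementation, of how the sau_op_name_username and sau_op_name_auth keys described in the two sections above combine to decide whether a user may perform a privileged operation on a node. The METADATA table, the user names, and the treatment of descendant nodes as '/'-separated path extensions of the node that carries the metadata are assumptions made for the example; the RBAC wildcard rule (an authorization ending in ".*" matches any name with that prefix) is modelled on auths(1) and is also an assumption about how sstore itself evaluates it.

```python
"""Toy model of sstore authorized-user evaluation (added example, not sstore code)."""

# Constructed metadata: namespace node -> that node's metadata key-value pairs.
# Real metadata is delivered through sstore.json(5) files, not a Python dict.
METADATA = {
    "//:class.app/solaris/foo": {"sau_read_sensitive_username": "user_bar"},
    "//:class.apache": {"sau_write_auth": "solaris.sstore.apache.write"},
    # 'all' grants every privileged operation; values may list several users.
    "//:class.event": {"sau_all_username": "foo, admin2"},
}

# The privileged operations this page lists as valid op_name values.
OPERATIONS = {"all", "read_sensitive", "capture_sensitive", "capture_expensive",
              "write", "update_res", "delete", "config"}


def ancestors(node):
    """Return node followed by each enclosing node, nearest first.

    Assumption: a descendant is a '/'-separated extension of the node id after
    the '//:' prefix, e.g. //:class.app/solaris/foo lies under //:class.app.
    """
    prefix = "//:"
    body = node[len(prefix):] if node.startswith(prefix) else node
    parts = body.split("/")
    return [node] + [prefix + "/".join(parts[:i]) for i in range(len(parts) - 1, 0, -1)]


def _user_names(value):
    """Split a comma-separated user list such as 'foo, admin2' into a set."""
    return {name.strip() for name in value.split(",") if name.strip()}


def _holds_auth(user_auths, required):
    """RBAC-style match: exact name, or a held wildcard like 'solaris.sstore.*'."""
    required = required.strip()
    if not required:
        return False
    for held in user_auths:
        held = held.strip()
        if held == required:
            return True
        if held.endswith(".*") and required.startswith(held[:-1]):
            return True
    return False


def is_authorized(user, user_auths, op, node, metadata=METADATA):
    """True if `user` may perform `op` on `node` as an sstore authorized user.

    The grant is looked up on the node itself and on each ancestor, because an
    authorized user defined on a node covers all of its descendant nodes.
    """
    if op not in OPERATIONS or op == "all":
        raise ValueError("op must be a concrete privileged operation, got %r" % op)
    for candidate in ancestors(node):
        md = metadata.get(candidate, {})
        for key_op in (op, "all"):          # a specific grant or a blanket 'all' grant
            if user in _user_names(md.get("sau_%s_username" % key_op, "")):
                return True
            if _holds_auth(user_auths, md.get("sau_%s_auth" % key_op, "")):
                return True
    return False


if __name__ == "__main__":
    # user_bar may read sensitive data under the node, but not write to it
    # and not read sensitive data elsewhere in the namespace.
    print(is_authorized("user_bar", set(), "read_sensitive", "//:class.app/solaris/foo/stat.x"))
    print(is_authorized("user_bar", set(), "write", "//:class.app/solaris/foo"))
    print(is_authorized("user_bar", set(), "read_sensitive", "//:class.app/solaris"))
    # Whoever holds the RBAC authorization may write under //:class.apache.
    print(is_authorized("webservd", {"solaris.sstore.apache.write"}, "write", "//:class.apache/res/httpd"))
```

The third print is the point the Description makes: user_bar is authorized below //:class.app/solaris/foo only, so the parent //:class.app/solaris is refused. The last print shows why the auth form should be read as "anyone holding this authorization", not "the Apache process": the check never looks at which program is asking.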
See Also
auths(1), sstore(1), sstoreadm(1), libsstore(3LIB), sstore.json(5), ssid(7), ssid-metadata(7), sstore(7), sstore-security(7)