flux_msg_handler_allow_rolemask(3)

SYNOPSIS

#include <flux/core.h>

void flux_msg_handler_allow_rolemask (flux_msg_handler_t *mh,
                                      uint32_t rolemask);

void flux_msg_handler_deny_rolemask (flux_msg_handler_t *mh,
                                     uint32_t rolemask);

Link with -lflux-core.

DESCRIPTION

Flux's role-based access control mechanism is described in RFC 12. The message handler rolemask determines which messages are delivered to the handler. Requests that would otherwise match but cannot be delivered due to a missing role are automatically sent a "permission denied" response. Other message types that don't match are silently discarded. The instance owner is implicitly authorized for every service, so it is unnecessary to add FLUX_ROLE_OWNER to the rolemask.

The currently supported roles are:

FLUX_ROLE_OWNER

Requests from instance owners are matched.

FLUX_ROLE_USER

Requests from users / guests can be matched.

FLUX_ROLE_LOCAL

Requests from the same broker as the receiver are matched.

By default, message handlers have a rolemask of FLUX_ROLE_OWNER.

flux_msg_handler_allow_rolemask() and flux_msg_handler_deny_rolemask() can be used to alter the rolemask for each message handler.
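The delivery rules described above, as a small stand-alone model (an added example, not flux-core code and not linked against libflux). The struct, the function names, the role bit values, and the choice to keep the owner bit set on deny are all assumptions made for the model; only the behavior it encodes comes from this page.

```c
#include <stdint.h>
#include <stdio.h>

/* Model constants: names follow the page, bit values are assumed here. */
enum { ROLE_OWNER = 1, ROLE_USER = 2, ROLE_LOCAL = 4 };
enum msg_type { MSG_REQUEST, MSG_EVENT };
enum outcome { DELIVERED, DENIED_EPERM, DISCARDED };

struct handler { uint32_t rolemask; };  /* hypothetical stand-in for a handler */

/* New handlers start owner-only, matching the documented default. */
static struct handler handler_create (void)
{
    struct handler mh = { ROLE_OWNER };
    return mh;
}

static void allow_rolemask (struct handler *mh, uint32_t rolemask)
{
    mh->rolemask |= rolemask;
}

/* Assumption: the owner is implicitly authorized, so the model keeps that bit. */
static void deny_rolemask (struct handler *mh, uint32_t rolemask)
{
    mh->rolemask &= ~rolemask;
    mh->rolemask |= ROLE_OWNER;
}

/* Outcome for a message that already matches the handler's type and topic. */
static enum outcome dispatch (const struct handler *mh, enum msg_type type,
                              uint32_t sender_roles)
{
    if (sender_roles & mh->rolemask)
        return DELIVERED;
    /* Only requests get a "permission denied" reply; the rest are dropped. */
    return type == MSG_REQUEST ? DENIED_EPERM : DISCARDED;
}

int main (void)
{
    struct handler mh = handler_create ();
    printf ("guest request, default mask: %d\n",
            dispatch (&mh, MSG_REQUEST, ROLE_USER));
    allow_rolemask (&mh, ROLE_USER);
    printf ("guest request, USER allowed: %d\n",
            dispatch (&mh, MSG_REQUEST, ROLE_USER));
    return 0;
}
```

A handler opened to FLUX_ROLE_USER receives requests from every guest, so any per-user restriction has to be enforced inside the handler itself.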

RESOURCES

Flux: http://flux-framework.org

Flux RFC: https://flux-framework.readthedocs.io/projects/flux-rfc

Issue Tracker: https://github.com/flux-framework/flux-core/issues

FLUX RFC

12/Flux Role-based Access Control

SEE ALSO

flux_msg_handler_addvec(3), flux_msg_handler_create(3), flux_msg_cmp(3)