LIST-ACL options name-component
This request can be used to list the ACL (access control list) for the object specified in the previous OBJECT command. If the object is a DIRECTORY, this request can be used to list the access control list for a link within that directory. The optional name-component is required only if requesting the ACL for a link within the directory (option = LINK). It is to be left out when requesting the ACL for the object itself (option = OBJECT).
The response will be zero or more lines of the form:
ACL entry-type authentication-type rights principal-name
If no ACL entries are listed, then the response is SUCCESS. Fields inappropriate to a particular entry-type need not be sent, but if they are sent, they should be sent as a zero-length string. For instance, the DEFAULT, SYSTEM, and DIRECTORY ACL types do not use the authentication-type, rights, and principal-name fields.
If the ACL's permissions state that it cannot be viewed (v or V permission), then the response is
FAILURE NOT-AUTHORIZED optional multi-token explanatory text.
Possible values for entry-type include NONE (allows access to no principals; in other words, it's a no-op), ANY (grants access to all principals), OWNER (grants access to the principal specified by the link or object's OWNER field; i.e., the one who owns the link or object), NAMED, GROUP (in this case, the authentication-type token represents the group certification method), DIRECTORY, DEFAULT, SYSTEM, AUTHENT (an authentication method is used, and the authentication-type token specifies it; the only currently supported value for authentication-type is KERBEROS), ASRTHOST, and TRSTHOST. An example:
ACL ANY '' rlvY
ACL ASRTHOST '' ALRMDI prospero
ACL AUTHENT KERBEROS ALRMDI swa@ISI.EDU bcn@ISI.EDU
ACL DEFAULT '' ''
ACL SYSTEM '' ''
We interpret a null link ACL as the DIRECTORY ACL. We interpret a null directory ACL as the DEFAULT ACL.
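A parser for the response format described above, as an added example that is not part of the original manual or the Prospero code. It assumes that tokens are separated by blanks, that a quoted token is enclosed in single quotes (as `''` is in the sample), and that a SUCCESS line carries no entries; the function and class names are hypothetical.

```python
import re
from dataclasses import dataclass, field
# Entry types named in this section.
ENTRY_TYPES = {"NONE", "ANY", "OWNER", "NAMED", "GROUP", "DIRECTORY",
               "DEFAULT", "SYSTEM", "AUTHENT", "ASRTHOST", "TRSTHOST"}
# Assumption: a token is a single-quoted string or a run of non-blanks.
TOKEN = re.compile(r"'([^']*)'|(\S+)")
# The example response from this section.
SAMPLE = """\
ACL ANY '' rlvY
ACL ASRTHOST '' ALRMDI prospero
ACL AUTHENT KERBEROS ALRMDI swa@ISI.EDU bcn@ISI.EDU
ACL DEFAULT '' ''
ACL SYSTEM '' ''
"""

class NotAuthorized(Exception):
    """FAILURE NOT-AUTHORIZED: the ACL may not be viewed."""

@dataclass
class AclEntry:
    entry_type: str
    auth_type: str = ""
    rights: str = ""
    principals: list = field(default_factory=list)

def tokenize(line):
    return [bare or quoted for quoted, bare in TOKEN.findall(line)]

def parse_list_acl(response):
    """Return the listed entries; an empty list is a null ACL, not a denial."""
    entries = []
    for line in response.splitlines():
        tok = tokenize(line)
        if not tok or tok[0] == "SUCCESS":
            continue
        if tok[:2] == ["FAILURE", "NOT-AUTHORIZED"]:
            raise NotAuthorized(" ".join(tok[2:]))
        if tok[0] != "ACL" or len(tok) < 2 or tok[1] not in ENTRY_TYPES:
            raise ValueError(f"unexpected response line: {line!r}")
        auth, rights = (tok[2:4] + ["", ""])[:2]   # omitted fields read as ''
        if tok[1] == "AUTHENT" and auth != "KERBEROS":
            raise ValueError(f"unsupported authentication-type: {auth!r}")
        entries.append(AclEntry(tok[1], auth, rights, tok[4:]))
    return entries

def governing_acl(entries, target):
    # Null link ACL -> DIRECTORY ACL; null directory ACL -> DEFAULT ACL.
    return target if entries else {"LINK": "DIRECTORY", "DIRECTORY": "DEFAULT"}[target]
```

Raising on NOT-AUTHORIZED and on unknown entry types keeps a client from mistaking a refused or malformed listing for a null ACL, which would otherwise fall through to the DIRECTORY or DEFAULT ACL.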
See the Prospero User's Manual for a discussion of the order of evaluation of ACLs.
To find out the value of a NAMED ACL, we use the NAMED option, and the name-component is replaced with the (possibly quoted) name of the named ACL. Named ACLs are shorthand for longer lists, and are local to the server (XXX this should go into the user's manual).
There are four special NAMED ACLs: SYSTEM, MAINTENANCE, DEFAULT, and OVERRIDE.
The new CONTAINER option is not yet fully deployed in our current server. Our intent is to have every object associated with a container for that object. In this way, one can change a group of objects' ACLs by modifying their CONTAINER ACLs.
See the Prospero User's Manual for a further discussion of ACLs.