The Controller Daemon requires an Access Control List (ACL) that assigns privileges (admin, query) by user or group of users associated with Capture or Engine agents running on the platform. This sequential file, usually named acl.cfg, is placed in the <SQDATA_VAR_DIR>/daemon/cfg directory. The file name must match the name specified in the SQDagents.cfg file by the acl=<location/file> parameter.
The ACL configuration file contains three sections, two of which are named ([groups] and [acls]). Each section consists of key-argument pairs. Empty lines and lines starting with # or -- are interpreted as comments. Section names must be bracketed, and keywords and arguments are case-sensitive.
```
allow_guest=yes
guest_acl=none
default_acl=query
[groups]
admin=<user>,<user2>
[acls]
admin=admin
cntl=exec
status=read
```
Syntax

```
allow_guest=no | yes
guest_acl=<acl_list_name>
default_acl=<comma separated list>
```
| Keyword | Description |
|---|---|
| allow_guest=no \| yes | Specifies whether a guest is allowed to connect. Guests are clients that can complete a NaCl handshake but whose public key is not in the server's authorized_keys_list file. If guests are allowed, they are by default granted the right to query. The default value is no. |
| guest_acl=<acl_list_name> | Optionally assigns one of the acl_list_names in the [acls] section to guest users. This must be specified after the allow_guest parameter. The default, if no acl_list_name is specified, is none. |
| default_acl=<comma separated list> | Optional comma separated list of specific access type authorizations (see below) assigned to authenticated clients that have no [acls] entry explicitly associated with them, either directly or via a group, which makes them by default a "Guest". |
Syntax

```
[groups]
<group_name>=<user_name> [,<user_name>…]
```

| Keyword | Description |
|---|---|
| <group_name>=<user_name> [,<user_name>…] | Defines a "named group" and the members of that group. The case-sensitive user_name/user-id of a connecting client must match a name specified in one or more group_names, or the user will be considered a guest. The user_name may include a domain, e.g. user_name@server, but more commonly does not; omitting the domain allows a single NaCl key pair to serve an individual user with accounts on multiple systems. |
Syntax

```
[acls]
<user_name> | <group_name> = <access type list>
```

| Keyword | Description |
|---|---|
| <user_name> \| <group_name> | Individual user_name/user-id or group_name. |
| <access type list> | A comma separated list of one or more of the following access or authorization types, listed in ascending order of authority: |
- When a type of access or authorization is assigned to a group_name, the list propagates to all users in the group.
- Access types are cumulative, so it is only necessary to list the maximum access or authorization allowed for an individual user or group:

  ```
  [acls]
  admin=admin
  cntl=exec
  status=read
  ```

- The user_name/user_id that starts the daemon is implicitly granted sysadm access, whether or not it is explicitly assigned to a group or individually assigned another specific access right or authorization.
- Changes are not known to the daemon until the configuration file is reloaded using the SQDmon utility, or the sqdaemon process is stopped and started.
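As an added example (not SQData's own code), the following Python parses an acl.cfg in the layout described above and resolves a client's effective access types, applying the group propagation and cumulative rules from the notes. The sample file and its user names are constructed, and the fallback to default_acl for a guest whose guest_acl is none is an assumption.

```python
# Added example, not SQData's own code; parses an acl.cfg laid out as the page describes.
SAMPLE_ACL_CFG = """\
allow_guest=yes
guest_acl=none
default_acl=query
[groups]
-- constructed sample: user names are assumptions
admin=alice,bob
[acls]
admin=admin
dave=read
"""

def parse_acl_cfg(text):
    """Return (top, groups, acls); keys and values stay case-sensitive."""
    top, groups, acls, section = {}, {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "--")):
            continue                             # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]                 # [groups] or [acls]
            continue
        key, sep, value = line.partition("=")
        if not sep or section not in (None, "groups", "acls"):
            raise ValueError("bad line or section: %r" % raw)
        items = [v.strip() for v in value.split(",") if v.strip()]
        if section == "groups":
            groups.setdefault(key.strip(), []).extend(items)  # group -> members
        elif section == "acls":
            acls[key.strip()] = items            # user or group -> access types
        else:
            top[key.strip()] = value.strip()     # allow_guest, guest_acl, default_acl
    return top, groups, acls

def effective_access(cfg, user, authenticated=True):
    """Access types for `user`: direct [acls] entry plus lists from its groups."""
    top, groups, acls = cfg
    if not authenticated:                         # guest: public key not authorized
        if top.get("allow_guest", "no") != "yes":
            return set()
        granted = set(acls.get(top.get("guest_acl", "none"), []))
    else:
        granted = set(acls.get(user, []))         # direct assignment
        for group, members in groups.items():
            if user in members:
                granted.update(acls.get(group, []))   # cumulative, per the page
    if not granted:                               # assumption: default_acl is the last resort
        granted = {v.strip() for v in top.get("default_acl", "").split(",") if v.strip()}
    return granted
```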