<html>
<head>
<base href="https://wiki.asterisk.org/wiki">
<link rel="stylesheet" href="/wiki/s/en/2172/18/9/_/styles/combined.css?spaceKey=AST&forWysiwyg=true" type="text/css">
</head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
<h2><a href="https://wiki.asterisk.org/wiki/display/AST/Named+ACLs">Named ACLs</a></h2>
<h4>Page <b>edited</b> by <a href="https://wiki.asterisk.org/wiki/display/~mjordan">Matt Jordan</a>
</h4>
<div id="versionComment">
<b>Comment:</b>
Added dynamic use cases<br />
</div>
<br/>
<h4>Changes (58)</h4>
<div id="page-diffs">
<table class="diff" cellpadding="0" cellspacing="0">
<tr><td class="diff-snipped" >...<br></td></tr>
<tr><td class="diff-unchanged" >{toc:style=disc|indent=20px} <br> <br></td></tr>
<tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">h1. Use Cases (desired for revision I) <br></td></tr>
<tr><td class="diff-added-lines" style="background-color: #dfd;">h1. Use Cases - Initial Implementation <br></td></tr>
<tr><td class="diff-unchanged" > <br></td></tr>
<tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">h2. Note on use cases: <br>The method for using named ACLs with consumers is currently something of an open question. In the reviewboard prototype, the named ACL will immediately be searched from the ACL subsystem and if it's found, the real ACL defined in configuration will then be appended to whatever ACL structure the consumer is currently using (M1). Another method that is in discussion is to change the current ACLs into a container that can hold the natural ACL defined in the consumer's configuration with permit and deny as well as an arbitrary number of named ACLs (M2). Another option still would be to have a similar container that can hold an arbitrary number of ACL objects which could either be the names of relevant named ACLs or ast_ha structs. The last approach would require that the full container be iteratively copied into a new standard ast_ha structure at the time of consumption (which would stay alive for the duration of whatever dialog its used for) (M3). The first two methods however require an event setup where consumers are notified of changes to the ACL system so that they can react to them (to update consumer ACLs). <br></td></tr>
<tr><td class="diff-added-lines" style="background-color: #dfd;">h2. Actors <br></td></tr>
<tr><td class="diff-unchanged" > <br></td></tr>
<tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">h3. I. Named ACL and consumer startup <br></td></tr>
<tr><td class="diff-added-lines" style="background-color: #dfd;">* Named ACL Subsystem - the ACL subsystem that owns the definition of the named ACLs. Currently, this is acl.c. <br>* ACL Consumers - subsystems that use named ACLs to make internal decisions, e.g., chan_sip. <br></td></tr>
<tr><td class="diff-unchanged" > <br></td></tr>
<tr><td class="diff-added-lines" style="background-color: #dfd;">Note that the configuration information for these actors could come from a variety of sources, such as .conf files, RealTime backends, etc. <br> <br>h2. Named ACL and Consumers - Module Load <br> <br></td></tr>
<tr><td class="diff-unchanged" >h5. Actors <br></td></tr>
<tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;"># Named ACL Subsystem <br># Arbitrary Consumer (There can be any number of them and will include modules and other Asterisk subsystems like manager) <br></td></tr>
<tr><td class="diff-added-lines" style="background-color: #dfd;">* Named ACL Subsystem. <br>* One or more Consumers. <br></td></tr>
<tr><td class="diff-unchanged" > <br>h5. Preconditions <br></td></tr>
<tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;"># Configuration files exist for the named ACL subsystem (acl.conf) and consumers (consumer.conf for the sake of the example) <br></td></tr>
<tr><td class="diff-added-lines" style="background-color: #dfd;">* Configuration exists for all actors. <br></td></tr>
<tr><td class="diff-unchanged" > <br>h5. Scenario <br></td></tr>
<tr><td class="diff-changed-lines" ># The Named ACL Subsystem is <span class="diff-changed-words">initialized<span class="diff-added-chars"style="background-color: #dfd;">.</span></span> <br></td></tr>
<tr><td class="diff-changed-lines" ># The Named ACL Subsystem loads configuration <span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">information from acl.conf</span> <span class="diff-added-words"style="background-color: #dfd;">information.</span> <br></td></tr>
<tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;"># Categories in acl.conf become names for named ACLs while individual instances of permit/deny options within those categories become the rules that define those named ACLs. <br></td></tr>
<tr><td class="diff-added-lines" style="background-color: #dfd;"># Each category in the configuration specifies a unique named ACL. Key/value pairs within that category define the rules for that ACL. <br></td></tr>
<tr><td class="diff-changed-lines" ># A <span class="diff-changed-words"><span class="diff-deleted-chars"style="color:#999;background-color:#fdd;text-decoration:line-through;">c</span><span class="diff-added-chars"style="background-color: #dfd;">C</span>onsumer</span> is initialized (from here, steps are repeated for each <span class="diff-changed-words">consumer)<span class="diff-added-chars"style="background-color: #dfd;">.</span></span> <br></td></tr>
<tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;"># The consumer loads configuration information from consumer.conf <br>h6. The consumer's configuration employs a named ACL option (acl = 'aclname') <br># The named ACL will be appended to whatever ACL/container the consumer is modifying with that option. <br></td></tr>
<tr><td class="diff-added-lines" style="background-color: #dfd;"># The Consumer loads its configuration information. <br># The Consumer's configuration specifies the usage of a named ACL defined by the Named ACL Subsystem. <br></td></tr>
<tr><td class="diff-unchanged" > <br>h5. Post Conditions <br></td></tr>
<tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;"># The consumers will either have ACLs that can be used in their immediate state or will have an ACL container from which an ACL can be readily preparred depending on the implementation above. <br></td></tr>
<tr><td class="diff-added-lines" style="background-color: #dfd;"># The Consumers have a key by which they can determine whether or not an address is allowable by that named ACL. <br></td></tr>
<tr><td class="diff-unchanged" > <br></td></tr>
<tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">h3. II. Named ACL module is reloaded <br></td></tr>
<tr><td class="diff-added-lines" style="background-color: #dfd;">h3. Named ACL - Reload <br></td></tr>
<tr><td class="diff-unchanged" > <br>h5. Actors <br></td></tr>
<tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;"># Named ACL Subsystem <br># Arbitrary Consumers <br></td></tr>
<tr><td class="diff-added-lines" style="background-color: #dfd;">* Named ACL Subsystem. <br>* User or AMI connection. <br>* Consumers <br></td></tr>
<tr><td class="diff-unchanged" > <br>h5. Preconditions <br></td></tr>
<tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;"># A valid configuration exists for the named ACL subsystem (acl.conf) which has been changed. <br></td></tr>
<tr><td class="diff-added-lines" style="background-color: #dfd;">* Updated configuration exists for the Named ACL Subsystem. <br></td></tr>
<tr><td class="diff-unchanged" > <br>h5. Scenario <br></td></tr>
<tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;"># The named ACL subsystem reloads configuration information from acl.conf. At this point, ACLs from the previous configuration may be gone or altered and new ones may be introduced. <br>h6. Using Named ACL consumer storage method M1 or M2 <br># An ACL_CHANGE event is triggered by the named ACL subsystem which has been subscribed to by consumers that currently make use of the named ACL system. <br># The consumer will read the event. How it is handled by the consumer at this point isn't definite, but possible options are for the consumer to force a reload or if the consumer has the ability to examine specific ACLs for named ACLs, to simply repopulate named ACLs. <br>h6. Using Named ACL Consumer storage method M3, no changes would need to be made at this junction. <br></td></tr>
<tr><td class="diff-added-lines" style="background-color: #dfd;"># The User or an AMI connection initiates a reload operation on the Named ACL Subsystem. <br># The Named ACL subsystem reloads configuration information from its configuration. <br># Atomically, the ACL subsystem replaces its named ACLs with those from its updated configuration. <br># The Named ACL Subsystem notifies Consumers that its configuration was updated. <br></td></tr>
<tr><td class="diff-unchanged" > <br>h5. Postconditions <br></td></tr>
<tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;"># Any active dialogs that were running before the named ACL subsystem reload would continue to use the original ACL until those dialogs expired. (consistent with current behavior for reloads) <br># New dialogs will use the refreshed named ACL. (also consistent with current behavior for reloads) <br># The structure storing the master ACL or ACL container will be update with the new named ACLs (if necessary). <br></td></tr>
<tr><td class="diff-added-lines" style="background-color: #dfd;"># The Named ACL subsystem is reloaded with an updated configuration. <br># Consumers are notified that the Named ACL subsystem was updated. <br></td></tr>
<tr><td class="diff-unchanged" > <br></td></tr>
<tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">h1. Configuration <br>h3. Named ACL Configuration (acl.conf) <br>acl.conf defines ACL profiles. Use of the configuration is very simple and consists only of categories (name of the category determines the name of the ACL and must not be 'general' since that's a reserved word for Asterisk configurations) with two options, permit and deny, which may be used in sequence to build an ACL. Order is important as it is for all ACLs. <br>Like all uses of ACLs in configurations, the named ACL configuration supports ipv6 addresses. <br></td></tr>
<tr><td class="diff-added-lines" style="background-color: #dfd;">h3. Consumer asks for named ACL information <br></td></tr>
<tr><td class="diff-unchanged" > <br></td></tr>
<tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">h5. Example configuration: <br>{newcode:language=none|title=acl.conf}[profile1] <br>;block everything then whitelist everything from 128.128.128.* <br>deny=0.0.0.0/0.0.0.0 <br>permit=128.128.128.0/255.255.255.0 <br></td></tr>
<tr><td class="diff-added-lines" style="background-color: #dfd;">h5. Actors <br>* Named ACL Subsystem. <br>* A single Consumer. <br></td></tr>
<tr><td class="diff-unchanged" > <br></td></tr>
<tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">[profile2] <br>;allow everything then blacklist everything from 10.24.*.* and 10.20.*.* <br>permit=0.0.0.0/0.0.0.0 <br>deny=10.24.0.0/255.255.0.0 <br>deny=10.20.0.0/255.255.0.0{newcode} <br></td></tr>
<tr><td class="diff-added-lines" style="background-color: #dfd;">h5. Preconditions <br>* A loaded and configured Named ACL Subsystem and Consumer. <br></td></tr>
<tr><td class="diff-unchanged" > <br></td></tr>
<tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">h3. Consumer Configuration <br>Consumers use named ACLs in a similar fashion to how they use ACLs normally with the permit/deny options. The actual keyword used to append a named ACL is determined by the consumer (and can be context sensitive, like with sip.conf which can configure a number of ACLs for a given category/peer), but the standard established for now is that for any option containing ACLs set with [prefix]permit/[prefix]deny, a similar [prefix]acl option will be made. Multiple uses of this should be allowed in order to attach multiple named ACLs. Currently, the project is running with the idea that the order of named ACL use should cause the evaluation behavior to work as though all of the permits/denies associated with that address are evaluated then, but that isn't set in stone. <br></td></tr>
<tr><td class="diff-added-lines" style="background-color: #dfd;">h5. Scenario - named ACL exists <br># The Consumer receives an address that it must verify against a named ACL. <br># The Consumer verifies the address using the named ACL information from the Named ACL Subsystem. <br></td></tr>
<tr><td class="diff-unchanged" > <br></td></tr>
<tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">h5. Example configurations <br>{newcode:language=none|title=sip.conf}[peer1] <br>... <br>deny=0.0.0.0/0.0.0.0 <br>acl=peer1ACL ; Uses a named ACL profile from acl.conf named peer1ACL <br></td></tr>
<tr><td class="diff-added-lines" style="background-color: #dfd;">h5. Scenario - named ACL does not exist in Named ACL Subsystem <br># The Consumer receives an address that it must verify against a named ACL. <br># The Consumer is unable to obtain ACL information for that named ACL from the Named ACL Subsystem. <br># The Consumer warns the system (and relevant security frameworks) of a configuration error. <br></td></tr>
<tr><td class="diff-unchanged" > <br></td></tr>
<tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">directmediadeny=0.0.0.0/0.0.0.0 <br>directmediaacl=peer1DMACL ; Uses a named ACL profile from acl.conf named peer1DMACL <br>... <br>{newcode} <br></td></tr>
<tr><td class="diff-added-lines" style="background-color: #dfd;">h1. Use Cases - Dynamic Named ACL Updating <br></td></tr>
<tr><td class="diff-unchanged" > <br></td></tr>
<tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">{newcode:language=none|title=manager.conf}[admin] <br></td></tr>
<tr><td class="diff-added-lines" style="background-color: #dfd;">h2. Actors <br></td></tr>
<tr><td class="diff-changed-lines" ><span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">...</span> <span class="diff-added-words"style="background-color: #dfd;"> </span> <br></td></tr>
<tr><td class="diff-added-lines" style="background-color: #dfd;">In addition to the previously defined actors, the following are also present in these use cases. <br></td></tr>
<tr><td class="diff-changed-lines" ><span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">deny=0.0.0.0/0.0.0.0</span> <span class="diff-added-words"style="background-color: #dfd;"> </span> <br></td></tr>
<tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">; We want to accept connections to this manager account from any device at the main building. <br>ACL=whitelist_main_building ; uses a named ACL profile from acl.conf named whitelist_main_building <br>; Also, John Doe's phone should be accepted. <br></td></tr>
<tr><td class="diff-added-lines" style="background-color: #dfd;">* Initiator - either a user initiating an update via a CLI command, a third party via an AMI connection, or some other external mechanism <br></td></tr>
<tr><td class="diff-changed-lines" ><span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">ACL=whitelist_JohnDoePhone</span> <span class="diff-added-words"style="background-color: #dfd;"> </span> <br></td></tr>
<tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">; We don't have a profile for it, but Bob Person wants access from a specific IP address. <br></td></tr>
<tr><td class="diff-added-lines" style="background-color: #dfd;">h3. Initiator updates a named ACL <br></td></tr>
<tr><td class="diff-changed-lines" ><span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">permit=10.1.1.128</span> <span class="diff-added-words"style="background-color: #dfd;"> </span> <br></td></tr>
<tr><td class="diff-added-lines" style="background-color: #dfd;">h5. Actors <br>* Initiator. <br>* Named ACL Subsystem. <br>* Consumers. <br></td></tr>
<tr><td class="diff-changed-lines" ><span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">...</span> <span class="diff-added-words"style="background-color: #dfd;"> </span> <br></td></tr>
<tr><td class="diff-added-lines" style="background-color: #dfd;">h5. Preconditions <br>* A loaded and configured Named ACL Subsystem and Consumer. <br></td></tr>
<tr><td class="diff-changed-lines" ><span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">{newcode}</span> <span class="diff-added-words"style="background-color: #dfd;"> </span> <br></td></tr>
<tr><td class="diff-added-lines" style="background-color: #dfd;">h5. Scenario <br># Initiator provides information that adds or modified an existing named ACL. <br># Named ACL Subsystem updates its information. <br># Named ACL Subsystem updates its backing storage. <br># The Named ACL Subsystem notifies Consumers that its configuration was updated. <br> <br>h5. Postconditions <br># The Named ACL subsystem is updated with the new named ACL information. <br># Consumers are notified that the Named ACL subsystem was updated. <br> <br>h3. Consumer updates a named ACL <br> <br>h5. Actors <br>* Named ACL Subsystem. <br>* Consumers. <br> <br>h5. Preconditions <br>* A loaded and configured Named ACL Subsystem and Consumer. <br>* A Consumer has received information that a named ACL should be added or modified. <br> <br>h5. Scenario - Add or Update Accepted <br># Consumer requests that a named ACL be added or updated with the appropriate information. <br># Named ACL Subsystem determines that the ACL can be added or updated. <br># Named ACL Subsystem updates its information. <br># Named ACL Subsystem updates its backing storage. <br># The Named ACL Subsystem notifies Consumers that its configuration was updated. <br> <br>h5. Postconditions <br># The Named ACL subsystem is updated with the new named ACL information. <br># Consumers are notified that the Named ACL subsystem was updated. <br> <br>h5. Scenario - Add or Update Rejected <br># Consumer requests that a named ACL be added or updated with the appropriate information. <br># Named ACL Subsystem determines that the ACL should not be added or updated. <br># The Named ACL Subsystem rejects the request. <br># The Consumer warns the system (and relevant security frameworks) of a configuration error. <br> <br>h5. Postconditions <br># No change in the configuration of the Consumer or the Named ACL Subsystem <br></td></tr>
</table>
</div> <h4>Full Content</h4>
<div class="notificationGreySide">
<h1><a name="NamedACLs-Overview"></a>Overview</h1>
<p>The primary goal for Named ACLs (Access Control Lists) is to provide users with a way to create commonly used ACL profiles and to be able to use those profiles wherever ACLs are consumed without the need to duplicate the list each time it is used (often with varying keywords for defining the ACLs). This will make the creation and maintainence of complex ACLs an easier, less error prone process. An implementation of this concept exists within a team branch written by Olle E. Johansson, though to what degree the scope of the current implementation will match that of Olle's is still uncertain.</p>
<h1><a name="NamedACLs-TableofContents"></a>Table of Contents</h1>
<style type='text/css'>/*<![CDATA[*/
div.rbtoc1339605216957 {margin-left: 1.5em;padding: 0px;}
div.rbtoc1339605216957 ul {list-style: disc;margin-left: 0px;padding-left: 20px;}
div.rbtoc1339605216957 li {margin-left: 0px;padding-left: 0px;}
/*]]>*/</style><div class='rbtoc1339605216957'>
<ul>
<li><a href='#NamedACLs-Overview'>Overview</a></li>
<li><a href='#NamedACLs-TableofContents'>Table of Contents</a></li>
<li><a href='#NamedACLs-UseCasesInitialImplementation'>Use Cases - Initial Implementation</a></li>
<ul>
<li><a href='#NamedACLs-Actors'>Actors</a></li>
<li><a href='#NamedACLs-NamedACLandConsumersModuleLoad'>Named ACL and Consumers - Module Load</a></li>
<ul>
<ul>
<li><a href='#NamedACLs-Actors'>Actors</a></li>
<li><a href='#NamedACLs-Preconditions'>Preconditions</a></li>
<li><a href='#NamedACLs-Scenario'>Scenario</a></li>
<li><a href='#NamedACLs-PostConditions'>Post Conditions</a></li>
</ul>
<li><a href='#NamedACLs-NamedACLReload'>Named ACL - Reload</a></li>
<ul>
<li><a href='#NamedACLs-Actors'>Actors</a></li>
<li><a href='#NamedACLs-Preconditions'>Preconditions</a></li>
<li><a href='#NamedACLs-Scenario'>Scenario</a></li>
<li><a href='#NamedACLs-Postconditions'>Postconditions</a></li>
</ul>
<li><a href='#NamedACLs-ConsumerasksfornamedACLinformation'>Consumer asks for named ACL information</a></li>
<ul>
<li><a href='#NamedACLs-Actors'>Actors</a></li>
<li><a href='#NamedACLs-Preconditions'>Preconditions</a></li>
<li><a href='#NamedACLs-ScenarionamedACLexists'>Scenario - named ACL exists</a></li>
<li><a href='#NamedACLs-ScenarionamedACLdoesnotexistinNamedACLSubsystem'>Scenario - named ACL does not exist in Named ACL Subsystem</a></li>
</ul>
</ul>
</ul>
<li><a href='#NamedACLs-UseCasesDynamicNamedACLUpdating'>Use Cases - Dynamic Named ACL Updating</a></li>
<ul>
<li><a href='#NamedACLs-Actors'>Actors</a></li>
<ul>
<li><a href='#NamedACLs-InitiatorupdatesanamedACL'>Initiator updates a named ACL</a></li>
<ul>
<li><a href='#NamedACLs-Actors'>Actors</a></li>
<li><a href='#NamedACLs-Preconditions'>Preconditions</a></li>
<li><a href='#NamedACLs-Scenario'>Scenario</a></li>
<li><a href='#NamedACLs-Postconditions'>Postconditions</a></li>
</ul>
<li><a href='#NamedACLs-ConsumerupdatesanamedACL'>Consumer updates a named ACL</a></li>
<ul>
<li><a href='#NamedACLs-Actors'>Actors</a></li>
<li><a href='#NamedACLs-Preconditions'>Preconditions</a></li>
<li><a href='#NamedACLs-ScenarioAddorUpdateAccepted'>Scenario - Add or Update Accepted</a></li>
<li><a href='#NamedACLs-Postconditions'>Postconditions</a></li>
<li><a href='#NamedACLs-ScenarioAddorUpdateRejected'>Scenario - Add or Update Rejected</a></li>
<li><a href='#NamedACLs-Postconditions'>Postconditions</a></li>
</ul>
</ul>
</ul>
</ul></div>
<h1><a name="NamedACLs-UseCasesInitialImplementation"></a>Use Cases - Initial Implementation</h1>
<h2><a name="NamedACLs-Actors"></a>Actors</h2>
<ul>
        <li>Named ACL Subsystem - the ACL subsystem that owns the definition of the named ACLs. Currently, this is acl.c.</li>
        <li>ACL Consumers - subsystems that use named ACLs to make internal decisions, e.g., chan_sip.</li>
</ul>
<p>Note that the configuration information for these actors could come from a variety of sources, such as .conf files, RealTime backends, etc.</p>
<h2><a name="NamedACLs-NamedACLandConsumersModuleLoad"></a>Named ACL and Consumers - Module Load</h2>
<h5><a name="NamedACLs-Actors"></a>Actors</h5>
<ul>
        <li>Named ACL Subsystem.</li>
        <li>One or more Consumers.</li>
</ul>
<h5><a name="NamedACLs-Preconditions"></a>Preconditions</h5>
<ul>
        <li>Configuration exists for all actors.</li>
</ul>
<h5><a name="NamedACLs-Scenario"></a>Scenario</h5>
<ol>
        <li>The Named ACL Subsystem is initialized.</li>
        <li>The Named ACL Subsystem loads configuration information.</li>
        <li>Each category in the configuration specifies a unique named ACL. Key/value pairs within that category define the rules for that ACL.</li>
        <li>A Consumer is initialized (from here, steps are repeated for each consumer).</li>
        <li>The Consumer loads its configuration information.</li>
        <li>The Consumer's configuration specifies the usage of a named ACL defined by the Named ACL Subsystem.</li>
</ol>
<h5><a name="NamedACLs-PostConditions"></a>Post Conditions</h5>
<ol>
        <li>The Consumers have a key by which they can determine whether or not an address is allowable by that named ACL.</li>
</ol>
<h3><a name="NamedACLs-NamedACLReload"></a>Named ACL - Reload</h3>
<h5><a name="NamedACLs-Actors"></a>Actors</h5>
<ul>
        <li>Named ACL Subsystem.</li>
        <li>User or AMI connection.</li>
        <li>Consumers</li>
</ul>
<h5><a name="NamedACLs-Preconditions"></a>Preconditions</h5>
<ul>
        <li>Updated configuration exists for the Named ACL Subsystem.</li>
</ul>
<h5><a name="NamedACLs-Scenario"></a>Scenario</h5>
<ol>
        <li>The User or an AMI connection initiates a reload operation on the Named ACL Subsystem.</li>
        <li>The Named ACL subsystem reloads configuration information from its configuration.</li>
        <li>Atomically, the ACL subsystem replaces its named ACLs with those from its updated configuration.</li>
        <li>The Named ACL Subsystem notifies Consumers that its configuration was updated.</li>
</ol>
<h5><a name="NamedACLs-Postconditions"></a>Postconditions</h5>
<ol>
        <li>The Named ACL subsystem is reloaded with an updated configuration.</li>
        <li>Consumers are notified that the Named ACL subsystem was updated.</li>
</ol>
<h3><a name="NamedACLs-ConsumerasksfornamedACLinformation"></a>Consumer asks for named ACL information</h3>
<h5><a name="NamedACLs-Actors"></a>Actors</h5>
<ul>
        <li>Named ACL Subsystem.</li>
        <li>A single Consumer.</li>
</ul>
<h5><a name="NamedACLs-Preconditions"></a>Preconditions</h5>
<ul>
        <li>A loaded and configured Named ACL Subsystem and Consumer.</li>
</ul>
<h5><a name="NamedACLs-ScenarionamedACLexists"></a>Scenario - named ACL exists</h5>
<ol>
        <li>The Consumer receives an address that it must verify against a named ACL.</li>
        <li>The Consumer verifies the address using the named ACL information from the Named ACL Subsystem.</li>
</ol>
<h5><a name="NamedACLs-ScenarionamedACLdoesnotexistinNamedACLSubsystem"></a>Scenario - named ACL does not exist in Named ACL Subsystem</h5>
<ol>
        <li>The Consumer receives an address that it must verify against a named ACL.</li>
        <li>The Consumer is unable to obtain ACL information for that named ACL from the Named ACL Subsystem.</li>
        <li>The Consumer warns the system (and relevant security frameworks) of a configuration error.</li>
</ol>
<h1><a name="NamedACLs-UseCasesDynamicNamedACLUpdating"></a>Use Cases - Dynamic Named ACL Updating</h1>
<h2><a name="NamedACLs-Actors"></a>Actors</h2>
<p>In addition to the previously defined actors, the following are also present in these use cases.</p>
<ul>
        <li>Initiator - either a user initiating an update via a CLI command, a third party via an AMI connection, or some other external mechanism</li>
</ul>
<h3><a name="NamedACLs-InitiatorupdatesanamedACL"></a>Initiator updates a named ACL</h3>
<h5><a name="NamedACLs-Actors"></a>Actors</h5>
<ul>
        <li>Initiator.</li>
        <li>Named ACL Subsystem.</li>
        <li>Consumers.</li>
</ul>
<h5><a name="NamedACLs-Preconditions"></a>Preconditions</h5>
<ul>
        <li>A loaded and configured Named ACL Subsystem and Consumer.</li>
</ul>
<h5><a name="NamedACLs-Scenario"></a>Scenario</h5>
<ol>
        <li>Initiator provides information that adds or modified an existing named ACL.</li>
        <li>Named ACL Subsystem updates its information.</li>
        <li>Named ACL Subsystem updates its backing storage.</li>
        <li>The Named ACL Subsystem notifies Consumers that its configuration was updated.</li>
</ol>
<h5><a name="NamedACLs-Postconditions"></a>Postconditions</h5>
<ol>
        <li>The Named ACL subsystem is updated with the new named ACL information.</li>
        <li>Consumers are notified that the Named ACL subsystem was updated.</li>
</ol>
<h3><a name="NamedACLs-ConsumerupdatesanamedACL"></a>Consumer updates a named ACL</h3>
<h5><a name="NamedACLs-Actors"></a>Actors</h5>
<ul>
        <li>Named ACL Subsystem.</li>
        <li>Consumers.</li>
</ul>
<h5><a name="NamedACLs-Preconditions"></a>Preconditions</h5>
<ul>
        <li>A loaded and configured Named ACL Subsystem and Consumer.</li>
        <li>A Consumer has received information that a named ACL should be added or modified.</li>
</ul>
<h5><a name="NamedACLs-ScenarioAddorUpdateAccepted"></a>Scenario - Add or Update Accepted</h5>
<ol>
        <li>Consumer requests that a named ACL be added or updated with the appropriate information.</li>
        <li>Named ACL Subsystem determines that the ACL can be added or updated.</li>
        <li>Named ACL Subsystem updates its information.</li>
        <li>Named ACL Subsystem updates its backing storage.</li>
        <li>The Named ACL Subsystem notifies Consumers that its configuration was updated.</li>
</ol>
<h5><a name="NamedACLs-Postconditions"></a>Postconditions</h5>
<ol>
        <li>The Named ACL subsystem is updated with the new named ACL information.</li>
        <li>Consumers are notified that the Named ACL subsystem was updated.</li>
</ol>
<h5><a name="NamedACLs-ScenarioAddorUpdateRejected"></a>Scenario - Add or Update Rejected</h5>
<ol>
        <li>Consumer requests that a named ACL be added or updated with the appropriate information.</li>
        <li>Named ACL Subsystem determines that the ACL should not be added or updated.</li>
        <li>The Named ACL Subsystem rejects the request.</li>
        <li>The Consumer warns the system (and relevant security frameworks) of a configuration error.</li>
</ol>
<h5><a name="NamedACLs-Postconditions"></a>Postconditions</h5>
<ol>
        <li>No change in the configuration of the Consumer or the Named ACL Subsystem</li>
</ol>
</div>
<div id="commentsSection" class="wiki-content pageSection">
<div style="float: right;" class="grey">
<a href="https://wiki.asterisk.org/wiki/users/removespacenotification.action?spaceKey=AST">Stop watching space</a>
<span style="padding: 0px 5px;">|</span>
<a href="https://wiki.asterisk.org/wiki/users/editmyemailsettings.action">Change email notification preferences</a>
</div>
<a href="https://wiki.asterisk.org/wiki/display/AST/Named+ACLs">View Online</a>
|
<a href="https://wiki.asterisk.org/wiki/pages/diffpagesbyversion.action?pageId=20185274&revisedVersion=5&originalVersion=4">View Changes</a>
|
<a href="https://wiki.asterisk.org/wiki/display/AST/Named+ACLs?showComments=true&showCommentArea=true#addcomment">Add Comment</a>
</div>
</div>
</div>
</div>
</div>
</body>
</html>