
Re: ACL all entry attribute keyword



Ellen,

I am not clear on the need for having two distinct keywords 'all' and 'entry'. In
fact the 'entry' keyword can be avoided altogether because permissions specific
to an entry can only be applied on the entire entry and not on its parts. Am I
missing something?

- Panwar

Ellen Stokes wrote:

> Sanjay,
>
> Previously we agreed to annotate the BNF to state which perms applied
> to entries and which to attributes.  For clarity, I've reworked the BNF
> (just section 4.1.1 so far) to remove the annotation and state clearly in BNF.
>
> Here it is (and I hope I got it right given I'm not a BNF expert)...
>
> ******start BNF***********
>
>   entryACI = rights "#" attr "#" subject
>
>   subtreeACI = rights "#" attr "#" subject
>
>   rights = (("grant:" / "deny:") permissions) /
>            ("grant:" permissions ";deny:" permissions)
>
>   permissions = entryPerm ("," entryPerm)* "#[entry]" /
>                 attrPerm ("," attrPerm)* "#[all]" /
>                 attrPerm ("," attrPerm)* "#" (attribute ("," attribute)*)
>
>   entryPerm = "a" / ; add
>               "d" / ; delete
>               "e" / ; export
>               "i" / ; import
>               "n" / ; renameDN
>               "b" / ; browseDN
>               "t"   ; returnDN
>
>   attrPerm = "r" / ; read
>              "s" / ; search
>              "w" / ; write (mod-add)
>              "o" / ; obliterate (mod-del)
>              "c" / ; compare
>              "m"   ; make
>
>   attribute = ; OID syntax (1.3.6.1.4.1.1466.115.121.1.38)
>               ;     from [ATTR]
>
>   subject = ["authnLevel:" authnLevel ":"]
>               (("authzID-" authzID) /
>               ("role:" dn) /
>               ("group:" dn) /
>               ("subtree:" dn) /
>               ("ipAddress:" ipAddress) /
>               "public:" /
>               "this:")
>
>   authnLevel = "any" /
>                "simple" /
>                sasl /
>                "none" /
>                "anonymous" /
>
>   sasl = "sasl:"
>          ("any" /
>          mechanism)
>
>   mechanism = ; sasl mechanism from 4.2 of [LDAPv3]
>
>   authzID = ; authzID from [AuthMeth] repeated below
>             ;    for convenience
>
>   authzId = dnAuthzId / uAuthzId
>
>   ; distinguished-name-based authz id.
>   dnAuthzId  = "dn:" dn
>
>   dn = utf8string ; with syntax defined in [UTF]
>
>   ; unspecified userid, UTF-8 encoded.
>   uAuthzId   = "u:" userid
>   userid     = utf8string ; syntax unspecified
>
>   ; IP address
>   ipAddress   = IPv6address | printableString
>                 ; printableString to use a wildcard
>                 ;    domain name such as *.airius.com
>                 ;    to specify a specific DNS domain
>
>   ; following is excerpted from [IPV6]
>   IPv6address = hexpart [ ":" IPv4address ]
>   IPv4address = 1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT
>   IPv6prefix  = hexpart "/" 1*2DIGIT
>
>   hexpart = hexseq | hexseq "::" [ hexseq ] | "::" [ hexseq ]
>   hexseq  = hex4 *( ":" hex4)
>   hex4    = 1*4HEXDIG
>
>   printableString ; printableString syntax from [ATTR]
>
> *******endBNF***********
>
> Ellen
>
> At 12:50 PM 3/9/2001 -0800, Sanjay Panwar wrote:
>
> >Question on draft-ietf-ldapext-acl-model-07.txt
> >-----------------------------------------------------
> >
> >WRT attr options
> >                attr = "[all]" / "[entry]" / (attribute *("," attribute))
> >
> >Is it necessary to have two different keywords to target Entry and All
> >attributes, since we already have a separate set of permissions for entry
> >and attributes.
> >
> >Is it not sufficient to have only one keyword, let's call it "[all
> >entry]", to target both the entry and its attributes. Permission determines
> >whether it can be applied to an entry or attribute as illustrated below.
> >
> >   subtreeACI: grant:o # [all entry] # role:cn=SysAdmin,o=Company
> >                   ; Applies to all attributes as o is an attribute-specific permission
> >   subtreeACI: grant:d # [all entry] # role:cn=SysAdmin,o=Company
> >                  ; Applies to the entry as d is an entry-specific permission
> >
> >  With the existing scheme it is possible to define the following ACIs, which
> >do not have any meaning.
> >
> >   subtreeACI:grant:o#[entry]#role:cn=SysAdmin,o=Company
> >   subtreeACI:grant:d#[all]#role:cn=SysAdmin,o=Company
> >
> >- Panwar
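The following parser is an added example and is not code from the thread, the draft, or any LDAP server. It implements the "rights # attr # subject" layout of the -07 draft that Sanjay quotes, with the pairing that Ellen's reworked permissions rule expresses: entry permissions (a,d,e,i,n,b,t) may only target [entry], and attribute permissions (r,s,w,o,c,m) may only target [all] or a named attribute list. Assumptions not taken from the draft: attribute types are validated as either a descriptor or a numeric OID, the authnLevel prefix is parsed with a simple regular expression, and the sample ACI values in the block are constructed (two of them are the "meaningless" ACIs from Sanjay's message, which this grammar rejects).

```python
"""Parser for the ACI value syntax discussed in the thread, enforcing the
entry/attribute consistency rule that Ellen's reworked BNF encodes.

Assumptions (not from the draft): values are laid out as rights "#" attr "#"
subject; attribute types are a descriptor or a numeric OID; unknown subject
kinds are rejected.
"""
import re

# Permission letters from the BNF in the thread; the two sets do not overlap.
ENTRY_PERMS = frozenset("adeinbt")   # add, delete, export, import, renameDN, browseDN, returnDN
ATTR_PERMS = frozenset("rswocm")     # read, search, write, obliterate, compare, make

# Assumed attribute-type syntax: a descriptor (cn, userPassword) or a numeric OID.
ATTR_RE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)$")
# Optional 'authnLevel:<level>:' prefix on the subject (sasl:<mechanism> allowed).
AUTHN_RE = re.compile(r"^authnLevel:(any|simple|none|anonymous|sasl:[^:]+):(.*)$")
VALUED_SUBJECTS = ("authzID-dn", "authzID-u", "role", "group", "subtree", "ipAddress")


class AciError(ValueError):
    """Raised for any value the grammar or the consistency rule rejects."""


def parse_rights(text):
    """'grant:p,p' / 'deny:p,p' / 'grant:p;deny:p' -> {'grant': [...], 'deny': [...]}."""
    clauses = text.split(";")
    if len(clauses) > 2:
        raise AciError(f"too many rights clauses in {text!r}")
    rights = {}
    for i, clause in enumerate(clauses):
        action, sep, perms = clause.partition(":")
        if not sep or action not in ("grant", "deny"):
            raise AciError(f"bad rights clause {clause!r}")
        # Two clauses must appear in the order grant;deny, as in the BNF.
        if len(clauses) == 2 and action != ("grant", "deny")[i]:
            raise AciError(f"rights must be 'grant:...;deny:...', got {text!r}")
        letters = perms.split(",")
        for p in letters:
            if p not in ENTRY_PERMS and p not in ATTR_PERMS:
                raise AciError(f"unknown permission {p!r}")
        rights[action] = letters
    return rights


def parse_attr(text):
    """'[entry]' / '[all]' / 'a,b,c' -> (scope, attribute list or None)."""
    if text == "[entry]":
        return "entry", None
    if text == "[all]":
        return "all", None
    attrs = text.split(",")
    for a in attrs:
        if not ATTR_RE.match(a):
            raise AciError(f"bad attribute type {a!r}")
    return "attrs", attrs


def parse_subject(text):
    """Optional authnLevel prefix, then exactly one subject form."""
    authn = "any"
    m = AUTHN_RE.match(text)
    if m:
        authn, text = m.group(1), m.group(2)
    kind, sep, value = text.partition(":")
    if not sep:
        raise AciError(f"subject {text!r} has no ':'")
    if kind in ("public", "this"):
        if value:
            raise AciError(f"{kind}: takes no value")
        return {"authnLevel": authn, "kind": kind, "value": None}
    if kind in VALUED_SUBJECTS and value:
        return {"authnLevel": authn, "kind": kind, "value": value}
    raise AciError(f"bad subject {text!r}")


def parse_aci(value):
    """Parse one entryACI/subtreeACI value and enforce the perm/target pairing."""
    parts = value.split("#", 2)   # maxsplit so an escaped '#' inside the subject DN survives
    if len(parts) != 3:
        raise AciError(f"expected rights#attr#subject, got {value!r}")
    rights = parse_rights(parts[0].strip())
    scope, attrs = parse_attr(parts[1].strip())
    subject = parse_subject(parts[2].strip())
    # The point of the thread: entry permissions only make sense against
    # [entry]; attribute permissions only against [all] or a named list.
    allowed = ENTRY_PERMS if scope == "entry" else ATTR_PERMS
    for action, perms in rights.items():
        bad = [p for p in perms if p not in allowed]
        if bad:
            raise AciError(f"{action} {','.join(bad)} cannot target {parts[1].strip()}")
    return {"rights": rights, "scope": scope, "attributes": attrs, "subject": subject}


def is_valid(value):
    """True if parse_aci accepts the value, False if it raises AciError."""
    try:
        parse_aci(value)
    except AciError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample values; the last two are the ACIs Sanjay calls meaningless.
    for aci in [
        "grant:d#[entry]#role:cn=SysAdmin,o=Company",
        "grant:o#[all]#role:cn=SysAdmin,o=Company",
        "grant:o#[entry]#role:cn=SysAdmin,o=Company",
        "grant:d#[all]#role:cn=SysAdmin,o=Company",
    ]:
        print(f"{aci:48} -> {'ok' if is_valid(aci) else 'rejected'}")
```

Rejecting at parse time is the practical difference between the two proposals: with a single "[all entry]" target the server has to decide at evaluation time which permissions apply, whereas with the pairing enforced in the grammar a misconfigured ACI never enters the directory.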