
Re: ACL all entry attribute keyword



Sanjay,
Your statement is true.  But for symmetry in parsing and ease
of quickly focusing on whether it is attribute or entry, we defined
the access control attribute the way it is.  I don't see any harm
in leaving it the way it is (especially for ease of use).
Ellen

At 04:46 PM 3/12/2001 -0800, Sanjay Panwar wrote:

Ellen,

I am not clear on the need of having two distinct keywords 'all' and 'entry'. In
fact the 'entry' keyword can be avoided altogether because permissions specific
to an entry can only be applied on the entire entry and not on its parts. Am I
missing something?


- Panwar

Ellen Stokes wrote:

> Sanjay,
>
> Previously we agreed to annotate the BNF to state which perms applied
> to entries and which to attributes. For clarity, I've reworked the BNF
> (just section 4.1.1 so far) to remove the annotation and state clearly in BNF.
>
> Here it is (and I hope I got it right given I'm not a BNF expert)...
>
> ******start BNF***********
>
> entryACI = rights "#" attr "#" subject
>
> subtreeACI = rights "#" attr "#" subject
>
> rights = (("grant:" / "deny:") permissions) /
> ("grant:" permissions ";deny:" permissions)
>
> permissions = entryPerm ("," entryPerm)* "#[entry]" /
> attrPerm ("," attrPerm)* "#[all]" /
> attrPerm ("," attrPerm)* "#" (attribute ("," attribute)*)
>
> entryPerm = "a" / ; add
> "d" / ; delete
> "e" / ; export
> "i" / ; import
> "n" / ; renameDN
> "b" / ; browseDN
> "t" ; returnDN
>
> attrPerm = "r" / ; read
> "s" / ; search
> "w" / ; write (mod-add)
> "o" / ; obliterate (mod-del)
> "c" / ; compare
> "m" ; make
>
> attribute = ; OID syntax (1.3.6.1.4.1.1466.115.121.1.38)
> ; from [ATTR]
>
> subject = ["authnLevel:" authnLevel ":"]
> (("authzID-" authzID) /
> ("role:" dn) /
> ("group:" dn) /
> ("subtree:" dn) /
> ("ipAddress:" ipAddress) /
> "public:" /
> "this:")
>
> authnLevel = "any" /
> "simple" /
> sasl /
> "none" /
> "anonymous" /
>
> sasl = "sasl:"
> ("any" /
> mechanism)
>
> mechanism = ; sasl mechanism from 4.2 of [LDAPv3]
>
> authzID = ; authzID from [AuthMeth] repeated below
> ; for convenience
>
> authzId = dnAuthzId / uAuthzId
>
> ; distinguished-name-based authz id.
> dnAuthzId = "dn:" dn
>
> dn = utf8string ; with syntax defined in [UTF]
>
> ; unspecified userid, UTF-8 encoded.
> uAuthzId = "u:" userid
> userid = utf8string ; syntax unspecified
>
> ; IP address
> ipAddress = IPv6address | printableString
> ; printableString to use a wildcard
> ; domain name such as *.airius.com
> ; to specify a specific DNS domain
>
> ; following is excerpted from [IPV6]
> IPv6address = hexpart [ ":" IPv4address ]
> IPv4address = 1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT
> IPv6prefix = hexpart "/" 1*2DIGIT
>
> hexpart = hexseq | hexseq "::" [ hexseq ] | "::" [ hexseq ]
> hexseq = hex4 *( ":" hex4)
> hex4 = 1*4HEXDIG
>
> printableString ; printableString syntax from [ATTR]
>
> *******endBNF***********
>
> Ellen
>
> At 12:50 PM 3/9/2001 -0800, Sanjay Panwar wrote:
>
> >Question on draft-ietf-ldapext-acl-model-07.txt
> >-----------------------------------------------------
> >
> >WRT attr options
> > attr = "[all]" / "[entry]" / (attribute *("," attribute))
> >
> >Is it necessary to have two different keywords to target Entry and All
> >attributes, since we already have separate sets of permissions for entry
> >and attributes?
> >
> >Is it not sufficient to have only one keyword, let's call it "[all
> >entry]", to target both entry and its attributes? Permission determines
> >whether it can be applied to an entry or attribute as illustrated below.
> >
> > subtreeACI: grant:o # [all entry] # role:cn=SysAdmin,o=Company
> > ; Applies to all attributes as o is an attribute-specific permission
> > subtreeACI: grant:d # [all entry] # role:cn=SysAdmin,o=Company
> > ; Applies to the entry as d is an entry-specific permission
> >
> > With the existing scheme it is possible to define the following ACIs, which
> >do not have any meaning.
> >
> > subtreeACI:grant:o#[entry]#role:cn=SysAdmin,o=Company
> > subtreeACI:grant:d#[all]#role:cn=SysAdmin,o=Company
> >
> >- Panwar
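The check the thread is arguing about, as an added example that is not part of the thread or of the draft: a small validator for the `rights # attr # subject` form of draft-ietf-ldapext-acl-model-07 that splits the permission letters into the draft's entry set (a,d,e,i,n,b,t) and attribute set (r,s,w,o,c,m) and flags an ACI whose letters do not fit its target, i.e. the "meaningless" `grant:o#[entry]` and `grant:d#[all]` cases above. The attribute-name token and the error strings are this example's own assumptions; the draft defers attribute syntax to [ATTR].

```python
import re

# Permission letters from the draft: which apply to entries, which to attributes.
ENTRY_PERMS = set("adenibt")  # add, delete, export, import, renameDN, browseDN, returnDN
ATTR_PERMS = set("rswocm")    # read, search, write, obliterate, compare, make

# Constructed for this example: an attribute descriptor or a dotted OID.
ATTR_TOKEN = re.compile(r"[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+")
RIGHTS_CLAUSE = re.compile(r"(grant|deny):([a-z](?:,[a-z])*)")


def parse_aci(aci):
    """Split 'rights # attr # subject' and decode the grant/deny letter sets."""
    parts = [p.strip() for p in aci.split("#")]
    if len(parts) != 3 or not all(parts):
        raise ValueError("expected exactly: rights # attr # subject")
    rights, target, subject = parts
    perms = {}
    for clause in rights.split(";"):
        m = RIGHTS_CLAUSE.fullmatch(clause.strip())
        if m is None or m.group(1) in perms:
            raise ValueError(f"bad or duplicate rights clause: {clause!r}")
        letters = set(m.group(2).split(","))
        unknown = letters - ENTRY_PERMS - ATTR_PERMS
        if unknown:
            raise ValueError(f"unknown permission letters: {sorted(unknown)}")
        perms[m.group(1)] = letters
    return {"perms": perms, "target": target, "subject": subject}


def check_aci(aci):
    """Return a list of problems; an empty list means the ACI is meaningful.

    [entry] accepts only entry permissions; [all] or an explicit attribute
    list accepts only attribute permissions.  Anything else is the kind of
    ACI the thread says 'does not have any meaning'.
    """
    parsed = parse_aci(aci)
    target = parsed["target"]
    if target == "[entry]":
        allowed, kind = ENTRY_PERMS, "entry"
    elif target == "[all]" or all(ATTR_TOKEN.fullmatch(a.strip()) for a in target.split(",")):
        allowed, kind = ATTR_PERMS, "attribute"
    else:
        return [f"malformed attr field: {target!r}"]
    problems = []
    for action, letters in parsed["perms"].items():
        bad = sorted(letters - allowed)
        if bad:
            problems.append(f"{action}:{','.join(bad)} is not an {kind} permission for target {target}")
    return problems
```

A server that stores ACIs should run a check like this at modify time, so a mismatched rule is rejected rather than silently granting nothing (or, worse, being interpreted loosely by a later implementation).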