Re: ACL all entry attribute keyword
Ellen,
I see a need for the ability to target object classes in the same fashion as we can
target attributes. Consider the following schema.
o=a
ou=ab cn=san
ou=abc cn=pan
ou=abcd
1) How can one specify an ACI at o=a, granting 'a' permission for objects of type
organizationalPerson only? I guess with the current definition it can be achieved
by specifying the mandatory attributes of organizationalPerson. But it is not a
foolproof mechanism. What if two object classes have the same set of mandatory
attributes?
2) How can one specify an ACI at o=a, permitting import/export of organizationalUnit
only? e.g. Move ou=abcd,ou=abc,ou=ab,o=a to ou=abcd,ou=ab,o=a.
It should be possible to define an ACI as per the following proposed BNF.
Example ACI
1) entryACI =grant:a # OID.organizationalPerson # role: cn=admin
or
subtreeACI =grant:a # OID.organizationalPerson # role: cn=admin
2) subtreeACI = grant:e,i # OID.organizationalUnit # role: cn=admin
Proposed BNF. The basic idea is that rights or permissions govern whether the ACI
applies to the entry as a whole or to its attributes. Again, I am not an expert in
writing BNF, but I hope that the BNF conveys the intent.
entryACI = rights "#" TargetElement "#" subject
subtreeACI = rights "#" TargetElement "#" subject
rights = (("grant:" / "deny:") permissions) /
("grant:" permissions ";deny:" permissions)
permissions = objPermission / attrPermission
; Ideally I would want to derive these rule names from ElementType
objPermission = "a" / ; add
"d" / ; delete
"e" / ; export
"i" / ; import
"n" / ; renameDN
"b" / ; browseDN
"t" ; returnDN
attrPermission = "r" / ; read
"s" / ; search
"w" / ; write (mod-add)
"o" / ; obliterate (mod-del)
"c" / ; compare
"m" ; make
TargetElement = "[all]" / (ElementType *("," ElementType))
; ElementType can be either attr or obj in a single definition but
; not a combination of both
ElementType = attr / obj
attr = ;OID syntax (1.3.6.1.4.1.1466.115.121.1.38)from [ATTR]
obj = ;OID object class name
subject = ["authnLevel:" authnLevel ":"]
(("authzID-" authzID) /
("role:" dn) /
("group:" dn) /
("subtree:" dn) /
("ipAddress:" ipAddress) /
"public:" /
"this:")
authnLevel = "any" /
"simple" /
sasl /
"none" /
"anonymous"
sasl = "sasl:"
("any" /
mechanism)
mechanism = ; sasl mechanism from 4.2 of [LDAPv3]
authzID = ; authzID from [AuthMeth] repeated below
; for convenience
authzId = dnAuthzId / uAuthzId
; distinguished-name-based authz id.
dnAuthzId = "dn:" dn
dn = utf8string ; with syntax defined in [UTF]
; unspecified userid, UTF-8 encoded.
uAuthzId = "u:" userid
userid = utf8string ; syntax unspecified
; IP address
ipAddress = IPv6address | printableString
; printableString to use a wildcard
; domain name such as *.airius.com
; to specify a specific DNS domain
; following is excerpted from [IPV6]
IPv6address = hexpart [ ":" IPv4address ]
IPv4address = 1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT
IPv6prefix = hexpart "/" 1*2DIGIT
hexpart = hexseq | hexseq "::" [ hexseq ] | "::" [ hexseq ]
hexseq = hex4 *( ":" hex4)
hex4 = 1*4HEXDIG
printableString ; printableString syntax from [ATTR]
-----------------------------------------------------------------------------------
-Panwar
Ellen Stokes wrote:
> Sanjay,
> Your statement is true. But for symmetry in parsing and ease
> of quickly focusing on whether it is attribute or entry, we defined
> the access control attribute the way it is. I don't see any harm
> in leaving it the way it is (especially for ease of use).
> Ellen
>
> At 04:46 PM 3/12/2001 -0800, Sanjay Panwar wrote:
>
> >Ellen,
> >
> >I am not clear on the need of having two distinct keywords 'all' and
> >'entry'. In fact the 'entry' keyword can be avoided altogether because
> >permissions specific to an entry can only be applied on the entire entry
> >and not on its parts. Am I missing something?
> >
> >- Panwar
> >
> >Ellen Stokes wrote:
> >
> > > Sanjay,
> > >
> > > Previously we agreed to annotate the BNF to state which perms applied
> > > to entries and which to attributes. For clarity, I've reworked the BNF
> > > (just section 4.1.1 so far) to remove the annotation and state clearly
> > > in BNF.
> > >
> > > Here it is (and I hope I got it right given I'm not a BNF expert)...
> > >
> > > ******start BNF***********
> > >
> > > entryACI = rights "#" attr "#" subject
> > >
> > > subtreeACI = rights "#" attr "#" subject
> > >
> > > rights = (("grant:" / "deny:") permissions) /
> > > ("grant:" permissions ";deny:" permissions)
> > >
> > > permissions = entryPerm ("," entryPerm)* "#[entry]" /
> > > attrPerm ("," attrPerm)* "#[all]" /
> > > attrPerm ("," attrPerm)* "#" (attribute ("," attribute)*)
> > >
> > > entryPerm = "a" / ; add
> > > "d" / ; delete
> > > "e" / ; export
> > > "i" / ; import
> > > "n" / ; renameDN
> > > "b" / ; browseDN
> > > "t" ; returnDN
> > >
> > > attrPerm = "r" / ; read
> > > "s" / ; search
> > > "w" / ; write (mod-add)
> > > "o" / ; obliterate (mod-del)
> > > "c" / ; compare
> > > "m" ; make
> > >
> > > attribute = ; OID syntax (1.3.6.1.4.1.1466.115.121.1.38)
> > > ; from [ATTR]
> > >
> > > subject = ["authnLevel:" authnLevel ":"]
> > > (("authzID-" authzID) /
> > > ("role:" dn) /
> > > ("group:" dn) /
> > > ("subtree:" dn) /
> > > ("ipAddress:" ipAddress) /
> > > "public:" /
> > > "this:")
> > >
> > > authnLevel = "any" /
> > > "simple" /
> > > sasl /
> > > "none" /
> > > "anonymous"
> > >
> > > sasl = "sasl:"
> > > ("any" /
> > > mechanism)
> > >
> > > mechanism = ; sasl mechanism from 4.2 of [LDAPv3]
> > >
> > > authzID = ; authzID from [AuthMeth] repeated below
> > > ; for convenience
> > >
> > > authzId = dnAuthzId / uAuthzId
> > >
> > > ; distinguished-name-based authz id.
> > > dnAuthzId = "dn:" dn
> > >
> > > dn = utf8string ; with syntax defined in [UTF]
> > >
> > > ; unspecified userid, UTF-8 encoded.
> > > uAuthzId = "u:" userid
> > > userid = utf8string ; syntax unspecified
> > >
> > > ; IP address
> > > ipAddress = IPv6address | printableString
> > > ; printableString to use a wildcard
> > > ; domain name such as *.airius.com
> > > ; to specify a specific DNS domain
> > >
> > > ; following is excerpted from [IPV6]
> > > IPv6address = hexpart [ ":" IPv4address ]
> > > IPv4address = 1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT
> > > IPv6prefix = hexpart "/" 1*2DIGIT
> > >
> > > hexpart = hexseq | hexseq "::" [ hexseq ] | "::" [ hexseq ]
> > > hexseq = hex4 *( ":" hex4)
> > > hex4 = 1*4HEXDIG
> > >
> > > printableString ; printableString syntax from [ATTR]
> > >
> > > *******endBNF***********
> > >
> > > Ellen
> > >
> > > At 12:50 PM 3/9/2001 -0800, Sanjay Panwar wrote:
> > >
> > > >Question on draft-ietf-ldapext-acl-model-07.txt
> > > >-----------------------------------------------------
> > > >
> > > >WRT attr options
> > > > attr = "[all]" / "[entry]" / (attribute *("," attribute))
> > > >
> > > > >Is it necessary to have two different keywords to target Entry and All
> > > > >attributes, since we already have a separate set of permissions for entry
> > > > >and attributes?
> > > > >
> > > > >Is it not sufficient to have only one keyword, let's call it "[all entry]",
> > > > >to target both the entry and its attributes? Permission determines whether
> > > > >it can be applied to an entry or attribute, as illustrated below.
> > > >
> > > > > subtreeACI: grant:o # [all entry] # role:cn=SysAdmin,o=Company
> > > > > ; Applies to all attributes as o is an attribute-specific permission
> > > > > subtreeACI: grant:d # [all entry] # role:cn=SysAdmin,o=Company
> > > > > ; Applies to the entry as d is an entry-specific permission
> > > >
> > > > > With the existing scheme it is possible to define the following ACIs, which
> > > > >do not have any meaning.
> > > >
> > > > subtreeACI:grant:o#[entry]#role:cn=SysAdmin,o=Company
> > > > subtreeACI:grant:d#[all]#role:cn=SysAdmin,o=Company
> > > >
> > > >- Panwar
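The draft-07 syntax debated in this thread, as an added example that is not part of the thread or of the draft: a small Python validator for entryACI/subtreeACI values that parses the rights, target and subject fields and rejects the two combinations Panwar calls meaningless (an attribute permission aimed at [entry], an entry permission aimed at [all] or an attribute list). The attribute-descriptor pattern and the simplified subject check are assumptions of this example, not rules taken from the draft.

```python
import re

# Permission letters as the draft's BNF partitions them (entryPerm vs. attrPerm).
ENTRY_PERMS = set("adeinbt")
ATTR_PERMS = set("rswocm")
RIGHTS_RE = re.compile(r"(grant|deny):([adeinbtrswocm](?:,[adeinbtrswocm])*)")
# Optional "authnLevel:<level>:" prefix, then one of the BNF's subject forms (simplified).
SUBJECT_RE = re.compile(
    r"(?:authnLevel:(?:any|simple|none|anonymous|sasl:[^:]+):)?"
    r"(?:authzID-(?:dn|u):.+|(?:role|group|subtree|ipAddress):.+|public:|this:)")
ATTR_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+")  # assumed: descriptor or dotted OID


def parse_aci(line):
    """Parse '<entryACI|subtreeACI>: rights # attr # subject' as in draft-07; raise
    ValueError for syntax errors and for ACIs the grammar admits but that cannot apply."""
    m = re.fullmatch(r"\s*(entryACI|subtreeACI)\s*:\s*(.*?)\s*", line)
    if not m:
        raise ValueError("not an ACI value")
    kind, body = m.groups()
    fields = [f.strip() for f in body.split("#")]
    if len(fields) != 3:
        raise ValueError("expected rights # attr # subject")
    rights, target, subject = fields
    clauses = [RIGHTS_RE.fullmatch(c.strip()) for c in rights.split(";")]  # (grant|deny):p or grant:p;deny:p
    actions = [c.group(1) for c in clauses if c]
    if not all(clauses) or actions not in (["grant"], ["deny"], ["grant", "deny"]):
        raise ValueError("bad rights: %r" % rights)
    grants = [(c.group(1), set(c.group(2).split(","))) for c in clauses]
    perms = set().union(*(p for _, p in grants))
    if perms & ENTRY_PERMS and perms & ATTR_PERMS:
        raise ValueError("entry and attribute permissions mixed in one ACI")
    if perms & ENTRY_PERMS and target != "[entry]":
        raise ValueError("entry permissions need the [entry] target, got %r" % target)
    if perms & ATTR_PERMS and target == "[entry]":
        raise ValueError("attribute permissions cannot target [entry]")
    attrs = [target] if target in ("[all]", "[entry]") else [a.strip() for a in target.split(",")]
    if target not in ("[all]", "[entry]") and not all(ATTR_RE.fullmatch(a) for a in attrs):
        raise ValueError("bad attribute list: %r" % target)
    if not SUBJECT_RE.fullmatch(subject):
        raise ValueError("bad subject: %r" % subject)
    return {"kind": kind, "rights": grants, "target": attrs, "subject": subject}


def validate_aci(line):
    """Return '' when the ACI is well-formed and consistent, else the reason."""
    try:
        parse_aci(line)
        return ""
    except ValueError as e:
        return str(e)
```

Run validate_aci over the two ACIs Panwar lists as meaningless and both come back with a reason, while a grant of r,s on [all] or of a,d on [entry] passes.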