
Comments on Access Control Model - GetEffectiveRights



Section 9.1 says that the subject for GetEffectiveRights may be "*", in
which case "all DN types are to be used in returning the effective
rights".  I'm not sure what this means.

I had a similar question on a previous version of the draft.  The
response was:

  < djb > * is intended to return the effective access for all DNs
  which are defined within the ACI. This is different from simply
  reading the ACI b/c it does the expansions and evaluations of grant /
  deny / group memberships etc and returns the granted rights after
  evaluation.

But I don't see anything specifying this in the current draft.  And do
we really want to do this?  What is the intended use?  If I ask for
effective rights with subject "*" for an object whose ACI is
"grant:r#[all]#subtree:dc=com" do I get back a list of all the users in
the dc=com part of the DIT?  And isn't that a security problem?

I think there are a number of other security issues for
GetEffectiveRights.  In the "work still to be done" part of Ellen's
email sending out version -07, she notes:

  - getEffectiveRights:  address what if not sufficient rights on
    ldapACI? (get rights based on the bind authzID).

Beyond that, don't we need to consider what happens when there are
insufficient rights on a group or role that needs to be examined to
calculate effective rights?  And as noted above, the use of subject "*"
may give back lists of DNs that would otherwise not be accessible to
the requester.  Even without the "*", GetEffectiveRights might allow
the requester to confirm the existence of a DN even if the requester
has no browseDN or returnDN rights for that DN.

Should we just say that the requester for GetEffectiveRights MUST have
authorization to access all data touched during evaluation?  Then we
need to go down the list of things touched and say what permissions are
needed for each access.

Rick Huber
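The disclosure problem and the proposed "must be able to read everything touched" rule, as an added toy model; this is constructed for illustration and is not code from the access control model draft or from the author of the message. It assumes ACI strings of the shape quoted above ("grant:r#[all]#subtree:dc=com") with subjects written as dn:, group: or subtree:, a single read right "r" standing in for the draft's separate read, browseDN and returnDN rights, and an invented in-memory directory; the function names are likewise assumptions.

```python
"""Toy model of GetEffectiveRights with and without a requester check.

Added, constructed example (not from the draft or the message author). Assumes:
  * ACI syntax as quoted in the message, subjects as dn:/group:/subtree:<DN>;
  * one read right "r" standing in for read, browseDN and returnDN;
  * a constructed directory whose DNs are invented.
"""

# Constructed directory: DN -> attributes. Each entry carries its own ACI list;
# groups carry a "member" attribute.
DIRECTORY = {
    "dc=com": {"aci": ["grant:r#[all]#subtree:dc=com",
                       "deny:r#[all]#dn:cn=bob,dc=com"]},
    "cn=admins,dc=com": {"member": ["cn=alice,dc=com"],
                         "aci": ["grant:r#[all]#group:cn=admins,dc=com"]},
    "cn=alice,dc=com": {"aci": ["grant:r#[all]#dn:cn=alice,dc=com"]},
    "cn=bob,dc=com": {"aci": ["grant:r#[all]#dn:cn=bob,dc=com"]},
    "cn=hr-data,dc=com": {"aci": ["grant:r#[all]#subtree:dc=com",
                                  "grant:r#[all]#group:cn=admins,dc=com"]},
}

def parse_aci(aci):
    """'grant:r#[all]#subtree:dc=com' -> ('grant', {'r'}, 'subtree:dc=com')."""
    head, _attrs, subject = aci.split("#")
    action, rights = head.split(":")
    return action, set(rights), subject

def in_subtree(dn, base):
    return dn == base or dn.endswith("," + base)

def subject_matches(subject, dn, touched):
    """Does the ACI subject spec cover dn? Group checks read the group entry."""
    kind, _, value = subject.partition(":")
    if kind == "dn":
        return dn == value
    if kind == "subtree":
        return in_subtree(dn, value)
    if kind == "group":
        touched.add(value)          # membership lookup touches the group entry
        return dn in DIRECTORY[value].get("member", [])
    raise ValueError("unknown subject spec: " + subject)

def evaluate_rights(entry_dn, subject_dn, touched):
    """Rights subject_dn holds on entry_dn; any deny overrides a grant."""
    touched.add(entry_dn)           # evaluating an entry's ACI touches the entry
    granted, denied = set(), set()
    for aci in DIRECTORY[entry_dn]["aci"]:
        action, rights, subject = parse_aci(aci)
        if subject_matches(subject, subject_dn, touched):
            (granted if action == "grant" else denied).update(rights)
    return granted - denied

def expand_star(entry_dn, touched):
    """Subject '*': every DN the entry's ACI names, groups and subtrees expanded."""
    dns = set()
    for aci in DIRECTORY[entry_dn]["aci"]:
        kind, _, value = parse_aci(aci)[2].partition(":")
        if kind == "dn":
            dns.add(value)
        elif kind == "group":
            touched.add(value)
            dns.update(DIRECTORY[value].get("member", []))
        elif kind == "subtree":
            dns.update(d for d in DIRECTORY if in_subtree(d, value))
    return dns

def get_effective_rights_unguarded(target, subject):
    """As the draft reads now: nothing checks what the requester may see."""
    touched = set()
    subjects = expand_star(target, touched) if subject == "*" else {subject}
    return {dn: evaluate_rights(target, dn, touched) for dn in subjects}

def unreadable_by(requester, touched):
    """Entries among `touched` on which the requester lacks read.
    (Group lookups made while checking are not themselves re-checked here;
    that recursion is exactly the open question in the message.)"""
    return sorted(dn for dn in touched
                  if "r" not in evaluate_rights(dn, requester, set()))

def get_effective_rights_guarded(target, subject, requester):
    """Proposed rule: the requester must be able to read every entry touched
    during evaluation and every DN the answer would confirm exists."""
    touched = set()
    subjects = expand_star(target, touched) if subject == "*" else {subject}
    result = {dn: evaluate_rights(target, dn, touched) for dn in subjects}
    touched |= set(result)          # DNs reported back are disclosed too
    missing = unreadable_by(requester, touched)
    if missing:
        raise PermissionError(missing)
    return result

if __name__ == "__main__":
    # bob gets the admins membership and a listing of all of dc=com...
    print(get_effective_rights_unguarded("cn=hr-data,dc=com", "*"))
    # ...while the guarded variant refuses and names the entries he cannot read.
    try:
        get_effective_rights_guarded("cn=hr-data,dc=com", "*", "cn=bob,dc=com")
    except PermissionError as err:
        print("refused, unreadable:", err.args[0])
    print(get_effective_rights_guarded("cn=hr-data,dc=com",
                                       "cn=alice,dc=com", "cn=alice,dc=com"))
```

Run as a script, the unguarded call answers bob's "*" query on cn=hr-data with every DN under dc=com (the subtree grant) plus the expanded admins membership, even though bob cannot read cn=admins or cn=alice; the guarded call refuses and lists exactly those entries, while alice asking about herself is still answered because every entry touched (cn=hr-data, the admins group, her own entry) is one she can read.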