
Re: Comments on Access Control Model - GetEffectiveRights



Rick,

I agree that there is some work to do in section 9.1:

In particular for the points you raise:
. I also find "*" hard to understand and my intention is to propose
dropping it.  In other words you would only be able to ask about a
_particular_ subject, not "everyone".
. The "rights required" to use the getEffectiveRights control is
certainly an issue.  I see a few options: view it as core to the model
(I believe it is) and so make an explicit permission for it, limit the
getEffectiveRights concept so you cannot ask about "his" rights, but
just your own (i.e. remove the subject entirely as a parameter), define a
way to extend operational permissions and express the permission in
that scheme, and probably lots of others.  Once you have defined the
required rights then I think the "discovery"/discloseOnError type
problem you mention should be easier to resolve.

I hope to have a proposal which will clear up or at least be explicit
about these 9.1 issues for the next draft.

Rob. 

Richard V Huber wrote:
> 
> Section 9.1 says that the subject for GetEffectiveRights may be "*", in
> which case "all DN types are to be used in returning the effective
> rights".  I'm not sure what this means.
> 
> I had a similar question on a previous version of the draft.  The
> response was:
> 
>   < djb > * is intended to return the effective access for all DNs
>   which are defined within the ACI. This is different from simply
>   reading the ACI b/c it does the expansions and evaluations of grant /
>   deny / group memberships etc and returns the granted rights after
>   evaluation.
> 
> But I don't see anything specifying this in the current draft.  And do
> we really want to do this?  What is the intended use?  If I ask for
> effective rights with subject "*" for an object whose ACI is
> "grant:r#[all]#subtree:dc=com" do I get back a list of all the users in
> the dc=com part of the DIT?  And isn't that a security problem?
> 
> I think there are a number of other security issues for
> GetEffectiveRights.  In the "work still to be done" part of Ellen's
> email sending out version -07, she notes:
> 
>   - getEffectiveRights:  address what if not sufficient rights on
>     ldapACI? (get rights based on the bind authzID)".
> 
> Beyond that, don't we need to consider what happens when there are
> insufficient rights on a group or role that needs to be examined to
> calculate effective rights?  And as noted above, the use of subject "*"
> may give back lists of DNs that would otherwise not be accessible to
> the requester.  Even without the "*", GetEffectiveRights might allow
> the requester to confirm the existence of a DN even if the requester
> has no browseDN or returnDN rights for that DN.
> 
> Should we just say that the requester for GetEffectiveRights MUST have
> authorization to access all data touched during evaluation?  Then we
> need to go down the list of things touched and say what permissions are
> needed for each access.
> 
> Rick Huber
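
The three concerns in the thread (the "*" subject enumerating DNs, a
requester who lacks rights on a group consulted during evaluation, and
confirming the existence of a DN through the error path) are easier to
reason about against a running model.  The following is an added example
written for this archive page; it is not code from the draft, from Rob,
or from Rick.  The ACI grammar only approximates the draft's
"grant:r#[all]#subtree:dc=com" form, and the sample directory, the
"deny beats grant" precedence rule, the use of "r" on an entry to stand
for reading its ldapACI, and every function name are assumptions made
for illustration.

```python
# Added example (not from the draft or the thread): a toy effective-rights
# evaluator. ACI grammar, directory contents, precedence rule and helper
# names are all assumptions made for illustration.
from dataclasses import dataclass, field

@dataclass
class Aci:
    action: str     # "grant" or "deny"
    rights: set     # e.g. {"r", "w"}
    subject: str    # "[all]", "dn:<dn>" or "group:<dn>"
    scope: str      # "entry" (this entry only) or "subtree"

@dataclass
class Entry:
    dn: str
    acis: list = field(default_factory=list)
    members: set = field(default_factory=set)  # only used for group entries

# Constructed sample DIT: everyone may read under dc=com, members of
# cn=staff may not read the cn=admins group entry, admins may write
# under ou=secret. DNs are split naively on ","; escaped commas are ignored.
DIRECTORY = {e.dn: e for e in [
    Entry("dc=com", acis=[Aci("grant", {"r"}, "[all]", "subtree")]),
    Entry("cn=admins,dc=com", members={"uid=alice,dc=com"},
          acis=[Aci("deny", {"r"}, "group:cn=staff,dc=com", "entry")]),
    Entry("cn=staff,dc=com", members={"uid=bob,dc=com"}),
    Entry("ou=secret,dc=com",
          acis=[Aci("grant", {"w"}, "group:cn=admins,dc=com", "subtree")]),
    Entry("uid=alice,dc=com"),
    Entry("uid=bob,dc=com"),
]}

def parent(dn):
    head, sep, rest = dn.partition(",")
    return rest if sep else None

def applicable_acis(target_dn):
    """ACIs on the target and its ancestors whose scope covers the target."""
    dn, is_target = target_dn, True
    while dn is not None:
        for aci in DIRECTORY.get(dn, Entry(dn)).acis:
            if is_target or aci.scope == "subtree":
                yield aci
        dn, is_target = parent(dn), False

def subject_matches(aci, subject_dn, touched):
    """True if the ACI subject covers subject_dn; records groups consulted."""
    if aci.subject == "[all]":
        return True
    kind, _, value = aci.subject.partition(":")
    if kind == "dn":
        return value == subject_dn
    if kind == "group":
        touched.add(value)            # membership data was examined
        grp = DIRECTORY.get(value)
        return grp is not None and subject_dn in grp.members
    raise ValueError("unknown subject type: " + kind)

def raw_rights(subject_dn, target_dn, touched=None):
    """Effective rights with no check on who is asking; deny beats grant."""
    touched = set() if touched is None else touched
    granted, denied = set(), set()
    for aci in applicable_acis(target_dn):
        if subject_matches(aci, subject_dn, touched):
            (granted if aci.action == "grant" else denied).update(aci.rights)
    return granted - denied

def star_expansion(target_dn):
    """What a "*" subject would hand back: a row for every DN in the DIT."""
    return {dn: raw_rights(dn, target_dn) for dn in DIRECTORY}

NO_ACCESS = "insufficient access"  # one message for unreadable and absent targets

def get_effective_rights(requester_dn, subject_dn, target_dn):
    """getEffectiveRights gated on the requester's own rights over data touched."""
    if subject_dn == "*":
        raise PermissionError('"*" subject not supported')
    # Reading the target's ACI is modelled as needing "r" on the target; an
    # absent target gets the identical error so existence is not disclosed.
    if target_dn not in DIRECTORY or "r" not in raw_rights(requester_dn, target_dn):
        raise PermissionError(NO_ACCESS)
    touched = set()
    rights = raw_rights(subject_dn, target_dn, touched)
    # Asking about your own rights examines nothing the server would not
    # examine on an ordinary operation; asking about someone else's must not
    # consult group membership the requester cannot read.
    if subject_dn != requester_dn:
        for grp in touched:
            if "r" not in raw_rights(requester_dn, grp):
                raise PermissionError(NO_ACCESS)
    return rights

def check(requester_dn, subject_dn, target_dn):
    """The rights set, or None when the request is refused."""
    try:
        return get_effective_rights(requester_dn, subject_dn, target_dn)
    except PermissionError:
        return None

if __name__ == "__main__":
    for req, subj in [("uid=alice,dc=com", "uid=alice,dc=com"),
                      ("uid=bob,dc=com", "uid=alice,dc=com"),
                      ("uid=bob,dc=com", "*")]:
        print(req, "asks about", subj, "->", check(req, subj, "ou=secret,dc=com"))
    print("what '*' would expand to:", star_expansion("ou=secret,dc=com"))
```

Running it, alice learns she has {"r", "w"} on ou=secret, while bob is
refused when he asks about alice because answering would require the
server to consult cn=admins membership that bob may not read; bob asking
about himself still works, which is the "only your own rights" option
from the reply.  The star_expansion output makes Rick's point concrete:
it returns a row for every DN under dc=com, including group entries the
requester could not otherwise read, which is why the gated function
refuses "*" outright.  A nonexistent target and an unreadable target
produce the same error string, so the control cannot be used to confirm
that a DN exists.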