[Date Prev][Date Next]
Access Control policies (Re: Proxy cache extension for OpenLDAP)
At 04:29 AM 2002-09-09, Pierangelo Masarati wrote:
>Although feasible (and surely interesting) this doesn't ensure
>the same rights of the source are applied by the caching proxy.
Yes. But this isn't necessarily desired. Say, for example,
your access policy incorporated something like:
Partner A is allowed assess to X, Y, Z.
Partner A will obtain the information from
slave S1 or S2 using the credentials A.
Partner A will ensure X is only available to
employees of class X, Y to class Y,
and Z may be shared with members of
Partner A's service.
Now, one could setup S1 and S2 with just X, Y, and Z
and grant A access to it... or one could setup
S1 and S2 so they include more than X, Y, and Z but
only grant A access to X, Y, and Z.
But in either case, Partner A can set up a proxy server
which connects to either S1 or S2, authenticate as A and
get X, Y, and Z. Parnter A must, of course, must also
establish controls upon this proxy implementing the last
clause of the agreed upon access control policy.
My point here is there are many ways to skin a cat...