[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: commit: ldap/servers/slapd/overlays pcache.c

To: <ando@sys-net.it>
Subject: Re: commit: ldap/servers/slapd/overlays pcache.c
From: "Jong-Hyuk" <jongchoi@OpenLDAP.org>
Date: Tue, 13 Jul 2004 10:33:26 -0400
Cc: "Howard Chu" <hyc@symas.com>, "OpenLDAP Commit" <openldap-commit2devel@OpenLDAP.org>
References: <200407100937.i6A9bm0a062892@cantor.openldap.org> <40F00675.6000407@symas.com> <40F00D14.8030602@sys-net.it> <40F018B2.9070009@symas.com> <010901c466a0$3d1eb680$64644109@watson.ibm.com> <61368.81.72.89.40.1089581010.squirrel@81.72.89.40> <002101c46820$e027e690$3ddb0209@watson.ibm.com> <33368.131.175.154.56.1089647447.squirrel@131.175.154.56> <40F2D803.8020708@symas.com> <002f01c46851$7dbbdd00$3ddb0209@watson.ibm.com> <64704.81.72.89.40.1089666674.squirrel@81.72.89.40> <005501c4685d$15854800$3ddb0209@watson.ibm.com> <61019.81.72.89.40.1089672601.squirrel@81.72.89.40>

> > I think that the access control aspect of the proxy cache in relation to
> > back-ldap needs to be elaborated further. Suppose a situation where the
> > proxy cache stores search entries from the searches having the same
search
> > spec but requested by distinct identities. From the next search, the
> > request
> > will be satisfied by the internal database if they are answerable.
Unless
> > we
> > have the same access control in the proxy cache as in the remote server,
a
> > search  can return entries originally prohibited by the target server. I
> > also suspect that proxyAuthz is required for the proxy cache when it
needs
> > to deal with clients having different access control.
>
> What you're depicting is a scenario where the cached search is done by the
> proxy with some special identity that ensures a broad access, and
> subsequent operations on the cached data are performed locally based on
> the client's identity by means of the local access control rules.  This is
> a very specific scenario that implies a trust relation ship between the
> remote server and the proxy, so that the remote server is willing to give
> broad access to the proxy itself and delegate access control to the proxy.
>  In this case, the cahced request is performed with an administrative
> identity.  I see other possibilities:
>
> a) remote requests are performed by the proxy under an administrative
> identity, cached once for all and then satisfied locally based on the
> client's identity by locally applying acces rules.
> b) remote requests are performed with the client's identity (either by
> binding as the client or by asserting its identity), and cached on a
> per-client basis; access control is directly applied by the remote server,
> and for a client only data it can access is cached.
>
> On the one hand, the latter approach may lead to a proliferation of the
> cached data, but it does not require the remote server to trust the proxy
> and delegate access control.  From my understanding, this latter was the
> approach of proxycache, at least before it made it into an overlay.  Note
> that I'm not favoring any of the approaches (there might even be more,
> with overlappings); they're both reasonable, and may apply to specific
> scenarios.

(b) can be viewed as the current method by and large but there're
differences:
      - It is not crystal clear what you meant by the caching on a
         per-client basis, but it seems to me that the pcache caching
         is not performed on a per-client basis.
      - Hence, if multiple clients having different access controls
         accessed the remote target server, the proxy cache will cache
         their aggregate result. Without the same access control set up
         at the proxy cache, a client can access data in the proxy cache
         which are not allowed in the remote target server.
(a) can be in fact viewed as a replica-initiated replication.
- Jong-Hyuk

Follow-Ups:
- Re: commit: ldap/servers/slapd/overlays pcache.c
  - From: "Pierangelo Masarati" <ando@sys-net.it>

References:
- Re: commit: ldap/servers/slapd/overlays pcache.c
  - From: Howard Chu <hyc@symas.com>
- Re: commit: ldap/servers/slapd/overlays pcache.c
  - From: Pierangelo Masarati <ando@sys-net.it>
- Re: commit: ldap/servers/slapd/overlays pcache.c
  - From: Howard Chu <hyc@symas.com>
- Re: commit: ldap/servers/slapd/overlays pcache.c
  - From: "Jong-Hyuk" <jongchoi@OpenLDAP.org>
- Re: commit: ldap/servers/slapd/overlays pcache.c
  - From: "Pierangelo Masarati" <ando@sys-net.it>
- Re: commit: ldap/servers/slapd/overlays pcache.c
  - From: "Jong-Hyuk" <jongchoi@OpenLDAP.org>
- Re: commit: ldap/servers/slapd/overlays pcache.c
  - From: "Pierangelo Masarati" <ando@sys-net.it>
- Re: commit: ldap/servers/slapd/overlays pcache.c
  - From: Howard Chu <hyc@symas.com>
- Re: commit: ldap/servers/slapd/overlays pcache.c
  - From: "Jong-Hyuk" <jongchoi@OpenLDAP.org>
- Re: commit: ldap/servers/slapd/overlays pcache.c
  - From: "Pierangelo Masarati" <ando@sys-net.it>
- Re: commit: ldap/servers/slapd/overlays pcache.c
  - From: "Jong-Hyuk" <jongchoi@OpenLDAP.org>
- Re: commit: ldap/servers/slapd/overlays pcache.c
  - From: "Pierangelo Masarati" <ando@sys-net.it>

Prev by Date: Re: commit: ldap/servers/slapd/overlays pcache.c
Next by Date: Re: commit: ldap/servers/slapd/overlays pcache.c
Index(es):
- Chronological
- Thread