[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Wishes for set ACLs

Pierangelo Masarati writes:
>Hallvard B Furuseth wrote:
>> 1.
>> It would be nice to have boolean operators on sets.  That allows
>> e.g. 'members of posixGroup A can access members of posixGroup B':
>> (user/uid & [cn=A]/memberUid) && (this/uid & [cn=B]/memberUid)
>> where '&&' would return the empty set if one of the sets are empty, and
>> either the set [] or the last set otherwise.
>> or it could be (...)
> Should be easy; I'd favor the first choice.  I guess you don't want an
> '||' because the '|' already does the trick.

Actually '||' would be useful to short-cut expensive set computations,
if all one wants to know is if the set is non-empty.

Come to think of it, do 'x & y' and 'x + y' compute both sets if they
know that one is empty?

BTW, I've realized that one can use '+' instead of '&&' if one just
wants a true/false test.  Not a clever idea if the sets are large, but
with the example above it works, at it can short-cut like '&&' too.

>> 2.
>> An operator would be useful which escaped the members of a set as DNs.
>> "[cn=] + user/cn + [,o=foo]" is wrong if the cn contains ",".
> Right.  In this case, a generic mechanism might be useful, e.g.
> something like a cast:
> "[cn=] + <DNescape:user/cn> + [,o=foo]"
> looks like we're running out of operators...

Looks like a function call to me.  We are not running out of function
names.  Could even do <complexfunction:arg:arg:arg> - e.g.

Or a postfix form like user/cn@DNescape, [whatever]@normalize(entryDN).

This is getting awfully complex, though...