Re: Wishes for set ACLs
Pierangelo Masarati writes:
>Hallvard B Furuseth wrote:
>> It would be nice to have boolean operators on sets. That allows
>> e.g. 'members of posixGroup A can access members of posixGroup B':
>> (user/uid & [cn=A]/memberUid) && (this/uid & [cn=B]/memberUid)
>> where '&&' would return the empty set if one of the sets is empty, and
>> either the set or the last set otherwise.
>> or it could be (...)
> Should be easy; I'd favor the first choice. I guess you don't want an
> '||' because the '|' already does the trick.
Actually '||' would be useful to short-cut expensive set computations,
if all one wants to know is if the set is non-empty.
Come to think of it, do 'x & y' and 'x + y' compute both sets if they
know that one is empty?
BTW, I've realized that one can use '+' instead of '&&' if one just
wants a true/false test. Not a clever idea if the sets are large, but
with the example above it works, and it can short-cut like '&&' too.
>> An operator would be useful which escaped the members of a set as DNs.
>> "[cn=] + user/cn + [,o=foo]" is wrong if the cn contains ",".
> Right. In this case, a generic mechanism might be useful, e.g.
> something like a cast:
> "[cn=] + <DNescape:user/cn> + [,o=foo]"
> looks like we're running out of operators...
Looks like a function call to me. We are not running out of function
names. Could even do <complexfunction:arg:arg:arg> - e.g.
Or a postfix form like user/cn@DNescape, [whatever]@normalize(entryDN).
This is getting awfully complex, though...
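One way to implement the escaping a DNescape cast would need, as an added example that is not OpenLDAP's code: it follows the RFC 4514 string-representation rules and uses the hypothetical names dn_escape, build_member_dn and split_rdns; the cn values are constructed.

```python
# Added example, not OpenLDAP's set-ACL code: RFC 4514 escaping of an
# attribute value before it is spliced into a DN, versus the naive
# "[cn=] + user/cn + [,o=foo]" concatenation discussed in the thread.

# Characters that must be escaped anywhere inside an RDN value (RFC 4514 2.4).
_SPECIAL = set(',+"\\<>;')

def dn_escape(value: str) -> str:
    """Escape one attribute value for use as an RDN value.

    Backslash-escapes the special characters, '#' only at the start,
    a leading or trailing space, and writes NUL as the hex pair \\00.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)

def build_member_dn(cn: str, escape: bool = True) -> str:
    """Mimic "[cn=] + user/cn + [,o=foo]" with or without a DNescape cast."""
    return "cn=" + (dn_escape(cn) if escape else cn) + ",o=foo"

def split_rdns(dn: str) -> list:
    """Split a DN at unescaped commas (minimal, not a full RFC 4514 parser).

    Shows how many RDNs a comparison would see in each variant.
    """
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep the escape pair intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts
```

A cn of "x,o=bar" yields three RDNs without escaping but two with it, which is exactly the difference the "wrong if the cn contains ','" remark refers to.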