ACL decisions based on requested access
I have a fairly complicated ACL set which I need to optimize the
evaluation of. To do this I need to make decisions based on the
requested access level, which currently isn't possible (as far as I know
that is). E.g., most of my ACLs are concerned with whether the entries
and attributes should be read or writable or not, and I would like to
quickly grant search access when that is all that is requested.
One possibility I have considered is to add a new optional <requested
access> field between the existing <who> and the <access> clauses, but
I'm not very happy with that solution as it could easily be mixed with
the existing <access>.
So far my preferred solution is to add two new ACL controls, which I
currently think of as "sufficient" and "requested".
The "sufficient" control should act like "stop" (i.e., grant access) if
the effective <access> is sufficient for the requested access level,
The "requested" control should act like "continue" if the effective
<access> matches what is requested, "break" otherwise.
I initially thought that "break" should be the non-match action in both
controls, but I think "continue" is the best for "sufficient" as that
allows further decisions to be made in the same ACL without repeating
the <to> part in a following ACL. At the cost of repeating the <who>
part in a new condition in the same ACL if "break" was really needed.
I.e., both choices have their ups and downs, and I can live with both.

I also thought that "stop" should be the non-match case for "requested"
to make the controls more symmetric. But that removes the ability to
make further decisions in the succeeding rules, which I find highly

These controls would allow access rules like the following to quickly
grant search access if that is all that is requested, while keeping on
processing for other access types:

    access to <what>
        by <who> =s sufficient
        by * break

An access rule where the <who> clauses are only evaluated when write
access is requested could be written like:

    access to <what>
        by * =w requested
        by <who> =w

Comments? It should be fairly easy to implement these controls, and
I'll volunteer to do it if they are acceptable.
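
The control flow proposed in the message above, as an added example that is not part of the original post and is not OpenLDAP code: a toy evaluator that runs the two example rules plus a constructed read rule and counts how many <who> clauses each request touches. Assumptions: every rule's <what> matches, a mask is a set of one-letter privileges, a request asks for one privilege, both controls test whether the requested privilege is in the effective mask, and the group names `users` and `admins` are hypothetical.

```python
# Added illustration, not OpenLDAP code. Toy model of slapd-style ACL evaluation
# extended with the proposed "sufficient" and "requested" controls.
# Assumptions: every ACL's <what> matches the target; a mask is a set of
# one-letter privileges; a request asks for one privilege; both new controls
# test "requested privilege is in the effective mask".

def run_acl(clauses, who, requested, stats):
    """Evaluate one ACL's by-clauses; return (control, mask)."""
    mask = set()
    for subject, privs, control in clauses:
        stats["who_checks"] += 1
        if subject != "*" and subject not in who:
            continue
        if privs is not None:            # "=x" replaces the mask; None leaves it
            mask = set(privs)
        hit = requested in mask
        if control == "sufficient":      # proposed: stop if enough, else continue
            control = "stop" if hit else "continue"
        elif control == "requested":     # proposed: continue on match, else break
            control = "continue" if hit else "break"
        if control != "continue":
            return control, mask
    return "stop", set()                 # implicit "by * none stop"

def check(acls, who, requested):
    """Return (granted, number of <who> clauses evaluated)."""
    stats = {"who_checks": 0}
    for clauses in acls:
        control, mask = run_acl(clauses, who, requested, stats)
        if control == "stop":
            return requested in mask, stats["who_checks"]
    return False, stats["who_checks"]    # no ACL granted access

# Constructed rule set: the two rules from the post plus a read rule.
ACLS = [
    [("users", "s", "sufficient"), ("*", None, "break")],
    [("*", "w", "requested"), ("admins", "w", "stop")],
    [("users", "r", "stop")],
]

if __name__ == "__main__":
    for who, req in [({"users"}, "s"), ({"users"}, "r"),
                     ({"users", "admins"}, "w"), ({"users"}, "w")]:
        print(sorted(who), req, check(ACLS, who, req))
```

A search request from a member of `users` is granted after a single clause, while read and write requests fall through to the later rules; the `admins` clause is reached only when write access is requested.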