
ACL decisions based on requested access



I have a fairly complicated ACL set which I need to optimize the evaluation of. To do this I need to make decisions based on the requested access level, which currently isn't possible (as far as I know, that is). E.g., most of my ACLs are concerned with whether the entries and attributes should be read or writable or not, and I would like to quickly grant search access when that is all that is requested.

One possibility I have considered is to add a new optional <requested access> field between the existing <who> and the <access> clauses, but I'm not very happy with that solution as it could easily be mixed with the existing <access>.

So far my preferred solution is to add two new ACL controls, which I currently think of as "sufficient" and "requested".

The "sufficient" control should act like "stop" (i.e. grant access) if the effective <access> is sufficient for the requested access level, "continue" otherwise.

The "requested" control should act like "continue" if the effective <access> matches what is requested, "break" otherwise.

I initially thought that "break" should be the non-match action in both controls, but I think "continue" is the best for "sufficient" as that allows further decisions to be made in the same ACL without repeating the <to> part in a following ACL. At the cost of repeating the <who> part in a new condition in the same ACL if "break" was really needed. I.e., both choices have their ups and downs, and I can live with both.

I also thought that "stop" should be the non-match case for "requested" to make the controls more symmetric. But that removes the ability to make further decisions in the succeeding rules, which I find highly unsatisfactory.

These controls would allow access rules like the following to quickly grant search access if that is all that is requested, while continuing to process for other access types:

 access to <what>
     by <who> =s sufficient
     by * break

An access rule where the <who> clauses are only evaluated when write access is requested could be written like:

 access to <what>
     by * =w requested
     by <who> =w

Comments? It should be fairly easy to implement these controls, and I'll volunteer to do it if they are acceptable.

--
Rein Tollevik
Basefarm AS
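
Added example, not part of the original message and not OpenLDAP code: a small Python model of how the proposed "sufficient" and "requested" controls would steer evaluation next to the existing stop/continue/break controls. The rule set, the "users"/"admins" labels, the reading of "matches" as "the requested privilege is in the clause's privilege set", and the restriction to "=privs" access specs are assumptions made for illustration.

```python
# Simplified model of slapd ACL evaluation with the two proposed controls.
# Assumptions: only "=privs" access specs, privileges as single letters
# (w, r, s, c), and every rule's <what> matches the target entry.

def evaluate(acls, identity, requested):
    """Return (granted, trace); trace lists each <who> test performed."""
    trace = []
    for clauses in acls:                    # one list per "access to" rule
        for who, privs, control in clauses:
            trace.append(who)
            if who != "*" and who not in identity:
                continue                    # <who> did not match; next "by"
            ok = requested in privs
            if control == "stop":
                return ok, trace
            if control == "sufficient":     # proposed: "stop" if enough,
                if ok:
                    return True, trace
                continue                    # otherwise act as "continue"
            if control == "requested":      # proposed: "continue" on match,
                if ok:
                    continue
                break                       # otherwise act as "break"
            if control == "break":
                break                       # go on to the next rule
            # control == "continue": fall through to the next "by" clause
        else:
            return False, trace             # implicit "by * none stop"
    return False, trace                     # implicit "access to * by * none"

# Constructed rule set built from the two rules in the message, plus a
# final ordinary rule so that non-search requests have somewhere to land.
ACLS = [
    [("users", "s", "sufficient"), ("*", "", "break")],
    [("*", "w", "requested"), ("admins", "w", "stop")],
    [("users", "rsc", "stop")],
]

if __name__ == "__main__":
    for ident, req in [({"users"}, "s"), ({"users"}, "r"),
                       ({"users"}, "w"), ({"users", "admins"}, "w")]:
        print(sorted(ident), req, evaluate(ACLS, ident, req))
```

The trace shows the optimization the message is after: a search request is decided by the first clause, and the "admins" test in the second rule is only reached when write access is requested.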