Re: ACL decisions based on requested access

Rein Tollevik writes:
> The "sufficient" control should act like "stop" (i.e. grant access) if 
> the effective <access> is sufficient for the requested access level, 
> "continue" otherwise.

It's <access> which grants access, "stop" just says "don't look for
more access rules to apply".  So this in particular makes me nervous:

> The "requested" control should act like "continue" if the effective 
> <access> matches what is requested, "break" otherwise.

because this:

>  access to <what> by * =w requested by <who> =w

actually grants everyone other than <who> access too, but only when they
don't need it.  That matters if something (now or in the future)
combines and caches access levels for the duration of an operation, or
checks the access level somehow and applies it "by hand".

An alternative would be to make it part of <what> and/or <who>:
   access to requested="=w" <rest of <what>> by <who> =w by * break
That might still get problems with caching, but less severely so.

I suppose it could be defined as an optimization hint which slapd at
least in theory may ignore, so it's a user error if the access rules are
written so it makes a difference whether or not slapd applies it.  But
that wouldn't make it easier to understand the access rules:-(

Other notes:

It might be useful to allow stop/continue/break after requested/sufficient.

Is there a reason why you have different access tests? Effective access
"is sufficient for" vs. "matches" requested access.