[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL decisions based on requested access

Hallvard B Furuseth wrote:
Rein Tollevik writes:
The "sufficient" control should act like "stop" (i.e grant access) if the effective <access> is sufficient for the requested access level, "continue" otherwise.

It's <access> which grants access, "stop" just says "don't look for
more access rules to apply".  So this in particular makes me nervous:

Yes, this was not the best wording.. It is not the "stop" by itself that grants access, but since "stop" would only be done after access had been tested to be granted the overall effect when the stop was taken would be to grant access.

The "requested" control should act like "continue" if the effective <access> matches what is requested, "break" otherwise.

because this:

 access to <what> by * =w requested by <who> =w

actually grants everyone else than <who> access too, but only when they
don't need it.  That matters if something (now or in the future)
combines and caches access levels for the duration of an operation, or
checks the access level somehow and applies it "by hand".

The <access> in the "requested" control would have to be tested without being assigned to the effective access. Which is not how the other <access> assignments are evaluated :-(

Caching would have to include the requested access level. Given the dynamic nature of some ACL conditions (dynacl, sets), it is already questionably how much can be cached.. The current access_allowed() API returns a boolean grant/deny status for a requested access, so external "by hand" access level checks would, apart from being bad coding, not make any sense.

An alternative would be to make it part of <what> and/or <who>:
   access to requested="=w" <rest of <what>> by <who> =w by * break
That might still get problems with caching, but less severly so.

Yes, this looks as a better approach than the "requested" control. But doing it belongs in another proposal.

I first thought of the "requested" control as "required", and it was a direct opposite to "sufficient". But I didn't find it very useful (at least for me), and it evolved into "requested". Which probably was an unfortunate diversion, since it differ from the current <access> concept.

I now think it is best to go back to "sufficient" and "required" (or some better names?). "sufficient" would "stop" if the effective <access> grants access, "continue" otherwise, while "required" would "stop" if the <access> denies access, "continue" otherwise.

The usage rules would be that "sufficient" can be used when all succeeding rules grants privileges above the <access> level, while "required" can be used when the succeeding rules all grants fewer privileges.

The current effective access level can be tested without altering it with an access of "+0" (or doing the equivalent of leaving it out).

And, provided the "continue" control would be taken in the no-stop case, the following would be equivalent (although the first variants should definitely not be the preferred):

 access to * by * <access> sufficient
 access to * by * <access>

as would these:

 access to * by * <access> required
 access to * by * none

These follows from the implicit "by * none" at the end of all ACLs.

I suppose it could be defined as an optimization hint which slapd at
least in theory may ignore, so it's a user error if the access rules are
written so it makes a difference whether or not slapd applies it.  But
that wouldn't make it easier to understand the access rules:-(

Other notes:

It might be useful to allow stop/continue/break after requested/sufficient.

Yes, I was thinking along those lines too, although I put them in the opposite order. I ditched it since it would introduce a new concept into the ACLs, which I didn't want to do. It would eliminate the problem of whether "continue" or "break" should be the actions in the no-stop case though..

Is there a reason why you have different access tests? Effective access
"is sufficient for" vs. "matches" requested access.

Yes, the unfortunate diversion mentioned above...