Currently, ACL evaluation doesn't behave the way people always expect on ADD operations (see ITS#4556). This has been fixed in HEAD, but not currently applied to RE24. I'm currently working on 2.4.13, and wanted to gather general feedback on whether or not it is thought this change should be included. It is a distinct change in behavior, and will break expected behavior for some folks.
Thanks, Quanah
--
Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration
Quanah Gibson-Mount wrote:
> Currently, ACL evaluation doesn't behave the way people always expect on ADD operations (see ITS#4556). This has been fixed in HEAD, but not currently applied to RE24. I'm currently working on 2.4.13, and wanted to gather general feedback on whether or not it is thought this change should be included. It is a distinct change in behavior, and will break expected behavior for some folks.
Wasn't it suggested to add a configuration switch to allow turning it off, at least for the lifespan of 2.4? Much like what happened with schemacheck.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Fax: +39 0382 476497 Email: ando@sys-net.it -----------------------------------
--On Monday, November 10, 2008 9:04 PM +0100 Pierangelo Masarati ando@sys-net.it wrote:
> Quanah Gibson-Mount wrote:
>> Currently, ACL evaluation doesn't behave the way people always expect on ADD operations (see ITS#4556). This has been fixed in HEAD, but not currently applied to RE24. I'm currently working on 2.4.13, and wanted to gather general feedback on whether or not it is thought this change should be included. It is a distinct change in behavior, and will break expected behavior for some folks.
> Wasn't it suggested to add a configuration switch to allow turning it off, at least for the lifespan of 2.4? Much like what happened with schemacheck.
Well, no such keyword exists right now in HEAD. ;) If it gets added, then yeah, this would be a no-brainer. :) Howard says he'll take a look at doing that.
--Quanah
Quanah Gibson-Mount wrote:
> Well, no such keyword exists right now in HEAD. ;) If it gets added, then yeah, this would be a no-brainer. :) Howard says he'll take a look at doing that.
I could do it as well, but probably not before the we (as usual :)
p.
Pierangelo Masarati wrote:
> Quanah Gibson-Mount wrote:
>> Well, no such keyword exists right now in HEAD. ;) If it gets added, then yeah, this would be a no-brainer. :) Howard says he'll take a look at doing that.
> I could do it as well, but probably not before the we (as usual :)
Interestingly, the most difficult part here is coming up with a sensible keyword for this option.
I'm leaning toward add_attr_acl but not too thrilled with that. It's hard to come up with a meaningful name that doesn't get overly verbose. Any other suggestions?
Howard Chu writes:
> I'm leaning toward add_attr_acl but not too thrilled with that. It's hard to come up with a meaningful name that doesn't get overly verbose. Any other suggestions?
Is this a per-database on/off option defaulting from a global setting, or just a global "on if included" option?
Nitpick, but I would call it "access<something>" so it sorts next to "access".
Hallvard B Furuseth wrote:
> Howard Chu writes:
>> I'm leaning toward add_attr_acl but not too thrilled with that. It's hard to come up with a meaningful name that doesn't get overly verbose. Any other suggestions?
> Is this a per-database on/off option defaulting from a global setting, or just a global "on if included" option?
> Nitpick, but I would call it "access<something>" so it sorts next to "access".
"access_check_attrs_on_add" ?
Yes, per-database would be nice. It'd probably cost a char in the BackendDB structure, or would a bit in be_flags suffice?
p.
Hallvard B Furuseth wrote:
> Howard Chu writes:
>> I'm leaning toward add_attr_acl but not too thrilled with that. It's hard to come up with a meaningful name that doesn't get overly verbose. Any other suggestions?
> Is this a per-database on/off option defaulting from a global setting, or just a global "on if included" option?
It's a per-DB boolean, yes. Default is off. (Except for cn=config, which will default on.)
> Nitpick, but I would call it "access<something>" so it sorts next to "access".
Currently I'm using 'add_content_acl' and add* sorts next to "access"...
Howard Chu hyc@symas.com wrote:
> I'm leaning toward add_attr_acl but not too thrilled with that. It's hard to come up with a meaningful name that doesn't get overly verbose. Any other suggestions?
A more general syntax, leaving room for more settings:
attr_acl mod
attr_acl add,mod
attr_acl all
(default, currently add,mod)
Emmanuel Dreyfus wrote:
> Howard Chu hyc@symas.com wrote:
>> I'm leaning toward add_attr_acl but not too thrilled with that. It's hard to come up with a meaningful name that doesn't get overly verbose. Any other suggestions?
> A more general syntax, leaving room for more settings:
> attr_acl mod
> attr_acl add,mod
> attr_acl all
> (default, currently add,mod)
But in this case I don't think we want any more generality. No one should be turning off ACL checks on mod (or any other) operations...
On Mon, Nov 10, 2008 at 12:01:16PM -0800, Quanah Gibson-Mount wrote:
> Currently, ACL evaluation doesn't behave the way people always expect on ADD operations (see ITS#4556). This has been fixed in HEAD, but not currently applied to RE24. I'm currently working on 2.4.13, and wanted to gather general feedback on whether or not it is thought this change should be included. It is a distinct change in behavior, and will break expected behavior for some folks.
It is not clear from the ITS page exactly what the fix eventually was. The discussion turned to ditStructureRules at followup 6, and by followup 8 it appears that the issue is considered 'fixed'.
I assume that the fix was to enforce ACLs on the attributes of an entry before adding it, as originally requested in the ITS. This will need a note in the Admin Guide, but it seems like a Good Thing To Do. I would consider the old (non-enforcing on add) behaviour to be wrong so I would not be worried by the ACLs being enforced in a future version.
Andrew
Andrew Findlay andrew.findlay@skills-1st.co.uk wrote:
> I assume that the fix was to enforce ACLs on the attributes of an entry before adding it, as originally requested in the ITS.
You are right, this is the change.
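A slapd.conf fragment, added here as an illustration and not taken from the thread or from the OpenLDAP sources, showing the per-database switch under the name Howard mentions (add_content_acl) next to an attribute-level ACL; the suffix, group DNs and attribute names are constructed for the example.

```conf
# Constructed example (not from the thread). One database whose ACLs grant
# a helpdesk group the right to create entries under ou=people while
# reserving userPassword and employeeType for the admins group.
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"

# Attribute-level rule: only admins may write these two attributes.
access to attrs=userPassword,employeeType
        by group.exact="cn=admins,ou=groups,dc=example,dc=com" write
        by * auth

# An ADD is authorized through the "children" pseudo-attribute of the
# parent entry; helpdesk may therefore create new entries under ou=people.
access to dn.exact="ou=people,dc=example,dc=com" attrs=children
        by group.exact="cn=helpdesk,ou=groups,dc=example,dc=com" write
        by * none

access to *
        by * read

# Weak setting (the pre-fix behaviour the thread describes, and the
# default the thread settles on for ordinary databases): the ADD is checked
# against the parent's "children" rule only, so helpdesk can create an entry
# that already carries userPassword or employeeType values, sidestepping
# the attrs= rule above.
#add_content_acl off

# Corrected setting: write access to every attribute of the new entry is
# also evaluated before the ADD is performed (the ITS#4556 fix).
add_content_acl on
```

With the switch on, an ADD whose content includes an attribute the binding user may not write is refused with insufficientAccessRights, which is the behaviour Andrew describes as the expected one.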