12:01 p.m.
Currently, ACL evaluation doesn't behave the way people always expect on
ADD operations (see ITS#4556). This has been fixed in HEAD, but not
currently applied to RE24. I'm currently working on 2.4.13, and wanted to
gather general feedback on whether or not it is thought this change should
be included. It is a distinct change in behavior, and will break expected
behavior for some folks.
Thanks,
Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
12:04 p.m.
Quanah Gibson-Mount wrote:
Currently, ACL evaluation doesn't behave the way people always
expect on
ADD operations (see ITS#4556). This has been fixed in HEAD, but not
currently applied to RE24. I'm currently working on 2.4.13, and wanted
to gather general feedback on whether or not it is thought this change
should be included. It is a distinct change in behavior, and will break
expected behavior for some folks.
Wasn't it suggested to add a configuration switch to allow turning it
off, at least for the lifespan of 2.4? Much like what happened with
schemacheck.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando(a)sys-net.it
-----------------------------------
12:27 p.m.
--On Monday, November 10, 2008 9:04 PM +0100 Pierangelo Masarati
<ando(a)sys-net.it> wrote:
Quanah Gibson-Mount wrote:
> Currently, ACL evaluation doesn't behave the way people always expect on
> ADD operations (see ITS#4556). This has been fixed in HEAD, but not
> currently applied to RE24. I'm currently working on 2.4.13, and wanted
> to gather general feedback on whether or not it is thought this change
> should be included. It is a distinct change in behavior, and will break
> expected behavior for some folks.
Wasn't it suggested to add a configuration switch to allow turning it
off, at least for the lifespan of 2.4? Much like what happened with
schemacheck.
Well, no such keyword exists right now in HEAD. ;) If it gets added, then
yeah, this would be a no-brainer. :) Howard says he'll take a look at
doing that.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
12:30 p.m.
Quanah Gibson-Mount wrote:
Well, no such keyword exists right now in HEAD. ;) If it gets added,
then yeah, this would be a no-brainer. :) Howard says he'll take a look
at doing that.
I could do it as well, but probably not before the we (as usual :)
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando(a)sys-net.it
-----------------------------------
12:40 p.m.
Pierangelo Masarati wrote:
Quanah Gibson-Mount wrote:
> Well, no such keyword exists right now in HEAD. ;) If it gets added,
> then yeah, this would be a no-brainer. :) Howard says he'll take a look
> at doing that.
I could do it as well, but probably not before the we (as usual :)
Interestingly, the most difficult part here is coming up with a sensible
keyword for this option.
I'm leaning toward add_attr_acl but not too thrilled with that. It's hard to
come up with a meaningful name that doesn't get overly verbose. Any other
suggestions?
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
12:50 p.m.
Howard Chu writes:
I'm leaning toward add_attr_acl but not too thrilled with that.
It's hard to
come up with a meaningful name that doesn't get overly verbose. Any other
suggestions?
Is this a per-database on/off option defaulting from a global setting,
or just a global "on if included" option?
Nitpick, but I would call it "access<something>" so it sorts next to
"access".
--
Hallvard
12:57 p.m.
Hallvard B Furuseth wrote:
Howard Chu writes:
> I'm leaning toward add_attr_acl but not too thrilled with that. It's hard to
> come up with a meaningful name that doesn't get overly verbose. Any other
> suggestions?
Is this a per-database on/off option defaulting from a global setting,
or just a global "on if included" option?
Nitpick, but I would call it "access<something>" so it sorts next to
"access".
"access_check_attrs_on_add" ?
Yes, per-database would be nice. It'd probably cost a char in the
BackendDB structure, or would a bit in be_flags suffice?
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando(a)sys-net.it
-----------------------------------
1:03 p.m.
Hallvard B Furuseth wrote:
Howard Chu writes:
> I'm leaning toward add_attr_acl but not too thrilled with that. It's hard to
> come up with a meaningful name that doesn't get overly verbose. Any other
> suggestions?
Is this a per-database on/off option defaulting from a global setting,
or just a global "on if included" option?
It's a per-DB boolean, yes. Default is off. (Except for cn=config, which will
default on.)
Nitpick, but I would call it "access<something>" so
it sorts next to
"access".
Currently I'm using 'add_content_acl' and add* sorts next to
"access"...
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
11:47 p.m.
Howard Chu <hyc(a)symas.com> wrote:
I'm leaning toward add_attr_acl but not too thrilled with that.
It's hard to
come up with a meaningful name that doesn't get overly verbose. Any other
suggestions?
A more general syntax, leaving room for more settings:
attr_acl mod;
attr_acl add,mod;
attr_acl all; (default, currently add,mod)
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu(a)netbsd.org
1:36 p.m.
Emmanuel Dreyfus wrote:
Howard Chu<hyc(a)symas.com> wrote:
> I'm leaning toward add_attr_acl but not too thrilled with that. It's hard to
> come up with a meaningful name that doesn't get overly verbose. Any other
> suggestions?
A more general syntax, leaving room for more settings:
attr_acl mod;
attr_acl add,mod;
attr_acl all; (default, currently add,mod)
But in this case I don't think we want any more generality. No one should be
turning off ACL checks on mod (or any other) operations...
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
4:56 a.m.
On Mon, Nov 10, 2008 at 12:01:16PM -0800, Quanah Gibson-Mount wrote:
Currently, ACL evaluation doesn't behave the way people always
expect on
ADD operations (see ITS#4556). This has been fixed in HEAD, but not
currently applied to RE24. I'm currently working on 2.4.13, and wanted to
gather general feedback on whether or not it is thought this change should
be included. It is a distinct change in behavior, and will break expected
behavior for some folks.
It is not clear from the ITS page exactly what the fix eventually was.
The discussion turned to ditStructureRules at followup 6, and by
followup 8 it appears that the issue is considered 'fixed'.
I assume that the fix was to enforce ACLs on the attributes of an
entry before adding it, as originally requested in the ITS. This will
need a note in the Admin Guide, but it seems like a Good Thing To Do.
I would consider the old (non-enforcing on add) behaviour to be wrong
so I would not be worried by the ACLs being enforced in a future version.
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
7:19 a.m.
Andrew Findlay <andrew.findlay(a)skills-1st.co.uk> wrote:
I assume that the fix was to enforce ACLs on the attributes of an
entry before adding it, as originally requested in the ITS.
You are right, this is the change.
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu(a)netbsd.org
5310
days inactive
5311
days old
11 comments
6 participants
participants (6)
-
Andrew Findlay -
Hallvard B Furuseth -
Howard Chu -
manu@netbsd.org -
Pierangelo Masarati -
Quanah Gibson-Mount