On 3/5/20 9:04 PM, Howard Chu wrote:
> Dieter Bocklandt wrote:
>> I would assume the following takes place:
>> - The service user binds to the consumer and assumes dieter's identity, which should be the same net effect as binding with dieter's user in the first place.
>> - The proxy user binds to the provider and assumes dieter's identity
>> - The provider tries to perform the write, using dieter's identity for ACL evaluation
>>
>> What actually happens:
>> - The service user binds to the consumer and assumes dieter's identity
>> - The proxy user binds to the provider and assumes the service user's identity
>> - The provider tries to perform the write, using the service user's identity for ACL evaluation
>>
>> Actually, I spent some more time on this today and I /think/ I might know what's happening here:
>
> Your analysis makes sense. Would have to ask Pierangelo why he wrote it the way he did but it seems that it should use op->o_ndn.

Hmm, is the semantics of proxying the SASL proxy authorization clearly defined? The consumer proxy itself also has an identity.
Just asking...
Ciao, Michael.