From directory-dev-return-2221-apmail-incubator-directory-dev-archive=incubator.apache.org@incubator.apache.org Sun Oct 31 05:41:34 2004 Return-Path: Delivered-To: apmail-incubator-directory-dev-archive@www.apache.org Received: (qmail 38166 invoked from network); 31 Oct 2004 05:41:34 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur-2.apache.org with SMTP; 31 Oct 2004 05:41:34 -0000 Received: (qmail 94873 invoked by uid 500); 31 Oct 2004 05:41:34 -0000 Delivered-To: apmail-incubator-directory-dev-archive@incubator.apache.org Received: (qmail 94818 invoked by uid 500); 31 Oct 2004 05:41:34 -0000 Mailing-List: contact directory-dev-help@incubator.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "Apache Directory Developers List" Delivered-To: mailing list directory-dev@incubator.apache.org Received: (qmail 94803 invoked by uid 99); 31 Oct 2004 05:41:33 -0000 X-ASF-Spam-Status: No, hits=0.0 required=10.0 tests= X-Spam-Check-By: apache.org Received: from [192.18.33.10] (HELO exchange.sun.com) (192.18.33.10) by apache.org (qpsmtpd/0.28) with SMTP; Sat, 30 Oct 2004 22:41:33 -0700 Received: (qmail 19982 invoked from network); 31 Oct 2004 05:41:32 -0000 Received: from localhost (HELO nagoya) (127.0.0.1) by nagoya.betaversion.org with SMTP; 31 Oct 2004 05:41:32 -0000 Message-ID: <1910073894.1099201292020.JavaMail.apache@nagoya> Date: Sat, 30 Oct 2004 22:41:32 -0700 (PDT) From: "Alex Karasulu (JIRA)" To: directory-dev@incubator.apache.org Subject: [jira] Created: (DIREVE-68) Authorization Service: hardcode simple authorization rules for safty Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Virus-Checked: Checked X-Spam-Rating: minotaur-2.apache.org 1.6.2 0/1000/N Authorization Service: hardcode simple authorization rules for safty -------------------------------------------------------------------- Key: DIREVE-68 URL: http://issues.apache.org/jira/browse/DIREVE-68 Project: Directory Eve Type: Task Components: interceptors Reporter: Alex Karasulu Assigned to: Alex Karasulu We need to prevent everyone except the admin user from accessing the admin user's entry. It should not be returned on searches and lookup's should fail if these operations are not being conducted by the admin. This will prevent other users from being able to read the admin's entry or alter it. In general I'm not in favor of hard coding rules but this is one that is almost universally valid and is ok to hardcode. After all this can be changed later as dynamic authorization policy mechanisms are put into place. Also modifyRdn and delete operations will not be allowed! Furthermore we can extend this to regular users where only those that own their entry under ou=users,ou=system can read, or modify their entry. No modifyRdn, or delete operations are allowed on these entries by any user except the admin user. The admin user can do anything it wants to do. Other users besides the creator/owner cannot read the userPassword field. This is basically a new interceptor implementation. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa - If you want more information on JIRA, or have a bug to report see: http://www.atlassian.com/software/jira