httpd-dev mailing list archives

From "William A. Rowe, Jr." <>
Subject RE: mod_authn_mysql
Date Wed, 19 Feb 2003 22:18:14 GMT
At 01:32 PM 2/19/2003, Cliff Woolley wrote:
>On Wed, 19 Feb 2003, Dietz, Phil E. wrote:
>> For 2.1 and beyond, I'd rather see something more generic.  Like a
>> mod_authn_odbc or a mod_authn_soap.
>Ironic, since I was just about to say I'm not so keen on adding more
>modules to 2.0, and that if it's going in I'd rather have it in 2.1.

I was sorta thinking the same... we seem to be saying that bits of this
aren't altogether that flexible, we want different backends, et al, and yet
rather than invest the time in structuring 2.1 so that all the auth overhaul
is really successful and complete, we want to start maintaining another
auth under the old schema?  Seems like that would waste more project
cycles than really benefiting the direction that auth is taking.

I'm sorta -0 on seeing this go into 2.0.  I won't scream and yell and
flail my arms, and will go where the list takes this, but I wouldn't 
support introducing it until 2.1.  Dropping it in 2.0 would actually be
a disincentive (at least for me) to really contributing to the shape up 
of our own authn/authz logic by the first 2.2 release.

BTW - yes I realize the reorganization and new hooks are already
done for 2.1.  What isn't finished is some mechanism for query and
linked lists of credentials; what Dirk has advocated for some time.
This module is a perfect back end to illustrate that.

So is _hostname, actually, because it's more than just an IP.  It's
a machine identity, with the root value of an absolute IP address,
with sometimes a reverse-dns-validated hostname, and an agent
token of the dns server that validated that hostname<->IP relation.

What Dirk proposes is to layer all of those nuggets to later unwind
the chain of authority, or log it.  My goal is to simply check the
list of machine-token identifiers and compare 'em all to the Allow
or Deny patterns, so that one flavor or another doesn't escape from
our scrutiny.  But they all benefit from rethinking this logic already.

The current 2.0 is goodness, the module is available from and maintained
by others, and we are happy to adopt it into our new 'authn/authz' family.
But that family won't be born till 2.2.

My longwinded 2c, but that's all it's worth.

