From Nick Kew
Subject Re: authz: file-group ugliness
Date Tue, 25 Oct 2005 11:37:41 GMT
On Tuesday 25 October 2005 00:29, you wrote:
>    This would be OK except that there is a bigger problem that I looked
> into trying to fix at one point but never completed it.  The problem is
> the duplication of authorization types.  Currently we have both
> mod_authz_groupfile and mod_authz_dbm implementing the types "group" and
> "file-group".  This causes a problem because if both of these modules
> are loaded and the configuration contains the directive:
> require group foo
> or
> require file-group
> which authorization module handles it?  Well it seems to be completely
> dependent on load order and/or the use of the directives
> AuthzXXXAuthoritative.  In addition to implementing an optional function
> in mod_authz_owner to get the owner id, all authorization types should
> probably be renamed to be unique.
> group - mod_authz_groupfile
> dbm-group  - mod_authz_dbm
> dbd-group  - mod_authz_dbd
> ldap-group  - mod_authnz_ldap (already done)
> etc...
> thoughts on this...?

Well, AFAICS that ambiguity only really kicks in if you have both an
AuthGroupFile and an AuthDBMGroupFile, which is something that
would be equally(?) problematic in 1.x/2.0.
Ugly - yes.  Totally broken - no.  Unless I'm missing something?

That still leaves an aura of ambiguity hanging around AuthAuthoritative.
Perhaps a better solution would be to replace that with something like
AuthOrder user group dbm-group
which specifies an order of authz checks, and makes the last one 
'authoritative' in terms of the old logic.

Of course that still leaves file-group looking lonely.  Maybe what that
wants is a provider from authz_[file|dbm|dbd|ldap|etc] ?

Nick Kew
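
Added example, not part of the original message and not Apache httpd code: a small lint that flags `Require group` / `Require file-group` lines in scopes where both AuthGroupFile and AuthDBMGroupFile are in effect, the case the thread identifies as depending on load order. The sample configuration is constructed, and the inheritance model (nested sections only; no Include, .htaccess or section merging) is a simplifying assumption.

```python
import re

# Group-source directives and the modules the thread attributes them to.
GROUP_SOURCES = {"authgroupfile": "mod_authz_groupfile",
                 "authdbmgroupfile": "mod_authz_dbm"}
# Authorization types the thread says both modules implement.
SHARED_TYPES = {"group", "file-group"}
OPEN = re.compile(r"<\s*(\w+)\s*([^>]*)>")
CLOSE = re.compile(r"</\s*(\w+)\s*>")

# Constructed sample configuration (paths and group names are made up).
SAMPLE = """\
AuthGroupFile /etc/httpd/groups
<Directory /srv/a>
    AuthDBMGroupFile /etc/httpd/groups.dbm
    Require group staff
</Directory>
<Directory /srv/b>
    Require file-group
</Directory>
"""

def find_ambiguous_requires(conf_text):
    """Return (line_no, scope, authz_type, modules) per ambiguous Require."""
    stack = [{"name": "<server>", "sources": {}}]  # one entry per open section
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.fullmatch(line):
            if len(stack) > 1:
                stack.pop()
            continue
        m = OPEN.fullmatch(line)
        if m:
            name = f"<{m.group(1)} {m.group(2).strip()}>"
            stack.append({"name": name, "sources": {}})
            continue
        words = line.split()
        key = words[0].lower()
        if key in GROUP_SOURCES and len(words) > 1:
            stack[-1]["sources"][key] = GROUP_SOURCES[key]
        elif key == "require" and len(words) > 1 and words[1].lower() in SHARED_TYPES:
            active = {}  # assumption: enclosing sections' settings are inherited
            for scope in stack:
                active.update(scope["sources"])
            if len(active) == len(GROUP_SOURCES):
                findings.append((line_no, stack[-1]["name"],
                                 words[1].lower(), sorted(active.values())))
    return findings
```
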

