httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Justin Erenkrantz <jus...@erenkrantz.com>
Subject Re: Comments on Authz_Provider implementation (was: Re: svn commit: r351547 - in /httpd/h)
Date Fri, 02 Dec 2005 17:24:35 GMT
--On December 2, 2005 9:39:46 AM -0700 Brad Nicholes <BNICHOLES@novell.com> 
wrote:

>    As I mentioned in my last commit, it still needs some clean up.
> Please, Please feel free to jump in and clean it up wherever you see the
> need.  I don't have all of the answers to why things were done the way

Okay, there are a bunch of style nits that I'll go clean up if I get a free 
moment.

> they were before and if we still need to do it that way now or is there
> a better way.  In this branch I have been trying to maintain backward
> API compatibility as much as it makes sense.  But there are questions I
> have about the need of some APIs such as ap_requires() and
> ap_some_auth_required(), etc.  These are points that I need feedback on
> and if we can eliminate them, like as was discussed with AuthType, then
> lets do it.

I have these exact same questions - so we're struggling with the same 
things.  Good.

Below are the unedited rambling notes I wrote last night as I was falling 
asleep.  Feel free to comment.  =)  -- justin

=================

Def'n:

authentication: who is this user?
authorization: is this user authorized?

access: run before authn/authz; but really can be categorized in 
authorization

------

Goal:

Want to run authorization hook even on anonymous read-only requests *and*
also when r->user is set.

------

Current behavior:

satisfy all / not spec
  access
  if auth required
    check_user_id
    auth_checker
satisfy any
  access
  if fails:
    if auth not required: bail
    if check_user_id fails: bail
    if auth_checker fails: bail

------

Some auth required is to prevent 'expensive' lookups from occurring.
Q: Is this really needed with a provider system?

------

Ideal behavior?

Restrict check_user_id hook for Digest/Basic/Auth mechanisms
  As needed, auth mech. runs through conf authn providers
    All configured authn providers are executed in specific order
  Will not execute authn providers unless credentials presented
run through all authz providers for the Location, respecting Limit
  All configured authz providers are executed in specific order

Remove hooks?
Move access checker to authz providers
  Only mod_authz_host was an access checker in our tree anyway

Can/should we purposely break backwards-compat for authz modules in
next revision?

------

Require directives in the form of:

require user joe bob jane
require ldap-user jmanager
require ldap-group bigboys
require valid-user

------

mod_authz_svn has both access and authz hooks
authz hook is RUN_FIRST - ugh
*NO* require directive

require svn-group ?

------

How could we fit IP restrictions into this?

require ip !192.168.0.0/24 10.0.1.5

Possibly have deny/allow from semantics 'silently' convert into require 
directives?  Might be able to salvage backwards compat this way.

-------

Mime
View raw message