httpd-dev mailing list archives

From "Brad Nicholes" <BNICHO...@novell.com>
Subject Re: svn commit: r534533 - in /httpd/httpd/trunk: include/http_core.h modules/aaa/mod_access_compat.c modules/aaa/mod_auth.h modules/aaa/mod_authz_core.c modules/aaa/mod_authz_default.c server/core.c server/request.c
Date Wed, 02 May 2007 22:46:47 GMT
>>> On 5/2/2007 at 1:47 PM, in message
<e498c1660705021247s159eae41ifc1d250b766fa838@mail.gmail.com>, "Joshua Slive"
<joshua@slive.ca> wrote:
> On 5/2/07, Brad Nicholes <BNICHOLES@novell.com> wrote:
> 
>>
>> Yeah, that's where I mentioned that things might look a little confusing.  
>> There actually is a good reason to have both and yes some of the 
>> functionality can overlap.  The reason for having mod_authz_host is so that 
>> host, IP, ENV, etc. can be used during authorization as well.  This really 
>> wasn't an issue in 2.2 because the AND/OR/NOT logic didn't exist yet.  Now 
>> that you can apply this type of logic to authorization, allowing host, IP, 
>> ENV, etc. to be part of that, makes sense.  If we moved mod_authz_host back to 
>> the 2.2 version, in the first place it would no longer be authz but just 
>> mod_access again and you wouldn't be able to include host, IP, ENV, etc. as 
>> part of an authorization rule.  But I agree that the mod_access_compat name no 
>> longer makes sense.
>>
> 
> What kinds of configurations are we actually talking about where
> Require ip could do things that Order/Allow/Satisfy could not? I guess
> you are talking about things like
> <SatisfyOne>
>   <SatisfyAll>
>     Require user john
>     Require ip 192.0.0
>   </SatisfyAll>
>   <SatisfyAll>
>     Require user bob
>     Require ip 191.0.0
>   </SatisfyAll>
> </SatisfyOne>
> 
> Is that kind of configuration really common enough to justify the
> added complexity of two different access-control systems? (It can be
> accomplished in current versions using some Alias/Location hacks or
> with mod_rewrite.)
> 
> My opinion is that either we get rid of Require ip or we fix the hook
> ordering so that Order/Allow/Satisfy/etc can really be deprecated.
> 
> Joshua.

Correct, except I am thinking something more like:

 <SatisfyOne>
   <SatisfyAll>
     Require user john
     <SatisfyOne>
       Require ip 192.0.0
       Require ip 137.65.0
       Require host myhost.org
     </SatisfyOne>
   </SatisfyAll>
   <SatisfyAll>
     Require group admins
     <SatisfyOne>
       Require ip 10.10.0.0
       Require ldap-attribute status="highest"
     </SatisfyOne>
   </SatisfyAll>
 </SatisfyOne>

Which may be a bit more complicated to try to duplicate using other means.  Besides, it seems
to be a lot more straightforward to keep all of the authorization logic in one place rather
than bits and pieces spread out in mod_rewrite rules or alias/location hacks.

I'm all for figuring out a way to rework the hooks so that Order/Allow/Satisfy/etc. can really
be deprecated.  That is what my original intention was.  However, after revisiting this issue,
I'm not sure how to do it yet.

Brad
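As an added illustration (not code from this thread or from httpd itself), a small Python evaluator for nested SatisfyOne/SatisfyAll trees, applied to Brad's sketch above with constructed request contexts; the provider names and the `ctx` dictionary layout are assumptions made here, not httpd's internal authz API.

```python
from dataclasses import dataclass

@dataclass
class Require:
    provider: str  # user, group, ip, host, ldap-attribute
    arg: str

@dataclass
class SatisfyAll:  # every child must grant (AND)
    children: list

@dataclass
class SatisfyOne:  # at least one child must grant (OR)
    children: list

def ip_matches(prefix, ip):
    # Apache partial-IP form: "192.0.0" matches 192.0.0.x, compared octet by octet;
    # a full four-octet argument such as 10.10.0.0 therefore matches only that one address
    want, have = prefix.split("."), ip.split(".")
    return len(want) <= len(have) and have[:len(want)] == want

def host_matches(suffix, host):
    # "myhost.org" matches the host itself and any subdomain of it
    return host == suffix or host.endswith("." + suffix)

def evaluate(node, ctx):
    # Walk the tree; ctx is a constructed request context (user, groups, ip, host, ldap)
    if isinstance(node, SatisfyAll):
        return all(evaluate(c, ctx) for c in node.children)
    if isinstance(node, SatisfyOne):
        return any(evaluate(c, ctx) for c in node.children)
    p, a = node.provider, node.arg
    if p == "user":
        return ctx.get("user") == a
    if p == "group":
        return a in ctx.get("groups", ())
    if p == "ip":
        return ip_matches(a, ctx.get("ip", ""))
    if p == "host":
        return host_matches(a, ctx.get("host", ""))
    if p == "ldap-attribute":
        name, _, value = a.partition("=")
        return ctx.get("ldap", {}).get(name) == value.strip('"')
    return False  # unknown provider: deny

# Brad's sketch from the message above, transcribed as a tree
POLICY = SatisfyOne([
    SatisfyAll([Require("user", "john"), SatisfyOne([Require("ip", "192.0.0"),
                Require("ip", "137.65.0"), Require("host", "myhost.org")])]),
    SatisfyAll([Require("group", "admins"), SatisfyOne([Require("ip", "10.10.0.0"),
                Require("ldap-attribute", 'status="highest"')])])])
```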


