httpd-dev mailing list archives

From Jose Kahan
Subject Extending mod_authz_dbd
Date Tue, 14 Apr 2015 17:38:52 GMT

We're preparing the migration to Apache 2.4 and we're happy
to see that many features now available allow us to put to
rest most of our custom developed modules.

Looking at mod_authz_dbd, we would like to make a request
against a dbase passing different parameters (REQUEST_URI, 
REQUEST_METHOD, REMOTE_USER, ...) to support a fine-grained
ACL mechanism. However, this module doesn't seem to support
resolving those variables when preparing the SQL query. 
Looking at the code, the only one that seems supported is 
a hard-coded r->user in authz_dbd_group_query:

 rv = apr_dbd_pvselect(dbd->driver, r->pool, dbd->handle, &res,
                       query, 0, r->user, NULL);

Is there any historical reason for this? Would you be interested
in our contributing time to extend this module to support more
generic queries such as (invented query)

require sql-query "SELECT * FROM foo WHERE user=${REMOTE_USER}
                   AND uri=${REQUEST_URI} AND ${REQUEST_METHOD} in
                   ('GET', 'POST')"

While browsing for information regarding this point, I only
found people asking if this was possible, but no hints if there
had been (or will be) plans to do this.

The defunct mod_auth_mysql used to propose something similar.
This module is not officially maintained anymore.

A possible point of confusion in the module's doc [1] is the 
phrase saying 

  "Since v2.4.8, expressions are supported within the DBD 
   require directives."

while the requires in the paragraphs below can't support expressions, 
as far as I can tell. I may be missing something.

Please keep me updated if you'd be interested in this generic 
contribution, which we would be happy to make, rather than forking 
and maintaining a derived and non-generic patch to this module.

If you're interested, I'd appreciate some feedback on what the feature
should look like so that it's designed that way before coding it,
rather than coding, proposing the contribution and getting feedback
that it wasn't what x had in mind.

Of course, it's understood that your showing interest for this doesn't 
mean you will end up accepting the contribution.

Thanks and KUDOS! Apache 2.4 rocks!
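
One way the ${VAR} syntax proposed in the message above could be compiled, as an added example that is not part of the original message or of mod_authz_dbd: each variable becomes a %s bind placeholder of the kind apr_dbd_prepare() accepts, so request values such as REQUEST_URI reach apr_dbd_pvselect() as parameters and are never spliced into the SQL text. The function name compile_template, the allow-list and MAX_ARGS are assumptions made for illustration.

```c
#include <string.h>

#define MAX_ARGS 8   /* assumed upper bound on bound variables */

/* Request variables the hypothetical directive may reference. */
static const char *const allowed[] = {
    "REMOTE_USER", "REQUEST_URI", "REQUEST_METHOD", NULL
};

/*
 * Rewrite "... WHERE user=${REMOTE_USER}" into the "%s" placeholder form
 * used for prepared statements, recording in args[] which variable feeds
 * each placeholder, in order. Returns the number of bound variables, or
 * -1 on a malformed template, an unknown variable, too many variables,
 * or an undersized output buffer.
 */
int compile_template(const char *tpl, char *out, size_t outlen,
                     const char *args[MAX_ARGS])
{
    size_t o = 0;
    int n = 0;

    if (outlen == 0)
        return -1;
    while (*tpl) {
        if (tpl[0] == '$' && tpl[1] == '{') {
            const char *end = strchr(tpl + 2, '}');
            size_t len;
            int i;
            if (!end || n == MAX_ARGS || o + 2 >= outlen)
                return -1;
            len = (size_t)(end - (tpl + 2));
            for (i = 0; allowed[i]; i++)
                if (strlen(allowed[i]) == len && !strncmp(allowed[i], tpl + 2, len))
                    break;
            if (!allowed[i])
                return -1;               /* not on the allow-list */
            args[n++] = allowed[i];      /* value is bound at query time */
            out[o++] = '%';
            out[o++] = 's';
            tpl = end + 1;
        } else {
            int pct = (*tpl == '%');     /* literal '%' must be doubled */
            if (o + 1 + pct >= outlen)
                return -1;
            if (pct)
                out[o++] = '%';
            out[o++] = *tpl++;
        }
    }
    out[o] = '\0';
    return n;
}
```

At request time the caller would look up each name in args[] (r->user for REMOTE_USER, and so on) and pass the values, in that order, as the bind arguments of the prepared statement.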

