httpd-modules-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject RE: Authz modules and User group lookups
Date Wed, 24 Jun 2009 20:42:50 GMT
Thank you for your helpful reply. Unfortunately in sat for a week in  
my rather aggressive spam filter!

>> I'm currently planning out my own Authorization module
>> (mod_resource_authz) which allows a webmaster to deny or grant access
>> to a resource based on the method used.
> Note that every authz module supports that, through <Limit>
> (and in future through <If ...>) configuration sections.
> Not to mention "scripted" solutions like mod_rewrite.

This is true, and I have examined this in detail, but this solution
doesn't lend itself very easily to dynamicly created resources, and
makes management and maintanence difficult. I want to be able to manage
many users, which belong to multiple groups, with dynamicly created
resources which allow access based on owner, group or world. Emulating
this through Limit and/or mod_rewrite, whilst possible for some of these
requirements, in my experience, quickly become unmaintainable and wieldly.

The module I am attempting to write would help me by clearly defining  
the rules
and process of Authorization (i.e. Users belong to Groups. A Resource has an
Owner, and a Group. Access to a Resource is either as Owner, a member  
of a Group or
'the World'. Permission to access a Resource by Method is restricted
by Owner, Group and World). This is just a cryistalised Authorization process,
and not intended to be 'the' authorization process. It's merely an attempt
to provide a fixed process that is consistant, simple and easy to maintain,
rather than the current Authz modules which provide much more flexibility. I
certainly wouldn't have thought of a need for such a module if the  
existing Authz
modules wern't so flexible and provided me with such scope for  

>> My problem comes from attempting to determine if the user is a member
>> of a specific group. If been looking around, and it doesn't appear
>> that the user group membership lookups have been separated out from
>> their individual modules. For example, mod_authz_groupfile doesn't
>> provide an interface my module can use to lookup if a user is a
>> member of a group. Neither does mod_authz_dbm, etc; All these modules
>> do is provide authorization is a user is simply a member of a group.
> There's nothing in HTTP that defines a notion of "group".
> Modules implement it as a convenience.

Absolutely, and I understand this. "Group" is an internal notion to  
httpd. I was
hoping that this notion had a definition, possible a structure/API and if
so, common access mechanism across modules.

>> Does anyone have any suggestions, or am I best implementing a separate
>> provider hook in my module that delegate group membership lookups to
>> other modules (e.g. mod_resource_authz_grplkup_file,
>> mod_resource_authz_grplkup_dbm, mod_resource_authz_grplkup_dbd). A
>> simple interface would suffice, e.g. provide the username, returns an
>> array of groups the user is a member of.
> You seem to be asking for a "group" API that'll enable your
> module to take advantage of existing authz providers, yesno?
> Since authz has been revamped in /trunk/ from 2.2.x, I suggest you
> start with /trunk/.  If you have ideas to enhance the API that'll
> not break things and could be of general interest, then you could
> perhaps propose them to the dev list, and they may be in time for
> a 2.4 release.  Bear in mind that to be of general use, you'll
> probably need to start by writing down exactly what you mean by
> "group", to avoid the likelihood of arguing at cross-purposes.
> Otherwise, yes, your module can export its own API independently.

This is exactly the answer I was looking for. I am experimenting with the
notion of a "group" API and was looking to make sure I wasn't wasting my
time, though I hadn't found any such reference from the module code I have
examined so far.

The work I have so far consists of a provider function fetch_users_groups(),
that, unsuprisingly, given a username returns an array of group names the
username belongs to. Nice and simple. How this is implemented is up to the
individual provider module, and how this list of groups is used to  
determine if the
user has authorization is up to calling module.

I will explore the /trunk/ authz code as you suggested (I have been  
playing around
with mod_authz_dbd for a while now in hopes this module might aid me,  
but again,
it only provides authorization based on required membership to a group).

As for making a proposal to the dev list, and specifying the exact terms used,
I shall explore this further after I have running code, as I feel it might be
more helpful to have a demonstratable implementation to refer to.

Thanks for your help, exactly what I was after!


Ben Davies

P.S. Is there any possibility of a second edition of "The Apache  
Modules book"? I've
found it invaluable and was curious if there were any improvements  
coming in future.

View raw message