httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From James Martin <james.s.mar...@gmail.com>
Subject Re: [users@httpd] using multiple LimitExcept directives
Date Sun, 03 Mar 2013 22:42:05 GMT
On Sun, Mar 3, 2013 at 4:08 PM, Igor Cicimov <icicimov@gmail.com> wrote:
>
> On 04/03/2013 3:36 AM, "James Martin" <james.s.martin@gmail.com> wrote:
>>
>> On Sun, Mar 3, 2013 at 2:46 AM, Igor Cicimov <icicimov@gmail.com> wrote:
>> >
>> > On 03/03/2013 3:34 PM, "James Martin" <james.s.martin@gmail.com> wrote:
>> >>
>> >> Folks,
>> >>
>> >> I'm attempting to using multiple LimitExcept directives in one
>> >> Location.  Basically I want to give a the "Actor" ldap group  GET &
>> >> PUTT access, the "WeatherMan" ldap group only GET access, and the
>> >> "Actor" ldap group PUT access.  I'm open to using either apache 2.2 or
>> >> 2.4, as I see that apache 2.4 supports nesting of the Limit and
>> >> LimitExcept directives.  This is what I've tried so far:
>> >>
>> >
>> > Can you please first check the above bold out groups for us? Is that
>> > correct
>> > or one of them should be Artist instead?
>> >
>>
>> I realize there was a typo there, sorry about that.   I said Actor
>> twice.  The groups should be Artist, Actor, and WeatherMan  Here's the
>> proper text:
>>
>> Basically I want to give a the "Artist" ldap group  GET & PUT access,
>> the "WeatherMan" ldap group only GET access, and the "Actor" ldap
>> group PUT access.  I'm open to using either apache 2.2 or 2.4, as I
>> see that apache 2.4 supports nesting of the Limit and LimitExcept
>> directives.  This is what I've tried so far:
>>
>> <Location>
>> <LimitExcept GET PUT>
>>     Require ldap-group cn=Artist, ou=groups, o=company
>> </LimitExcept>
>>  <LimitExcept GET>
>>         Require ldap-group cn=WeatherMan, ou=groups, o=company
>>  </LimitExcept>
>>  <LimitExcept PUT>
>>         Require ldap-group cn=Actor, ou=groups, o=company
>>  </LimitExcept>
>> </Location>
>>
>> >>
>> >> <Location "/boballcharlieputs">
>> >>   AuthType Basic
>> >>   AuthName "Secure Area"
>> >>   AuthBasicProvider ldap
>> >>    AuthLDAPURL
>> >> "ldap://localhost:10389/ou=users,o=company?uid"
>> >>   AuthLDAPBindDN uid=binder,ou=users,o=bashoproserv
>> >>   AuthLDAPBindPassword password
>> >
>> >
>> >> <LimitExcept GET PUT>
>> >>     Require ldap-group cn=Actor, ou=groups, o=company
>> >> </LimitExcept>
>> >
>> > From the docs:
>> >
>> > <LimitExcept> and </LimitExcept> are used to enclose a group of
access
>> > control directives which will then apply to any HTTP access method not
>> > listed in the arguments
>> >
>>
>> It is my understanding that if you have GET PUT within LimitExcept
>> then you are limiting all operations *except* GET & PUT.
>>
>>
>> > In this context, isn't your above statement actually achieving the
>> > opposite
>> > from what you want?
>> >
>> >>  <LimitExcept GET>
>> >>         Require ldap-group cn=WeatherMan, ou=groups, o=company
>> >>  </LimitExcept>
>> >>  <LimitExcept PUT>
>> >>         Require ldap-group cn=Actor, ou=groups, o=company
>> >>  </LimitExcept>
>> >> </Location>
>> >>
>> >> In this case Apache only processes the last LimitExcept, so only
>> >> operation that is successful is the PUT by a user in the Actor ldap
>> >> group.
>> >>
>> >>
>> >> I've also attempted to nest these statements (new feature in 2.4) and
>> >> apache complains:
>> >>
>> >> "<LimitExcept> directive specifies methods already excluded"
>> >>
>> >> Here is that example:
>> >>
>> >> <LimitExcept GET PUT>
>> >>     Require ldap-group cn=Artist, ou=groups, o=bashoproserv
>> >>     <LimitExcept PUT>
>> >>         Require ldap-group cn=Actor, ou=groups, o=bashoproserv
>> >>     </LimitExcept>
>> >> </LimitExcept>
>> >>
>> >
>> > So is it Actor or Artist or both??? Can't see Artist in the first
>> > example...
>> >
>> > The docs further say:
>> >
>> > The <Limit> and <LimitExcept> directives may be nested. In this
case,
>> > each
>> > successive level of <Limit> or <LimitExcept> directives must further
>> > restrict the set of methods to which access controls apply.
>> >
>> > When using <Limit> or <LimitExcept> directives with the Require
>> > directive,
>> > note that the first Require to succeed authorizes the request,
>> > regardless of
>> > the presence of other Require directives.
>> >
>> > So, assuming GET+PUT for Artist, GET for WeatherMan and PUT for Actor,
>> > and
>> > having the above said in mind, I would try something like this:
>> >
>> >
>> > <Limit GET PUT>
>> >    Require ldap-group cn=Artist, ou=groups, o=company
>> > </Limit>
>> > <Limit GET>
>> >
>> >    Require ldap-group cn=WeatherMan, ou=groups, o=company
>> > </Limit>
>> > <Limit PUT>
>> >
>> >    Require ldap-group cn=Actor, ou=groups, o=company
>> > </Limit>
>> >
>>
>> I attempted your method and it *does* seem to work as I wanted
>> (thanks!); however, my concern is as per the docs:
>>
>> """
>> The following example applies the access control only to the methods
>> POST, PUT, and DELETE, leaving all other methods unprotected:
>>
>> <Limit POST PUT DELETE>
>>   Require valid-user
>> </Limit>
>> """
>>
>> To me that means that  GET, CONNECT, OPTIONS, PATCH, PROPFIND,
>> PROPPATCH, MKCOL, COPY, MOVE, LOCK, and UNLOCK are not restricted at
>> all.
> Correct since those 3 are important ones so you need only some users to
> access them and you dont care about the other methods. Why else would you
> use limit then with Require? By default ALL methods are unprotected. So in
> your case you dont need to give Artist GET access to anything, he already
> has it! The point is to allow access to that user ONLY and thats where Limit
> and Require come into play.
>
>>
>> It also mentions
>>
>> """
>> A <LimitExcept> section should always be used in preference to a
>> <Limit> section when restricting access, since a <LimitExcept> section
>> provides protection against arbitrary methods.
>> """
>>
> Correct BUT only if it matches your user case. Does it???
> Nothing wrong with using Limit if you know exactly what you are doing.
>
>> Perhaps I need to combine the Limit with a LimitExcept so catch all of
>> the other methods not defined?
>>
> Sure go on and try it. Im only giving you some pointers hope you'll come up
> with the solution that suits you your self.
>

Just a follow up, I was able to get what I wanted with this approach.
Hopefully someone else can find this information useful. Thanks for
your pointers, they definitely helped!

#this stanza allows only folks belonging to the "Admin" group to put
#and get into /protected

<Location "/protected">
  <Limit GET PUT>
    Require ldap-group cn=Admin, ou=groups, o=company
  </Limit>

#the following prevents all other methods to the location
  <LimitExcept GET PUT>
  Order Allow,Deny
  Deny from all
  </LimitExcept>
</Location>


#The following stanza controls access to the /protected/boballcharlieputs
# location
# Someone from the Artist group can get and put
# Someone from the WeatherMan group can only get
# Someone from the Actor group can only put

<Location "/protected/boballcharlieputs">
  <Limit GET>
    Require ldap-group cn=WeatherMan, ou=groups, o=company
    Require ldap-group cn=Artist, ou=groups, o=company
  </Limit>
  <Limit PUT>
    Require ldap-group cn=Artist, ou=groups, o=company
    Require ldap-group cn=Actor, ou=groups, o=company
  </Limit>

#The following  blocks all other HTTP methods to the location
  <LimitExcept GET PUT>
    Order Allow,Deny
    Deny from all
  </LimitExcept>
</Location>

Thanks again,

James

>> Thanks,
>>
>> - James
>>
>>
>> >> I feel like I'm very close to getting this working, but I'm not quite
>> >> grasping how to stack the LimitExcepts properly.
>> >>
>> >> Thanks for your help,
>> >>
>> >>
>> >> James
>> >>
>> >> ---------------------------------------------------------------------
>> >> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> >> For additional commands, e-mail: users-help@httpd.apache.org
>> >>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message