90 likes | 172 Views
ACL draft Issues from IESG. Basic MUST be over SSL/TLS DELETE not mapped to specific permission Model is excessively complex Too much flexibility, too many options Humans will err Clients will help humans err. Complexity: ACE Combination.
E N D
ACL draft Issues from IESG • Basic MUST be over SSL/TLS • DELETE not mapped to specific permission • Model is excessively complex • Too much flexibility, too many options • Humans will err • Clients will help humans err
Complexity: ACE Combination • Note that each server may only advertise one of three ace combination models. • DAV:ace-combination • DAV:first-match • DAV:all-grant-before-any-deny • DAV:specific-deny-overrides-grant • Can we map all three of these to one canonical? • Then as long as the server does mapping right, security is improved (only one source of bugs).
Complexity:ACE ordering • Note that a server must advertise either no ordering, or deny-before-grant ordering • DAV:ace-ordering • DAV:deny-before-grant • Can we cut this? Can servers that internally require deny to be “before” grant do reordering themselves?
Complexity: Allowed ACE, Required Principals • Server may advertise limitations on the number/type of ACEs allowed internally (section 6.3) • Deny ACEs • Inverted ACEs • Only one per principal • Server may advertise what ACEs must exist (section 6.4) • This shouldn’t make modeling permissions harder • Client could ignore these and attempt to set the ACL improperly, but would get error
Complexity: Optional errors • DAV:recognized-principal • Server MUST recognize the principal? • DAV:no-ace-conflict • Server MUST prevent conflicts? • Recommend more specificity on whether preconditions MUST or MAY be met.
Privileges • Specific list of Privileges • Try to meet RFC3010 list? • Extensibility is a most – we can’t limit ACEs to a fixed list
If header simplification • Proposal • Existing header: too complicated to determine which assertions are checked and against which resource • Require all assertions be evaluated, because “resources affected by” is too vague • Untagged assertions apply only to request-URI • Issues from list • Does this mean we need a lock model? • Do we clarify which operations require which locks? • Do we allow clients to submit locks in non-conditional headers? • Basic design principle: make implementations “fix up”, or
New headers • New “Locktokens-Used” request header • Holds comma-separated lock tokens (no etags) • Can apply to any resource • Never cause the request to fail • New “Locktokens-No-Match” header • Holds comma-separated lock tokens that are expired, invalid, or didn’t match any resource’s locks • Allows server to correct client’s view of lock state • Also confirms that the server understands the Locktokens-Used header.
Quota draft • Redefine quota-bytes and space-used-bytes • Quota max. storage available to the user in area of the namespace in which the collection is allocated • Space used current storage allocated to the user in this partition • Change names to use ‘octets’ rather than ‘bytes’