[2319] in Kerberos_V5_Development
Re: request comments on new ACL file format
daemon@ATHENA.MIT.EDU (Tom Yu)
Tue Mar 25 03:20:38 1997
Date: Tue, 25 Mar 1997 03:20:05 -0500
To: "Theodore Y. Ts'o" <tytso@MIT.EDU>
Cc: Ken Hornstein <kenh@cmf.nrl.navy.mil>, Tom Yu <tlyu@MIT.EDU>,
krbdev@MIT.EDU
From: Tom Yu <tlyu@MIT.EDU>
In-Reply-To: <9703250656.AA24264@dcl.MIT.EDU>
>>>>> "tytso" == "Theodore Y Ts'o" <tytso@MIT.EDU> writes:
tytso> When you perform an:
tytso> permissions_check(client_principal, target_principal, operation)
tytso> You need to get a list of all of the groups that
tytso> client_principal belongs to, and a list of all of the groups
tytso> that target_principal belongs to.
Actually, this is not necessary. I've done some more pseudo-coding
and determined that it actually makes the code *more* complex if you
keep separate user and target groups. I think the minor performance
hit in this case is acceptable for most cases.
You *do* have to get the groups that a client principal is a member
of, but you don't need to get the groups that a target principal is a
member of, since the workhorse check function that recursively
determines if a principal is a member of a group already does that for
you. You basically end up using the same function to determine if a
principal is in a group as to determine if a principal is on an acl,
since the latter case ends up making a recursive call to itself if
there are any groups in the acl declaration.
What do people think? Are many sites likely to have a set of admin
requirements that are sufficiently convoluted that not distinguishing
between target groups and user groups is reasonable?
Also, what do people think of this new quasi-BNF grammar for the acl
file format? Are commas really necessary as separators in a target
list? IMHO the fewer special characters in the file format, the
better.
EQUALS:    '=' ;
NEWLINE:   '\n' ;
BANG:      '!' ;
GROUPNAME: ':' [0-9A-Za-z_]+ ;
PERMS:     [LACIDEM*]+ ;
PRINCIPAL: /* krb5_unparse_name() output with some extra escaping */ ;
GROUP:     "group" ;

entity:
      PRINCIPAL
    | GROUPNAME ;

neg_entity:
      BANG entity ;

elist_elem:
      entity
    | neg_entity ;

elist:
      elist_elem
    | elist elist_elem ;

group_def:
      GROUP GROUPNAME EQUALS elist NEWLINE ;

acl_def:
      ACL entity PERMS EQUALS elist NEWLINE ;

/* end of quasi-grammar */
BTW, did anyone else notice that the acl flag letters spell out all
sorts of amusing things? ;-)
---Tom
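Editor's added example (not code from the message, nor MIT Kerberos code): a small Python parser for the quasi-grammar above together with the check the message describes, where one recursive function decides both "is this principal in this group" and "is this principal on this acl", so the target principal's group memberships never have to be collected up front. It goes one step further than the message by running the same recursion for the client side too instead of enumerating the client's groups. Everything the message leaves open is an assumption here: the keyword "acl" (the grammar references an ACL token it never defines), "#" comments, first-match-wins handling of "!" entries, a guard against groups that contain themselves, and principals treated as opaque whitespace-free tokens (the krb5_unparse_name() escaping is left out). The sample file and all principals in it are constructed.

```python
"""Parser and permission checker for the whitespace-separated ACL grammar in the
message above.  Constructed illustration, not MIT Kerberos code.  Assumed, since
the message does not say: the "acl" keyword (its grammar never defines the ACL
token), '#' comments, and first-match-wins semantics for '!' entries."""
import re
from typing import Dict, FrozenSet, List, NamedTuple, Optional

GROUPNAME_RE = re.compile(r"^:[0-9A-Za-z_]+$")   # GROUPNAME: ':' [0-9A-Za-z_]+
PERMS_RE = re.compile(r"^[LACIDEM*]+$")          # PERMS: [LACIDEM*]+

Elem = NamedTuple("Elem", [("entity", str), ("negated", bool)])   # one elist_elem
AclEntry = NamedTuple("AclEntry", [("target", str), ("perms", str), ("elist", List[Elem])])
AclDb = NamedTuple("AclDb", [("groups", Dict[str, List[Elem]]), ("acls", List[AclEntry])])


def parse_elist(tokens: List[str]) -> List[Elem]:
    if not tokens or "!" in tokens:
        raise ValueError("elist must be non-empty and '!' must prefix an entity")
    return [Elem(t[1:] if t.startswith("!") else t, t.startswith("!")) for t in tokens]


def parse_acl_file(text: str) -> AclDb:
    """Parse group_def and acl_def lines.  Tokens are whitespace-separated, so a
    target list needs no commas (the question the message raises)."""
    groups: Dict[str, List[Elem]] = {}
    acls: List[AclEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        toks = raw.split("#", 1)[0].split()
        if not toks:
            continue
        try:
            if toks[0] == "group":   # group_def: GROUP GROUPNAME EQUALS elist NEWLINE
                if not GROUPNAME_RE.match(toks[1]) or toks[2] != "=" or toks[1] in groups:
                    raise ValueError("expected 'group :name = <elist>' with an unused name")
                groups[toks[1]] = parse_elist(toks[3:])
            elif toks[0] == "acl":   # acl_def: ACL entity PERMS EQUALS elist NEWLINE
                if not PERMS_RE.match(toks[2]) or toks[3] != "=":
                    raise ValueError("expected 'acl <entity> <perms> = <elist>'")
                acls.append(AclEntry(toks[1], toks[2], parse_elist(toks[4:])))
            else:
                raise ValueError(f"unknown keyword {toks[0]!r}")
        except (IndexError, ValueError) as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
    # Every :group mentioned anywhere must be defined somewhere in the file.
    mentioned = {a.target for a in acls}
    for elist in list(groups.values()) + [a.elist for a in acls]:
        mentioned |= {e.entity for e in elist}
    undefined = sorted(e for e in mentioned if GROUPNAME_RE.match(e) and e not in groups)
    if undefined:
        raise ValueError(f"undefined groups: {undefined}")
    return AclDb(groups, acls)


def matches(principal: str, entity: str, db: AclDb, seen: FrozenSet[str] = frozenset()) -> bool:
    """Does `principal` match `entity`?  A bare principal compares by string equality;
    a :group recurses through its elist.  This is the single workhorse the message
    describes: it decides group membership and ACL membership alike."""
    if not GROUPNAME_RE.match(entity):
        return principal == entity
    if entity in seen:          # cycle guard: a group that contains itself adds nothing
        return False
    return decided_by(principal, db.groups[entity], db, seen | {entity}) is True


def decided_by(principal: str, elist: List[Elem], db: AclDb, seen: FrozenSet[str]) -> Optional[bool]:
    """First element matching `principal` decides: True for a plain entity, False
    for a '!' entity; None if nothing in the elist matches."""
    for elem in elist:
        if matches(principal, elem.entity, db, seen):
            return not elem.negated
    return None


def permissions_check(client: str, target: str, operation: str, db: AclDb) -> bool:
    """Grant if some acl_def whose target matches `target` carries `operation` and
    whose elist admits `client` before any '!' entry excludes it."""
    if len(operation) != 1 or operation not in "LACIDEM":
        raise ValueError(f"bad operation {operation!r}")
    for entry in db.acls:
        if ("*" in entry.perms or operation in entry.perms) \
                and matches(target, entry.target, db) \
                and decided_by(client, entry.elist, db, frozenset()) is True:
            return True
    return False


# Constructed sample file: EXAMPLE.COM realm, fictitious principals.
SAMPLE_ACL = """\
group :admins = joe/admin@EXAMPLE.COM jane/admin@EXAMPLE.COM
group :ops    = !jane/admin@EXAMPLE.COM :admins ops/admin@EXAMPLE.COM
group :users  = alice@EXAMPLE.COM bob@EXAMPLE.COM
group :loop1  = :loop2      # deliberate cycle: must not recurse forever
group :loop2  = :loop1
acl :users LI = :ops
acl alice@EXAMPLE.COM * = joe/admin@EXAMPLE.COM
acl :users ACDEM = !joe/admin@EXAMPLE.COM :admins
acl carol@EXAMPLE.COM L = :loop1
"""
```

With the sample loaded via parse_acl_file(SAMPLE_ACL), joe can list bob (acl :users LI via :ops) but cannot add bob (the !joe entry on the ACDEM acl is matched first), while jane is excluded from :ops by the leading !jane yet still gets ACDEM on :users through :admins. The :loop1/:loop2 pair shows why the seen-set guard matters: without it the recursive check would never terminate on a mis-edited file.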