[2322] in Kerberos_V5_Development

Re: request comments on new ACL file format

daemon@ATHENA.MIT.EDU (Marc Horowitz)
Tue Mar 25 15:21:08 1997

To: Tom Yu <tlyu@MIT.EDU>
Cc: "Theodore Y. Ts'o" <tytso@MIT.EDU>, Ken Hornstein <kenh@cmf.nrl.navy.mil>,
        krbdev@MIT.EDU
From: Marc Horowitz <marc@cygnus.com>
Date: 25 Mar 1997 15:16:47 -0500
In-Reply-To: Tom Yu's message of Tue, 25 Mar 1997 03:20:05 -0500

Tom Yu <tlyu@MIT.EDU> writes:

>> Also, what do people think of this new quasi-BNF grammar for the acl
>> file format?  Are commas really necessary as separators in a target
>> list?  IMHO the fewer special characters in the file format, the
>> better.
>> 
>> EQUALS: '=' ;
>> NEWLINE: '\n' ;
>> BANG: '!' ;
>> GROUPNAME: ':' [0-9A-Za-z_]+ ;
>> PERMS: [LACIDEM*]+ ;
>> PRINCIPAL: /* krb5_unparse_name() output with some extra escaping */ ;
>> GROUP: "group" ;

If you want to get rid of magic characters, and increase readability,
instead of using a : to designate a group (which is arbitrary and
ugly), explicitly denote principals and groups, and use (or at least
allow) English tokens when reasonable.  Also, allow "implicit" groups.
That is, anywhere you can give a single name, allow more than one to
be specified.

    group marc = principal marc@CYGNUS.COM, principal marc@CYGNUS.COM, not
	    principal marc@GZA.COM 
	    # ok, the not thing doesn't do anything, it's an example

    acl group marc LACIDEM = principal *
    acl principal tlyu@ATHENA.MIT.EDU, principal tlyu@ZONE.MIT.EDU A = principal host/*

I think you get the idea.

You should also say if acl lines are ordered or not.

Oh, and define a comment character RIGHT NOW, before it's too late :-)

		Marc
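
The keyword syntax sketched in the message above, as an added example that is not part of the original post or of any Kerberos code: a small Python parser for the three sample lines. It assumes `#` starts a comment, an indented line continues the previous one, `,` and `=` are standalone separators, and names contain no whitespace, commas or `#`; the thread settles none of these, and all function names are hypothetical.

```python
import re

PERMS = re.compile(r"[LACIDEM*]+")  # PERMS token from the quoted grammar

def logical_lines(text):
    """Drop '#' comments (assumed) and fold indented continuation lines (assumed)."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + line
        else:
            out.append(line)
    return out

def parse_entities(tokens):
    """Parse comma-separated '[not] principal|group NAME' items."""
    entities, item = [], []
    for tok in tokens + [","]:
        if tok != ",":
            item.append(tok)
            continue
        negated = item[:1] == ["not"]
        rest = item[1:] if negated else item
        if len(rest) != 2 or rest[0] not in ("principal", "group"):
            raise ValueError(f"expected '[not] principal|group NAME', got {item}")
        entities.append((negated, rest[0], rest[1]))
        item = []
    return entities

def parse_line(line):
    tokens = line.replace(",", " , ").split()
    if "=" not in tokens:
        raise ValueError(f"missing '=' in {line!r}")
    eq = tokens.index("=")
    left, right = tokens[1:eq], tokens[eq + 1:]
    if tokens[0] == "group" and len(left) == 1:
        return ("group", left[0], parse_entities(right))
    # In an acl line the last token before '=' is the permission string.
    if tokens[0] == "acl" and left and PERMS.fullmatch(left[-1]):
        return ("acl", parse_entities(left[:-1]), left[-1], parse_entities(right))
    raise ValueError(f"unrecognized line {line!r}")

def parse_acl_file(text):
    """Return parsed entries in file order; ordering semantics are left open."""
    return [parse_line(line) for line in logical_lines(text)]

# Constructed sample: the example lines from the message, unindented.
SAMPLE = """group marc = principal marc@CYGNUS.COM, principal marc@CYGNUS.COM, not
\tprincipal marc@GZA.COM
\t# ok, the not thing doesn't do anything, it's an example
acl group marc LACIDEM = principal *
acl principal tlyu@ATHENA.MIT.EDU, principal tlyu@ZONE.MIT.EDU A = principal host/*
"""
```
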