
Resend: ACI syntax definition



<resending so it will be in the list/archive>

I agreed to convert the existing ACI BNF to the style used in 2234. In addition to that, I've included a formal syntax definition for ACI. It contains both a string representation (in BNF) and a binary representation (in ASN.1).

I tried to incorporate as many agreed-upon changes into it as I could (re-introduced multi-attrs, etc.). There are a few things left the old way (kerberosID, ipAddress) that I believe are still up in the air.  I made a couple of changes - most notable is where I moved dnType to be part of the subject (I think this will move us toward the goal of using a KerberosID or authzId format). Let me know if there are parts that don't scan correctly, don't make sense, or could be improved.

Ellen, I can maintain this as the model evolves or I can turn it over to you. Your choice.

Jim

1. ACI Syntax definition

   ( <OID TBD> DESC 'ACI' )


1.1 ACI String Representation

   Values of this syntax are encoded according to the following BNF which 
   follows the BNF encoding conventions described in [RFC2234]:

   aci = scope "#" rights "#" attr "#" subject

   scope = "entry" / "subtree"

   rights = (("grant:" / "deny:") permissions) / 
            ("grant:" permissions ";deny:" permissions)

   permissions = [permission *("," permission)]

   permission = "a" / ; add
                "d" / ; delete
                "r" / ; read
                "s" / ; search
                "w" / ; write
                "c" / ; compare
                "e" / ; edit DN
                "b"   ; browse DN

   attr = "[all]" / "[entry]" / (attribute *("," attribute))
   
   attribute = ; OID syntax (1.3.6.1.4.1.1466.115.121.1.38) from [RFC2252]

   subject = ("dn:" DN) /
             ("role:" DN) /
             ("group:" DN) /
             ("subtree:" DN) /
             ("ipAddress:" ipAddress) /
             ("kerberosID:" kerberosID) /
             "public:" /
             "this:"

   DN = ; DN syntax (1.3.6.1.4.1.1466.115.121.1.12) from [RFC2252]

   ipAddress = printableString ; dotted decimal form (e.g. 10.0.0.6)

   kerberosID = userID "@" realm

   userID = printableString

   realm = printableString

   printableString = ; printableString syntax
                     ; (1.3.6.1.4.1.1466.115.121.1.44) from [RFC2252]

   Note that the colon following the "public" and "this" subject options
   exists only to simplify string parsing.
  

1.2 ACI Binary Representation
 
   The following ASN.1 data type is used to represent this syntax when
   transferred in binary form:

   Aci ::= SEQUENCE {
      scope      ENUMERATED {
            entry       (0),
            subtree     (1) },
      rights     SEQUENCE OF CHOICE {
            grant       [0] Permissions,
            deny        [1] Permissions },
      attr       CHOICE {
            all         [0] NULL,
            entry       [1] NULL,
            attributes  [2] SEQUENCE OF Attribute },
      subject    CHOICE {
            dn          [0] DN,
            role        [1] DN,
            group       [2] DN,
            subtree     [3] DN,
            ipAddress   [4] IPAddress,
            kerberosID  [5] KerberosID,
            public      [6] NULL,
            this        [7] NULL } }

   Permissions ::= SEQUENCE OF ENUMERATED {
      add        (0),
      delete     (1),
      read       (2),
      search     (3),
      write      (4),
      compare    (5),
      editDN     (6),
      browseDN   (7) }

   Attribute ::= AttributeType -- from [RFC2251]

   IPAddress ::= PrintableString -- (e.g. 10.0.0.6)

   KerberosID ::= SEQUENCE {
      userID     PrintableString,
      realm      PrintableString }