Resend: ACI syntax definition
<resending so it will be in the list/archive>
I agreed to convert the existing ACI BNF to the style used in 2234. In addition to that, I've included a formal syntax definition for ACI. It contains both a string representation (in BNF) and a binary representation (in ASN.1).
I tried to incorporate as many agreed upon changes into it (re-introduced multi attrs, etc). There are a few things left the old way (kerberosID, ipAddress) that I believe are still up in the air. I made a couple of changes - most notable is where I moved dnType to be part of the subject (I think this will move us toward the goal of using a KerberosID or authzId format). Let me know if there are parts that don't scan correctly, don't make sense, or could be improved.
Ellen, I can maintain this as the model evolves or I can turn it over to you. Your choice.
Jim
1. ACI Syntax definition
( <OID TBD> DESC 'ACI' )
1.1 ACI String Representation
Values of this syntax are encoded according to the following BNF which
follows the BNF encoding conventions described in [RFC2234]:
   aci = scope "#" rights "#" attr "#" subject

   scope = "entry" / "subtree"

   rights = (("grant:" / "deny:") permissions) /
            ("grant:" permissions ";deny:" permissions)

   permissions = [permission *("," permission)]

   permission = "a" / ; add
                "d" / ; delete
                "r" / ; read
                "s" / ; search
                "w" / ; write
                "c" / ; compare
                "e" / ; edit DN
                "b"   ; browse DN

   attr = "[all]" / "[entry]" / (attribute *("," attribute))

   attribute = ; OID syntax (1.3.6.1.4.1.1466.115.121.1.38) from [RFC2252]

   subject = ("dn:" DN) /
             ("role:" DN) /
             ("group:" DN) /
             ("subtree:" DN) /
             ("ipAddress:" ipAddress) /
             ("kerberosID:" kerberosID) /
             "public:" /
             "this:"

   DN = ; DN syntax (1.3.6.1.4.1.1466.115.121.1.12) from [RFC2252]

   ipAddress = printableString ; dotted decimal form (e.g. 10.0.0.6)

   kerberosID = userID "@" realm
   userID = printableString
   realm = printableString

   printableString = ; printableString syntax
                     ; (1.3.6.1.4.1.1466.115.121.1.44) from [RFC2252]
Note that the colon following the "public" and "this" subject options
exists only to simplify string parsing.
1.2 ACI Binary Representation
The following ASN.1 data type is used to represent this syntax when
transferred in binary form:
   Aci ::= SEQUENCE {
       scope    ENUMERATED {
                    entry (0),
                    subtree (1) },
       rights   SEQUENCE OF CHOICE {
                    grant [0] Permissions,
                    deny  [1] Permissions },
       attr     CHOICE {
                    all        [0] NULL,
                    entry      [1] NULL,
                    attributes [2] SEQUENCE OF Attribute },
       subject  CHOICE {
                    dn         [0] DN,
                    role       [1] DN,
                    group      [2] DN,
                    subtree    [3] DN,
                    ipAddress  [4] IPAddress,
                    kerberosID [5] KerberosID,
                    public     [6] NULL,
                    this       [7] NULL } }

   Permissions ::= SEQUENCE OF ENUMERATED {
       add (0),
       delete (1),
       read (2),
       search (3),
       write (4),
       compare (5),
       editDN (6),
       browseDN (7) }

   Attribute ::= AttributeType -- from [RFC2251]

   IPAddress ::= PrintableString -- (e.g. 10.0.0.6)

   KerberosID ::= SEQUENCE {
       userID PrintableString,
       realm  PrintableString }
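Added example, not part of the draft text or of Jim's message: a Python parser for the string representation above, written directly to the BNF as given. It assumes that the attribute production accepts either a numeric OID or an RFC 2252 descriptor, that printableString is the X.680 PrintableString character set (which has no "@" or "_"), and that keyword literals are case-insensitive as RFC 2234 specifies for quoted strings. The points a validator has to get right are shown: it splits on at most three "#" so that a "#" inside the trailing DN (RFC 2253 hex form) is not taken for a separator, rejects unknown permission letters, requires grant before deny in the rights field, and maps the letters onto the ASN.1 ENUMERATED values so the two representations stay in step.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple, Union

# Permission names in ASN.1 ENUMERATED order, so each name's index is its
# binary value (add=0 ... browseDN=7); the letters are the BNF codes.
PERMISSION_NAMES = ("add", "delete", "read", "search", "write",
                    "compare", "editDN", "browseDN")
PERMISSION_CODES = dict(zip("adrswceb", PERMISSION_NAMES))
# attribute: numeric OID or RFC 2252 descriptor (assumed interpretation).
ATTRIBUTE_RE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)$")
# ipAddress: the dotted-decimal form named in the BNF comment.
IPV4_RE = re.compile(r"^(?:25[0-5]|2[0-4]\d|1?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|1?\d?\d)){3}$")
# X.680 PrintableString character set (assumed for userID/realm; no "@" or "_").
PRINTABLE_RE = re.compile(r"^[A-Za-z0-9 '()+,\-./:=?]+$")


class AciSyntaxError(ValueError):
    """The value does not conform to the ACI BNF."""


@dataclass(frozen=True)
class Aci:
    scope: str                               # "entry" or "subtree"
    grant: Tuple[str, ...]                   # granted permission names
    deny: Tuple[str, ...]                    # denied permission names
    attr: Union[str, Tuple[str, ...]]        # "all", "entry" or attribute types
    subject_type: str                        # dn, role, group, subtree, ipAddress, kerberosID, public, this
    subject_value: Optional[Union[str, Tuple[str, str]]]  # kerberosID -> (userID, realm)

    def permission_numbers(self):
        """Grant and deny lists as the ASN.1 ENUMERATED integers."""
        def enc(names):
            return tuple(PERMISSION_NAMES.index(n) for n in names)
        return enc(self.grant), enc(self.deny)


def _parse_permissions(text):
    # permissions = [permission *("," permission)]; the empty list is legal.
    if text == "":
        return ()
    try:
        return tuple(PERMISSION_CODES[c] for c in text.split(","))
    except KeyError as e:
        raise AciSyntaxError(f"unknown permission {e.args[0]!r}") from None


def _parse_rights(text):
    # rights = (("grant:" / "deny:") permissions) /
    #          ("grant:" permissions ";deny:" permissions)   -- grant first
    parts = text.lower().split(";")
    if len(parts) == 1 and parts[0].startswith("grant:"):
        return _parse_permissions(parts[0][6:]), ()
    if len(parts) == 1 and parts[0].startswith("deny:"):
        return (), _parse_permissions(parts[0][5:])
    if len(parts) == 2 and parts[0].startswith("grant:") and parts[1].startswith("deny:"):
        return _parse_permissions(parts[0][6:]), _parse_permissions(parts[1][5:])
    raise AciSyntaxError(f"malformed rights {text!r}")


def _parse_attr(text):
    if text.lower() in ("[all]", "[entry]"):
        return text.lower()[1:-1]
    attrs = tuple(text.split(","))
    if not all(ATTRIBUTE_RE.match(a) for a in attrs):
        raise AciSyntaxError(f"bad attribute list {text!r}")
    return attrs


def _parse_subject(text):
    kind, sep, value = text.partition(":")
    kind = kind.lower()
    if kind in ("public", "this") and sep and value == "":
        return kind, None                    # the colon is only a separator
    if kind in ("dn", "role", "group", "subtree") and sep:
        return kind, value                   # DN syntax; may itself contain "#"
    if kind == "ipaddress" and IPV4_RE.match(value):
        return "ipAddress", value
    if kind == "kerberosid":
        user, at, realm = value.partition("@")
        if at and PRINTABLE_RE.match(user) and PRINTABLE_RE.match(realm):
            return "kerberosID", (user, realm)
    raise AciSyntaxError(f"bad subject {text!r}")


def parse_aci(value):
    # aci = scope "#" rights "#" attr "#" subject.  Split on at most three "#"
    # so a "#" inside the trailing DN (RFC 2253 hex form, e.g. cn=#04026869)
    # is not taken for a field separator.  ABNF literals are case-insensitive,
    # so keyword fields are lower-cased before comparison; values are not.
    fields = value.split("#", 3)
    if len(fields) != 4:
        raise AciSyntaxError("expected scope#rights#attr#subject")
    scope, rights, attr, subject = fields
    if scope.lower() not in ("entry", "subtree"):
        raise AciSyntaxError(f"bad scope {scope!r}")
    grant, deny = _parse_rights(rights)
    kind, subj = _parse_subject(subject)
    return Aci(scope.lower(), grant, deny, _parse_attr(attr), kind, subj)


def is_valid_aci(value):
    try:
        parse_aci(value)
        return True
    except AciSyntaxError:
        return False
```

Because the subject is the last field and DNs may contain "#", the three-way split is the only safe way to tokenize this string form; a naive split on every "#" would either reject legitimate hex-encoded RDN values or, worse, silently truncate the subject DN. The printableString check on kerberosID is what rules out values such as "alice@sub@REALM", since "@" is outside the PrintableString set.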