
Re: expansion of groups/roles/subtree subjects in LDAP ACM



Brian/Kurt,

Mmm, I see your point: in the case of a deny aci where the subject
evaluates to undefined then the "err on the conservative side" principle
would imply that the aciSubject should apply (i.e. the deny kicks in).

This behaviour seems reasonable to me.  Equally, being explicit that we
are not requiring remote group/role evaluation also seems good.

Here's a sketch of the text that would give us that behaviour--just the
changed sections:

"
4.3.2.4  Applicability Rules for Subjects

Call the subject portion of the ACI in question aciSubject.  Note that
it is possible that some applicability rules required for evaluating
aciSubject will evaluate to undefined.  So, an applicability rule can
evaluate to one of three values: applies/does not apply/undefined--these
cases are treated explicitly in the text.
To determine if aciSubject applies to requestorSubject we apply the
following rules:

  1.  The ACI in question is a grant ACI.  Then the ACI applies if both
      the context and pureSubject portions of aciSubject apply, as
      defined in "Applicability Rules for Context" and "Applicability
      Rules for pureSubject" below.

  2.  The ACI in question is a deny ACI.  There are three possibilities:

        a.  The pureSubject part applies or is undefined (according to
            "Applicability Rules for pureSubject").  Then the ACI applies
            to requestorSubject.

        b.  The pureSubject part does not apply.  Then the ACI applies
            to any requestorSubject with an authnLevel less than the
            authnLevel of the ACI.

        c.  Otherwise the ACI does not apply.
"

and

"
4.3.2.7  Applicability Rules for idBasedSubject

If idBasedSubject is of type thisSubject, then it applies to
requestorSubject if authzId from requestorSubject is of type "dn" and is
equal to the DN of the resource.

If idBasedSubject is of type oneSubject, then it applies to
requestorSubject if authzId from requestorSubject is equal to the
authzId specified in aciSubject.

If idBasedSubject is of type setOfSubjects, then it applies to
requestorSubject if authzId from requestorSubject is defined to be in
the set specified in aciSubject (i.e. is in that group, role or
subtree).  The "Precedence of Subjects within a Scope" includes rules
for determining membership in a setOfSubjects. If the group or role
definition is remote then servers MAY perform a remote operation to
determine membership. If the server does not support remote evaluation
then evaluation of a remote group or role evaluates to undefined.  In
general, if this membership evaluation cannot be completed (e.g. because
of resource limits or problems with a remote server that stores the
group/role definition) then the idBasedSubject evaluates to undefined.
"

Rob.
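The three-valued evaluation sketched in the proposed text above, written out as an added example (it is not code or text from the draft or from anyone in this thread): a grant ACI needs a positive result on both parts, while a deny ACI treats an undefined subject as applying. The Aci and Requestor classes, and modelling a setOfSubjects as either a resolved set of authzIds or None for a remote group the server cannot evaluate, are assumptions of this sketch.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Tri(Enum):
    """Three-valued result of an applicability rule (4.3.2.4)."""
    APPLIES = "applies"
    DOES_NOT_APPLY = "does not apply"
    UNDEFINED = "undefined"

@dataclass(frozen=True)
class Aci:
    kind: str                   # "grant" or "deny"
    authn_level: int            # authnLevel carried by the ACI
    # Hypothetical model of a setOfSubjects: the authzIds the server could
    # resolve, or None when a remote group/role could not be evaluated.
    members: Optional[frozenset]
    context: Tri = Tri.APPLIES  # outcome of "Applicability Rules for Context"

@dataclass(frozen=True)
class Requestor:
    authz_id: str
    authn_level: int

def pure_subject(aci: Aci, req: Requestor) -> Tri:
    """4.3.2.7: a membership lookup that cannot complete evaluates to undefined."""
    if aci.members is None:
        return Tri.UNDEFINED
    return Tri.APPLIES if req.authz_id in aci.members else Tri.DOES_NOT_APPLY

def aci_applies(aci: Aci, req: Requestor) -> bool:
    ps = pure_subject(aci, req)
    if aci.kind == "grant":
        # Rule 1: both parts must positively apply, so undefined never grants.
        return aci.context is Tri.APPLIES and ps is Tri.APPLIES
    # Rule 2 (deny ACI):
    if ps in (Tri.APPLIES, Tri.UNDEFINED):  # 2a: undefined still denies
        return True
    if req.authn_level < aci.authn_level:   # 2b: weaker authentication
        return True
    return False                            # 2c

if __name__ == "__main__":
    # Constructed scenario: a remote group this server cannot evaluate.
    # The same undefined result grants nothing but still triggers the deny.
    alice = Requestor("dn:cn=alice,dc=example", authn_level=2)
    print(aci_applies(Aci("grant", 1, None), alice))  # False
    print(aci_applies(Aci("deny", 1, None), alice))   # True
```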

Brian Jarvis wrote:
> 
> Sorry about previous copies and confusion with this message.  #$^%^ mail program and fat fingers.
> 
> Rob,
> 
> I think we need to differentiate between grant and deny acis when evaluation
> fails--we should always fail toward denying the access.  On failure, a grant
> aci should assume the aciSubject does not apply while a deny aci should
> assume that it does apply.
> 
> --the walrus
> 
> > -----Original Message-----
> > From: robert byrne [mailto:robert.byrne@Sun.COM]
> > Sent: Monday, July 09, 2001 8:25 AM
> > To: Kurt D. Zeilenga
> > Cc: john.strassner@intelliden.com; Ryan Moats;
> > ietf-ldapext@netscape.com
> > Subject: Re: expansion of groups/roles/subtree subjects in LDAP ACM
> >
> >
> >
> > Kurt,
> >
> > I think what's needed here is for the draft to specify that, if the
> > evaluation of any part of the subject fails, then the subject part of
> > that aci does not apply.  So we can change the intro to 4.3.2.4 to
> > something like:
> >
> > "4.3.2.4  Applicability Rules for Subjects
> >
> > Call the subject portion of the ACI in question aciSubject.  Then to
> > determine if aciSubject applies to requestorSubject we apply the
> > following rules.  In the case where the server fails to evaluate a
> > rule and so fails to fully confirm that aciSubject applies, then
> > aciSubject does not apply."
> >
> > Rob.
> >
> > John Strassner wrote:
> > >
> > > agreed, except that noting in the log system that the group/role/subtree
> > > has not been fully expanded **may** give, in some cases, more information
> > > than needed and be a start in compromising security.
> > >
> > > regards,
> > > John
> > >
> > > -----Original Message-----
> > > From: Ryan Moats [mailto:rmoats@lemurnetworks.net]
> > > Sent: Thursday, July 05, 2001 2:18 PM
> > > To: Kurt D. Zeilenga
> > > Cc: ietf-ldapext@netscape.com
> > > Subject: Re: expansion of groups/roles/subtree subjects in LDAP ACM
> > >
> > > On Thu, Jul 05, 2001 at 12:58:23PM -0700, Kurt D. Zeilenga wrote:
> > > > How are exceptional conditions in expanding
> > > > groups/roles/subtrees to be handled?  In particular,
> > > > what is the ACM behavior when the groups/roles/subtrees
> > > > cannot be fully expanded and the requestor's DN is not
> > > > found in the partial set of DNs?
> > > >
> > > > Kurt
> > >
> > > Well as an initial (not perfect) suggestion I would opt for
> > > notifying via the log system that the group/role/subtree
> > > has not been fully expanded and that access has been denied
> > > because the DN is not in the partial set.
> > >
> > > Ryan
> >