
(ITS#3631) Implement granular write privileges



Full_Name: Pierangelo Masarati
Version: HEAD
OS: Linux (whitebox)
URL: ftp://ftp.openldap.org/incoming/pierangelo.masarati.addel-ACL-2005-04-04.patch
Submission from: (NULL) (81.74.43.82)


I've prepared a proof-of-concept implementation of granular write permissions,
along the line of discussion emerged from
<http://www.openldap.org/lists/openldap-devel/200504/msg00001.html>.  A patch
has been uploaded to the URL indicated below.

The reworking of the ACL macros is a bit cumbersome at the moment, but it should
be flexible enough to allow granularity addition to other access levels.

Currently, only back-bdb/hdb is addressed, so admins that use other backends
should not exploit this functionality.

The syntax is quite simple: given a rule

access to <what>
        by <who> <access>

an <access> of "write" or "=w" will grant both privileges; an <access> of "+z"
will grant add privileges and "=z" will grant delete privileges.

The request for an access level of ACL_WRITE will require both privileges, while
a request for ACL_WADD and ACL_WDEL will require only add or delete privileges,
respectively.

In modrdn, I'm not sure what access should be required to the "children"
pseudo-attribute of the oldParent; currently, if newSuperior == NULL then
"write" is required, otherwise "delete" suffices; "add" is then required to the
"children" pseudo-attribute of the newSuperior.  The entry's "entry"
pseudo-attribute requires both delete and add (in one word, write)
privileges.

If there's consensus on the patch, it can be trivially extended to all backends
by simply graduating the occurrences of ACL_WRITE in ACL_WADD and ACL_WDEL as
appropriate.

p.
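The grant syntax and the modrdn requirements described in the post above, modelled as a small stand-alone C program (an added example, not code from the patch or from slapd; the bit values and the function names acl_grant_bits, acl_allowed and modrdn_required are assumptions for illustration):

```c
/* Added example: a stand-alone model of the granular write checks described
 * in this ITS. Bit values and function names are assumptions for illustration,
 * not slapd's own ACL macros or code. */
#include <stdbool.h>
#include <string.h>

/* Modelled privilege bits: write is the union of add and delete. */
#define ACL_WADD  0x1u
#define ACL_WDEL  0x2u
#define ACL_WRITE (ACL_WADD | ACL_WDEL)

/* Map the <access> tokens named in the post to privilege bits:
 * "write" or "=w" grant both, "+z" grants add, "=z" grants delete. */
unsigned acl_grant_bits(const char *access)
{
    if (strcmp(access, "write") == 0 || strcmp(access, "=w") == 0)
        return ACL_WRITE;
    if (strcmp(access, "+z") == 0)
        return ACL_WADD;
    if (strcmp(access, "=z") == 0)
        return ACL_WDEL;
    return 0; /* any other token grants no write-class privilege */
}

/* A request succeeds only if every requested bit is granted:
 * ACL_WRITE needs both, ACL_WADD / ACL_WDEL need only their own bit. */
bool acl_allowed(unsigned granted, unsigned requested)
{
    return (granted & requested) == requested;
}

/* Access modrdn requires on each pseudo-attribute, as the post describes:
 * old parent's "children": write if there is no newSuperior, else delete;
 * new superior's "children": add (only when a newSuperior is given);
 * the renamed entry's own "entry": write (delete plus add). */
struct modrdn_req { unsigned old_children, new_children, entry; };

struct modrdn_req modrdn_required(bool has_new_superior)
{
    struct modrdn_req r;
    r.old_children = has_new_superior ? ACL_WDEL : ACL_WRITE;
    r.new_children = has_new_superior ? ACL_WADD : 0;
    r.entry = ACL_WRITE;
    return r;
}
```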