[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: denyop (Was: commit: ldap/servers/slapd/back-monitor back-monitor.h database.c init.c proto-back-monitor.h)

To: <hyc@OpenLDAP.org>
Subject: Re: denyop (Was: commit: ldap/servers/slapd/back-monitor back-monitor.h database.c init.c proto-back-monitor.h)
From: "Pierangelo Masarati" <ando@sys-net.it>
Date: Sun, 2 May 2004 22:13:56 +0200 (CEST)
Cc: <Kurt@OpenLDAP.org>, <openldap-devel@OpenLDAP.org>
Importance: Normal
In-reply-to: <40937A0E.9050201@sys-net.it>
References: <200404262356.i3QNucuB084559@cantor.openldap.org> <6.0.1.1.0.20040427091316.0492bdb0@127.0.0.1> <40937A0E.9050201@sys-net.it>

> I would separate the two issues based on the context they may be used.
> This would clarify that both attributes (at least both principles) are
> useful.  The "denyop" approach should be intended as a means to
> fine tuning what operations a database can be used for; the "readOnly"
> apporach would be rather administrative, i.e. used by an administrative
> entity to operate temporary mode changes, e.g. right before changing the
> configuration in a way that requires disabling of write operations (e.g.
> the schema is being changed, a replica is being added or so).
>
> In this sense, "denyop" would be nearly permamnent, and fine tuning is
> desirable; "readOnly" would be mostly temporary, and coarse but
> quick'n'easy write disabling would be preferable.  In this sense I'm in
> favour of a multi-valued "denyOp" attribute, plus a boolean "readOnly"
> that, when set, overrides the write "denyOp" values (simply, it's
> honored before "denyOp" is checked).

I just committed some code to enable selective modification of readOnly
and restrictedOperation attributes in what I think is a consistent manner
(if any can be defined).  The approach is opposed to what Howard used for
the readOnly attribute only, and I'm sure there are issues left;
essentially, readOnly and restrictedOperation act on the same underlying
data, and the former essentially acts on a subset of the latter.  One
issue is, for instance, that if we consider readOnly a shortcut to disable
write operations, if applied to a database that already restricts some
operations there is no easy way to revert it, e.g.

# status
readOnly: FALSE
restrictedOperation: compare
restrictedOperation: delete

# apply readOnly=TRUE
readOnly: TRUE
restrictedOperation: compare
restrictedOperation: add
restrictedOperation: delete
restrictedOperation: modify
restrictedOperation: rename

# apply readOnly=FALSE
readOnly: FALSE
restrictedOperation: compare

The final status differs from the initial one.

Feel free to suggest changes, or to revert the changes.

Ando.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it




    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497

Follow-Ups:
- RE: denyop (Was: commit: ldap/servers/slapd/back-monitor back-monitor.h database.c init.c proto-back-monitor.h)
  - From: "Howard Chu" <hyc@highlandsun.com>

References:
- Re: denyop (Was: commit: ldap/servers/slapd/back-monitor back-monitor.h database.c init.c proto-back-monitor.h)
  - From: Pierangelo Masarati <ando@sys-net.it>

Prev by Date: Re: denyop (Was: commit: ldap/servers/slapd/back-monitor back-monitor.h database.c init.c proto-back-monitor.h)
Next by Date: OL, SSL/TLS, and load balancing
Index(es):
- Chronological
- Thread