Re: Milestone 2: authentication and authorization

From: Branko Čibej <brane_at_xbc.nu>
Date: 2000-12-14 01:32:28 CET

Jim Blandy wrote:

> In the former system, it's possible that authorization would be
> implemented entirely in mod_dav_svn, with no help from the FS.

No, that can't work, svn_ra_dav won't be the only RA layer. The ACLs
must be stored in the filesystem, either as node properties or in a
separate table.

A separate table may even be a better idea, given that an authorisation
check must be done /before/ accessing a node's data. You have to
synchronize the index with the nodes table, but that's not such a chore
in our case because we never delete a node or revision (yet).

The index for the ACL table can have the same structure as the index in
the nodes table. (Maybe it can even be the same index? Does DB3 let you
hook more than one piece of data off the same index entry?)

In general, the it's always the filesystem that should whether or not to
allow an operation. That decision is based on more than just (user +
operation + ACL); teansactions, etc., can influence it.

-- 
Brane ďż˝ibej
    home:   <brane_at_xbc.nu>             http://www.xbc.nu/brane/
    work:   <branko.cibej_at_hermes.si>   http://www.hermes-softlab.com/
     ACM:   <brane_at_acm.org>            http://www.acm.org/

Received on Sat Oct 21 14:36:17 2006

This message: [ Message body ]
Next message: Greg Stein: "authorization (was: Re: Milestone 2: ...)"
Previous message: Jim Blandy: "Re: Milestone 2: authentication and authorization"
In reply to: Jim Blandy: "Re: Milestone 2: authentication and authorization"
Next in thread: Greg Stein: "authorization (was: Re: Milestone 2: ...)"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]