On Sat, Aug 30, 2014 at 1:42 AM, Branko Čibej <brane_at_wandisco.com> wrote:
> On 29.08.2014 23:03, stefan2_at_apache.org wrote:
> Author: stefan2
> Date: Fri Aug 29 21:03:25 2014
> New Revision: 1621387
> URL: http://svn.apache.org/r1621387
> On the authzperf branch: Make /**/ segments match empty paths, i.e. zero
> segments, as well. That is in line with what e.g. zsh globbing does as well.
> This is contrary to what's written in the design doc in the wiki.
Yes, it is.
Friday afternoon during the SHF hackathon, I had a short discussion with
Ben and Justin. We discovered that the glob path matchers that we could
find (I remember zsh), would make "**" match empty paths by default.
Seeing now how small the difference in the parsing and matching code is,
we could even decide to make that behaviour an option. I don't suggest it
ATM because using wildcards correctly will already be challenging to
inexperienced admins (= 100% after the initial release) and behavioural
options may make discussions on users@ much harder.
It also invalidates the wildcard normalization rules defined in that doc
> (and implemented by the parser), making the wildcard semantics
> inconsistent. For example, the rule that a trailing /** should be converted
> to a /* clearly no longer works after this change
As it turned out "**" is a much more powerful pattern than it may appear.
The reason is the difference between a rule_matching_ a path and its
ACL just applying by default to the respective sub-tree.
That means "/foo/**" matches all paths below "/foo" _individually_ (and
since 1621387 /foo itself), overriding any previous definitions and
a following "/foo/bar" rule to exactly that node. So, normalizing trailing
"/**" to just "/*" as per my original design has always been wrong.
Fixed in r1621521.
> Please update the doc and make the design consistent before implementing
> major semantic changes.
I updated the wiki page now to make it match the code again, updated
terminology to make it match your API and (hopefully) addressed the
comments to had on the page. I left the comments in for you to review.
Received on 2014-08-30 21:38:29 CEST