Access control mechanism for web2
Reported by: Tv | Owned by: Tv
Merge web2-access forward, rename to have this ticket in the name.
(04:29:05) exarkun: Tv: Hello
(04:29:17) exarkun: Tv: What are your thoughts regarding /branches/tv/web2-access?
(10:29:06) Tv: exarkun: i think nobody ever reviewed web2-access
(10:29:28) Tv: exarkun: i still think it's a nice feature
(10:48:39) exarkun: Tv: The implementation seems contrary to the typical manner of authentication and authorization in Twisted.
(11:30:25) Tv: exarkun: feel free to comment further on *how* you would like it to look
(11:47:10) exarkun: Tv: cred wooo
(11:47:47) Tv: exarkun: yes, well, see how well the original web cred integration worked
(11:48:01) exarkun: Tv: fucking _fabulously_ what are you talking about?
(11:48:23) Tv: exarkun: about the fact that most people can't use it
(11:48:31) _keturn: are you talking about some ticket I should be paying attention to?
(11:48:32) exarkun: Tv: everyone can and must use it
(11:48:50) exarkun: _keturn: we're not even talking about a ticket. :)
(11:48:52) Tv: exarkun: nice disconnection, let me know when you want to come back to reality ;)
(11:48:58) radix: Tv: Why can't they use it?
(11:49:11) Tv: besides, cred does mostly user auth
(11:49:18) Tv: there's plenty of other ACL stuff
(11:49:24) Tv: on the phone
(11:49:36) exarkun: Tv: don't forget that "auth" is short for two things :)
(11:49:38) radix: Yes, ACL is out of the scope of cred. That is authorization.
(11:49:44) exarkun: Tv: an ACL is just one kind of authorization.
(11:49:50) Tv: radix: web2-access is meant to be ACL
(11:49:50) exarkun: radix: and cred does authorization
(11:49:54) exarkun: in addition to access to control
(11:49:57) exarkun: erasdlkj
(11:49:57) radix: well, ok
(11:50:00) exarkun: in addition to authentication
(11:50:03) radix: it gives you the first step to authorization :)
(11:50:16) exarkun: ACLs can be implemented with an avatar that has ACL logic in it
(11:51:06) radix: Tv: anyway, you didn't explain why people can't use cred
(11:51:18) radix: Tv: I will patiently await the end of your phone call.

(13:14:14) Tv: exarkun: so
(13:14:33) Tv: exarkun: one of the things i like about web2-access is that you can plug in ACL enforcers at any point in the resource tree
(13:15:20) Tv: exarkun: what i tend to do is have a full self-contained "app" that i just plug in to the resource tree, and the app takes care of its own ACL enforcement
(13:15:43) Tv: exarkun: and if you want global sysadmin-configured ACL enforcing, you can just use the same mechanism at the top level
(13:17:11) foom: OMG this is another conversation I've had like 50000 times, isn't it?
(13:17:15) foom: I think it's even on a ticket now
(13:17:56) Tv: probably yes
(13:18:58) foom: http://twistedmatrix.com/trac/ticket/2042
(13:23:21) Tv: most of that ticket seems to be mostly concerned about authenticating users
(13:23:39) Tv: and authorizing based on username
(13:23:46) Tv: web2-access also does source-IP etc
(13:30:27) Tv: the biggest connection between the web2-access branch and #2042, that i can see, is that web2-access would read that mythical userid string
(13:30:31) Tv: and allow comparing it
(13:30:45) Tv: but that's just one of the tests in web2-access
(13:31:45) foom: well, the whole philosophical argument you were starting to espouse is exact same thing, I think, as was being argued there.

(13:32:09) Tv: is anyone actually saying t
(13:32:11) Tv: err
(13:32:32) Tv: okay
(13:32:33) Tv: honestly
(13:32:46) Tv: as far as i care, glyph is an abstraction astronaut
(13:33:32) foom: btw, how does your thing compare with dav-acl-1608-4
(13:33:32) Tv: what i really want is a simple way to have a subtree of objects where one lower level subtree is only accessible to localhost
(13:36:11) foom: Tv: From the face of it, they're both doing quite similar things
(13:36:19) Tv: foom: perhaps
(13:36:30) Tv: i'm trying to figure out what's non-dav in 1608
(13:39:31) Tv: well on the simplest level, #1608 gives you nothing unless you drink DAV koolaid
(13:39:42) foom: only because it was implemented only for DAV resources
(13:39:56) foom: (I think)
(13:39:59) Tv: trying to find the generic bits from inside of it
(13:40:18) foom: dreid could probably do a better job of helping
(13:41:01) Tv: +        return davxml.ACL(*[
(13:41:01) Tv: +            davxml.ACE(
(13:41:01) Tv: +                davxml.Grant(davxml.Privilege(privilege)),
(13:41:01) Tv: +                davxml.Principal(davxml.All())
(13:41:01) Tv: +            )
(13:41:01) Tv: +            for privilege in privileges
(13:41:01) Tv: +        ])
(13:41:34) dreid: nothing is non-dav in 1608
(13:41:45) dreid: it is an implementation of the WebDAV ACL protocol.
(13:41:54) dreid: It is more or less entirely dav specific.
(13:42:03) Tv: yeah, that's what it seemed like
(13:42:13) Tv: web2-access is more like
(13:42:14) Tv:     # /friends subtree is shown to these hosts
(13:42:14) Tv:     And( Segments('friends'),
(13:42:14) Tv:          Or( Network('10.0.1.0/255.255.255.0'),
(13:42:14) Tv:              Network('10.0.2.0/255.255.255.0'),
(13:42:14) Tv:              ),
(13:42:14) Tv:          ),
(13:42:24) Tv: talking about url segments, ip addresses, etc
(13:42:29) dreid: And figuring it out how to make it not dav specific is not my idea of a good time.
(13:42:30) exarkun: Tv: you can put multiple resource guards into a single url hierarchy
(13:42:40) dreid: also that thing exarkun said.

(13:42:41) foom: dreid: oh okay, I thought it had some stuff that might be more generic
(13:42:48) dreid: foom: generic is hard.
(13:42:49) Tv: exarkun: i want one login only, though
(13:42:50) exarkun: dreid: any progress being made on moving that branch somewhere?
(13:42:57) foom: exarkun: moving?
(13:42:59) exarkun: Tv: and that works too
(13:43:04) foom: exarkun: you mean merging?
(13:43:13) Tv: exarkun: good
(13:43:15) exarkun: causing any changes in it at all :)
(13:43:17) radix: foom: *that* question was asked a long time ago
(13:43:25) dreid: exarkun: No, we'll figure it out after the auth stuff settles down and we ship leopard.
(13:43:26) Tv: exarkun: now, do you think i should use guard for IP-based limits?
(13:43:36) exarkun: Tv: yes
(13:43:57) Tv: exarkun: maybe web2 has something called "guard" that is very different from nevow's guard..
(13:44:09) dreid: Tv: I've avoided calling it guard.
(13:44:35) Tv: exarkun: but web2-access's AccessControl tries to be such a thing you can put at any place in the tree
(13:44:35) exarkun: Tv: the shortcoming of nevow's guard is that it doesn't make credential type easily configurable
(13:44:46) exarkun: Tv: it has a hardcoded list of about three things it supports
(13:44:57) foom: web2-access's AccessControl is basically a guard, isn't it?
(13:45:12) Tv: foom: depending on what you mean by "guard", but I guess yes
(13:45:28) Tv: foom: it guards the resources underneath it in the tree
(13:45:43) exarkun: foom: the biggest difference, I think, is that with AccessControl you call a function and it returns a deferred which tells you if access is allowed or not
(13:45:44) Tv: according to a pluggable set of rules
(13:45:49) exarkun: foom: and then you do something based on that result
(13:46:02) foom: exarkun: so it's half of guard.

(13:46:14) exarkun: I suppose
(13:46:19) Tv: yeah, that's the IRule bit
(13:46:29) Tv: and AccessControl lets you combine those with And, Or, Not etc
(13:46:32) idnar: can I change the usage output from t.p.u.O to show the names of "positional" args?
(13:46:39) dreid: the stuff in #1608 works similarly, and there has been quite a bit of discussion about whether or not that is completely wrong.
(13:46:49) dreid: and by discussion I mean exarkun and glyph yelling at me. :)
(13:47:01) foom: glyph and exarkun like to yell at people about guard stuff
(13:47:35) exarkun: I don't like yelling at people at all
(13:47:48) itamar: I would argue that IP-based access control is orthogonal
(13:47:49) exarkun: I would like it if all of you jerks would stop making me do it
(13:47:50) exarkun: ;)
(13:47:50) Tv: exarkun: yes your style is more *passive* aggressive
(13:47:58) exarkun: itamarst: SHUT UP YOU DON'T KNOW ANYTHING YOU ASS GO AWAY
(13:48:04) itamar: for a *specific* resource
(13:48:09) itamar: not with a subtree language
(13:48:18) exarkun: itamarst: RAAAAAAAAAAAAAAAAAAAAAAAGGGGGGGHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(13:48:31) itamar: because otherwise how would you hook it up to cred!@
(13:48:34) ***idnar gets popcorn
(13:48:49) Tv: itamar: the point of web2-access is that you can say things like "https OR localhost"
(13:49:14) itamar: that's probably something you want per-avatar
(13:49:14) itamar: but
(13:49:27) itamar: the basic implementation would have to be for resources
(13:49:32) itamar: since avatars are resources in web
(13:49:58) foom: don't start with that one again. :P
(13:50:10) itamar: ok whatever
(13:50:20) itamar: I'll go back to reading
(13:50:22) foom: there has to be a lower level function which does the access control decision. web2-access might be a good implementation of that, and should be reviewed on that basis, at least.
(13:50:48) foom: how that is hooked up to other stuff is a point of argument, but however that happens, the lower level function is the same
(13:51:44) foom: That's how I'd like to see this branch move forward.
(13:52:11) exarkun: Okay!
(13:52:21) exarkun: It sounds like we aren't just going to delete it right now, then.
(13:52:31) Tv: foom: yay!
(13:52:34) exarkun: So how about someone files a ticket saying the thing foom just said
(13:52:42) Tv: foom: that works for me 100%
(13:52:48) exarkun: And then does the appropriate svn dance to make the branch line up with it
(13:53:22) exarkun: Anyone want to volunteer to do that?
(13:53:35) Tv: i still claim lack of understanding of goal
(13:53:43) foom: Tv: merge branch forward with a ticket number in it
(13:53:50) exarkun: The goal is to get rid of the "/branches/tv" directory in svn. ;)
(13:54:04) foom: Tv: then put it up for review and see if we can get it merged.
(13:54:20) Tv: ok
(13:54:39) foom: assuming it's ready for review, I don't know if you had it at that point or not?
(13:54:48) exarkun: And once all of the user branches directories are gone, I think we might generalize that goal a little bit to resolving tickets with existing branches associated with them.
(13:55:07) exarkun: And once we make some progress on that, we might try to tackle the repo reorg
(13:55:46) dreid: omg
(13:55:54) exarkun: Tv: So you will make the ticket and merge the branch forward?
(13:56:14) Tv: yeah
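Added illustration of the rule-combinator style the log describes (And/Or/Not over source-network and URL-segment tests, "https OR localhost"), written for this ticket page; it is not the web2-access branch's own code. Class names, the request dict fields and the plain-boolean `check` (the branch returns Deferreds) are assumptions.

```python
import ipaddress


class Rule:
    """One pluggable access test; check() returns True when the rule is satisfied."""
    def check(self, request):
        raise NotImplementedError


class And(Rule):
    def __init__(self, *rules): self.rules = rules
    def check(self, request): return all(r.check(request) for r in self.rules)


class Or(Rule):
    def __init__(self, *rules): self.rules = rules
    def check(self, request): return any(r.check(request) for r in self.rules)


class Not(Rule):
    def __init__(self, rule): self.rule = rule
    def check(self, request): return not self.rule.check(request)


class Network(Rule):
    """Client address lies inside a network; accepts 'addr/netmask' or CIDR notation."""
    def __init__(self, spec): self.net = ipaddress.ip_network(spec, strict=False)
    def check(self, request):
        # An address of the other IP version is simply not in the network (returns False).
        return ipaddress.ip_address(request["client_ip"]) in self.net


class Segments(Rule):
    """Request path begins with the given URL segments (guards a subtree)."""
    def __init__(self, *segs): self.segs = tuple(segs)
    def check(self, request): return tuple(request["segments"][:len(self.segs)]) == self.segs


class Secure(Rule):
    def check(self, request): return bool(request.get("secure"))


LOCALHOST = Or(Network("127.0.0.0/8"), Network("::1/128"))

# Constructed policy: /friends only from two internal networks; anything else needs https or localhost.
POLICY = Or(
    And(Segments("friends"), Or(Network("10.0.1.0/255.255.255.0"), Network("10.0.2.0/255.255.255.0"))),
    And(Not(Segments("friends")), Or(Secure(), LOCALHOST)),
)


def allowed(policy, client_ip, path, secure=False):
    """Evaluate a policy against a request; the dict shape here is an assumption."""
    segments = tuple(s for s in path.split("/") if s)
    return policy.check({"client_ip": client_ip, "segments": segments, "secure": secure})
```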