[Catacomb] Re: catacomb acl
On Thu, 24 Jun 2004 01:22:18 +0800 (KRAST), Artem Lantsev
> hello Sung
> I have several thoughts - and would very much appreciate it if you read them
> 1. It's obvious that the principal is just another type of the resource - and I wonder why it is not specified in RFC
You might want to send some requests to the acl mailing list: firstname.lastname@example.org
> 3. Then, the way the live properties are processed needs to be rewritten - as far as I understand it must be implemented as a hook - so anyone will be able to add a new live property and the way to process it without recompiling mod_dav and mod_catacomb - only by adding a new module to apache
> 4. I've made several changes in mod_dav - how can I integrate these changes into the apache repository?
Great. Send a patch to Apache HTTP development list: email@example.com
> 5. I would like to make several changes in the general catacomb database design
No problem. Go ahead and submit patches.
> 6. Each collection MUST have one ACL to assign to newly created non-collection child resources, and another ACL to assign to newly created child collection resources.
> I guess that it must be implemented the same way as in NT - each ACE in the ACL must have special flags which indicate whether this ACE propagates to newly created child collection and non-collection resources.
> 7. Another point which is not clear to me is the way of communication between the dav module (catacomb) and some authentication module.
> As far as I understand, in the ideal case the authentication must be torn off into a separate module - like mod_ldap or something else - this module will process all authentication logic
> but the problem is that the same repository collection can contain several resources, and one resource can be accessed by anyone, while another can have access rights only for certain users
> I have no idea how to use standard authentication apache modules to allow this.
> So I guess that whole repository directory will be mandatory served by some authentication module.
> Another open question is how to map logged user into ACL principal - I have some ideas how to map logged user into ACL user principal, but it is not clear what I have to do with groups.
> In the ideal case it would be perfect to use some standard way to manage user groups - like ldap - but it is not quite clear to me now.
> Another thought - as I mentioned above - principal is just another resource - so in general it is possible to use PROPFIND/PROPPATCH WebDAV requests to manage groups.
> And maybe the easiest way will be to initially make the authentication implementation completely based on the catacomb module.
> Your thoughts and advice will be very much appreciated.
I haven't thought about ACL implementations in detail, but there have
been a couple of emails about the issues in the apache development mailing
> I intend to complete the sample working version in the next 1,2 weeks - it will be an almost straightforward implementation of the ACL support - but I think that many of the things mentioned above have to be implemented in the near future
Great. Look forward to your patches.
> kind regards
> Artem Lantsev
> PS: I tried to get the catacomb code from CVS about one week ago - but I did not get it. In my current work I'm using version 0.9 from the source tgz archive.
You can checkout Catacomb source code from our new Subversion
repository, http://svn.webdav.org/repos/catacomb/trunk/. (Thank Greg
for his support!)