>>> On 5/2/2007 at 1:47 PM, in message
<[EMAIL PROTECTED]>, "Joshua Slive"
<[EMAIL PROTECTED]> wrote:
> On 5/2/07, Brad Nicholes <[EMAIL PROTECTED]> wrote:
>
>>
>> Yeah, that's where I mentioned that things might look a little confusing.
>> There actually is a good reason to have both and yes some of the
>> functionality can overlap. The reason for having mod_authz_host is so that
>> host, IP, ENV, etc. can be used during authorization as well. This really
>> wasn't an issue in 2.2 because the AND/OR/NOT logic didn't exist yet. Now
>> that you can apply this type of logic to authorization, allowing host, IP,
>> ENV, etc. to be part of that, makes sense. If we moved mod_authz_host back to
>> the 2.2 version, in the first place it would no longer be authz but just
>> mod_access again and you wouldn't be able to include host, IP, ENV, etc. as
>> part of an authorization rule. But I agree that mod_access_compat name no
>> longer makes sense.
>>
>
> What kinds of configurations are we actually talking about where
> Require ip could do things that Order/Allow/Satisfy could not? I guess
> you are talking about things like
>
>   <SatisfyOne>
>     <SatisfyAll>
>       Require user john
>       Require ip 192.0.0
>     </SatisfyAll>
>     <SatisfyAll>
>       Require user bob
>       Require ip 191.0.0
>     </SatisfyAll>
>   </SatisfyOne>
>
> Is that kind of configuration really common enough to justify the
> added complexity of two different access-control systems? (It can be
> accomplished in current versions using some Alias/Location hacks or
> with mod_rewrite.)
>
> My opinion is that either we get rid of Require ip or we fix the hook
> ordering so that Order/Allow/Satisfy/etc can really be deprecated.
>
> Joshua.

Correct, except I am thinking something more like:

  <SatisfyOne>
    <SatisfyAll>
      Require user john
      <SatisfyOne>
        Require ip 192.0.0
        Require ip 137.65.0
        Require host myhost.org
      </SatisfyOne>
    </SatisfyAll>
    <SatisfyAll>
      Require group admins
      <SatisfyOne>
        Require ip 10.10.0.0
        Require ldap-attribute status="highest"
      </SatisfyOne>
    </SatisfyAll>
  </SatisfyOne>

Which may be a bit more complicated to try to duplicate using other means.
Besides, it seems to be a lot more straightforward to keep all of the
authorization logic in one place rather than bits and pieces spread out in
mod_rewrite rules or alias/location hacks.

I'm all for figuring out a way to rework the hooks so that
Order/Allow/Satisfy/etc. can really be deprecated. That is what my original
intention was. However, after revisiting this issue, I'm not sure how to do it
yet.

Brad
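
A simplified Python model of how the nested configuration in the last message evaluates, added here as an illustration; it is not part of the thread and not httpd's own code. It assumes SatisfyAll means AND and SatisfyOne means OR, that a partial IP matches on leading octets, that a host rule matches the domain and its subdomains, and the request field names (`user`, `groups`, `ip`, `host`, `ldap`) are hypothetical.

```python
CONFIG = """\
<SatisfyOne>
  <SatisfyAll>
    Require user john
    <SatisfyOne>
      Require ip 192.0.0
      Require ip 137.65.0
      Require host myhost.org
    </SatisfyOne>
  </SatisfyAll>
  <SatisfyAll>
    Require group admins
    <SatisfyOne>
      Require ip 10.10.0.0
      Require ldap-attribute status="highest"
    </SatisfyOne>
  </SatisfyAll>
</SatisfyOne>
"""

# Leaf checks: assumed matching semantics for this model, not mod_authz_* code.
CHECKS = {
    "user": lambda a, r: r.get("user") in a.split(),
    "group": lambda a, r: bool(set(a.split()) & set(r.get("groups", ()))),
    "ip": lambda a, r: r.get("ip", "").split(".")[:len(a.split("."))] == a.split("."),
    "host": lambda a, r: ("." + r.get("host", "")).endswith("." + a),
    "ldap-attribute": lambda a, r: r.get("ldap", {}).get(a.partition("=")[0]) == a.partition("=")[2].strip('"'),
}

def parse(text):
    root = ("SatisfyAll", [])  # implicit container for top-level lines
    stack = [root]
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("</"):
            stack.pop()
        elif line.startswith("<"):
            node = (line.strip("<>"), [])
            stack[-1][1].append(node)
            stack.append(node)
        else:
            stack[-1][1].append(tuple(line.split(None, 2)))  # ('Require', kind, arg)
    return root

def check(node, req):
    if node[0] != "Require":  # container: combine the children's results
        combine = any if node[0] == "SatisfyOne" else all
        return combine(check(child, req) for child in node[1])
    _, kind, arg = node
    return kind in CHECKS and CHECKS[kind](arg, req)  # unknown rule type denies
```

Calling `check(parse(CONFIG), request)` shows that the same source address can satisfy one branch and not the other: 10.10.0.0 only helps a member of `admins`, never `john`.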