On Sat, Aug 30, 2014 at 1:42 AM, Branko Čibej <br...@wandisco.com> wrote:
> On 29.08.2014 23:03, stef...@apache.org wrote:
>
> Author: stefan2
> Date: Fri Aug 29 21:03:25 2014
> New Revision: 1621387
>
> URL: http://svn.apache.org/r1621387
> Log:
> On the authzperf branch: Make /**/ segments match empty paths, i.e. zero
> segments, as well. That is in line with what e.g. zsh globbing does as well.
>
>
> This is contrary to what's written in the design doc in the wiki.
>

Yes, it is. Friday afternoon during the SHF hackathon, I had a short
discussion with Ben and Justin. We discovered that the glob path matchers
that we could find (I remember zsh), would make "**" match empty paths by
default.

Seeing now how small the difference in the parsing and matching code is,
we could even decide to make that behaviour an option. I don't suggest it
ATM because using wildcards correctly will already be challenging to
inexperienced admins (= 100% after the initial release) and behavioural
options may make discussions on users@ much harder.

> It also invalidates the wildcard normalization rules defined in that doc
> (and implemented by the parser), making the wildcard semantics
> inconsistent. For example, the rule that a trailing /** should be converted
> to a /* clearly no longer works after this change
>

As it turned out "**" is a much more powerful pattern than it may appear.
The reason is the difference between a rule _matching_ a path and its ACL
just applying by default to the respective sub-tree.

That means "/foo/**" matches all paths below "/foo" _individually_ (and
since 1621387 /foo itself), overriding any previous definitions and
restricting a following "/foo/bar" rule to exactly that node. So,
normalizing trailing "/**" to just "/*" as per my original design has
always been wrong. Fixed in r1621521.

> Please update the doc and make the design consistent before implementing
> major semantic changes.
>

I updated the wiki page now to make it match the code again, updated
terminology to make it match your API and (hopefully) addressed the
comments you had on the page. I left the comments in for you to review.

-- Stefan^2.
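
The difference between "/foo/**" and "/foo/*" discussed in this message, as an added Python sketch that is not part of the original mail and is not Subversion's authz code. It assumes "*" matches exactly one path segment and that other segments compare literally; `matches`, `matched`, `empty_ok` and the sample paths are hypothetical names and constructed data.

```python
# Added illustration; not Subversion's authz implementation.

def split(path):
    """Split a repository path into its non-empty segments."""
    return [s for s in path.split("/") if s]


def matches(pattern, path, empty_ok=True):
    """Segment-wise wildcard match.

    '*'  matches exactly one segment (assumption).
    '**' matches any number of segments; zero segments only when
         empty_ok is True (the behaviour described for r1621387).
    """
    pat, segs = split(pattern), split(path)

    def walk(i, j):
        if i == len(pat):
            return j == len(segs)
        if pat[i] == "**":
            # Try every possible number of segments for '**' to consume.
            start = j if empty_ok else j + 1
            return any(walk(i + 1, k) for k in range(start, len(segs) + 1))
        if j == len(segs):
            return False
        return pat[i] in ("*", segs[j]) and walk(i + 1, j + 1)

    return walk(0, 0)


# Constructed sample paths.
PATHS = ["/foo", "/foo/bar", "/foo/bar/baz", "/other"]


def matched(pattern, empty_ok=True):
    """Return the sample paths that the pattern matches individually."""
    return [p for p in PATHS if matches(pattern, p, empty_ok)]


if __name__ == "__main__":
    # '**' matching zero segments: '/foo' itself is matched.
    print("/foo/**            ->", matched("/foo/**"))
    # '**' requiring at least one segment.
    print("/foo/** (non-empty)->", matched("/foo/**", empty_ok=False))
    # Rewriting a trailing '/**' to '/*' shrinks the matched set.
    print("/foo/*             ->", matched("/foo/*"))
```

Since "/foo/*" matches only the direct children while "/foo/**" matches every descendant individually, a rule set reviewed under one reading grants or denies access on different paths than under the other.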