Ronald Bradford wrote:
Hi All,
I have been working initially on the Authentication models that are
currently being offered for Drizzle: PAM, LDAP (via PAM), HTTP Auth. Thanks
to Eric for helping me fix one of three identified bugs there.
What I am unclear of is the policy or thought for user permissions within
Drizzle after user authentication. I'd consider this an important packaging
requirement but I am unclear if anything is defined for Bell. I will give
you a clear example.
How do you plan to restrict users to not creating or altering objects for
example?
How do you plan to restrict users to read only versus read write?
OK, so the main things that need to be determined are *when* an access
control plugin/module should be notified and *what* should be passed in
the API.
Put concretely, the following questions need to be addressed:
1) What should Drizzle pass the access control module?
Options:
a) The query string itself?
b) A "parse tree", similar to the Lex class?
c) A Statement class corresponding to the post-parse Statement class
generated?
2) When should the access control be notified?
a) Before parsing?
b) After parsing?
c) During parsing? For instance, once the parser determines it is in a
statement which will require write access to table X, should the parser
call an API, passing in the type of Statement and the table name to the
access control module?
3) How does a module signal to Drizzle that it needs to add to the SQL
syntax supported by Drizzle? For instance, if the access control module
implemented the GRANTS system of MySQL, how does the module, on module
startup, add tokens and heuristics to the parser for handling statements
such as GRANT ALL ON *.* TO 'user'@'localhost' IDENTIFIED BY ...
Padraig's work on the executioner has gotten us further towards parser
pluggability, but we're still a ways off. :(
With answers to the above questions, I can work on providing the API
plumbing that would make writing a generic access control module that
would look like a MySQL GRANTS system pretty easy...
-jay
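As an added sketch (not code from this thread and not Drizzle's own API), the following C++ shows the shape that options 1c/2c above could take: the parser, having resolved the statement kind and the tables it touches, hands a small structured request to an access-control module instead of the raw query string, and a GRANT-like module answers with allow/deny. It also shows the read-only versus read-write split Ronald asked about. All names (`AccessRequest`, `AccessControlModule`, `GrantTable`, `checkStatement`) are hypothetical, and the policy in `demoPolicy()` is constructed for the demonstration.

```cpp
#include <initializer_list>
#include <map>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Hypothetical statement classification, as the parser would know it once it
// is past the point where the statement kind and target table are resolved.
enum class StatementKind { Select, Insert, Update, Delete, CreateTable, AlterTable, DropTable };

// Coarse privilege classes: read, write, and schema-changing (DDL).
enum class Privilege { Read, Write, Ddl };

// What the parser passes to the module (option 1c/2c): a structured request,
// not the query text, so the module never has to re-parse SQL itself.
struct AccessRequest {
  std::string user;    // identity established by the authentication plugin
  StatementKind kind;
  std::string schema;
  std::string table;
};

// Maps a statement kind to the privilege it requires on each table it touches.
inline Privilege requiredPrivilege(StatementKind k) {
  switch (k) {
    case StatementKind::Select: return Privilege::Read;
    case StatementKind::Insert:
    case StatementKind::Update:
    case StatementKind::Delete: return Privilege::Write;
    default: return Privilege::Ddl;  // CREATE / ALTER / DROP
  }
}

// The module interface: a single hook the parser calls per statement/table pair.
class AccessControlModule {
 public:
  virtual ~AccessControlModule() = default;
  virtual bool authorize(const AccessRequest& req) const = 0;
};

// A toy GRANT-style module: per user, per schema ("*" = all schemas), a set of
// privileges. Anything not explicitly granted is denied (deny by default).
class GrantTable : public AccessControlModule {
 public:
  void grant(const std::string& user, const std::string& schema, Privilege p) {
    grants_[user][schema].insert(p);
  }

  bool authorize(const AccessRequest& req) const override {
    const Privilege need = requiredPrivilege(req.kind);
    auto u = grants_.find(req.user);
    if (u == grants_.end()) return false;  // unknown user: deny
    // A grant on the specific schema or on "*" satisfies the request.
    for (const std::string& scope : {req.schema, std::string("*")}) {
      auto s = u->second.find(scope);
      if (s != u->second.end() && s->second.count(need) != 0) return true;
    }
    return false;
  }

 private:
  std::map<std::string, std::map<std::string, std::set<Privilege>>> grants_;
};

using TableRef = std::pair<std::string, std::string>;  // (schema, table)

// Stand-in for the parser-side call: every table the statement touches must be
// authorized, otherwise the whole statement is refused before execution.
bool checkStatement(const AccessControlModule& acl, const std::string& user,
                    StatementKind kind, const std::vector<TableRef>& tables) {
  for (const TableRef& t : tables) {
    if (!acl.authorize({user, kind, t.first, t.second})) return false;
  }
  return true;
}

// Constructed demonstration policy: 'reporter' is read-only on 'sales',
// 'app' can read and write 'sales' but cannot change its schema, and 'dba'
// has everything everywhere.
GrantTable demoPolicy() {
  GrantTable g;
  g.grant("reporter", "sales", Privilege::Read);
  g.grant("app", "sales", Privilege::Read);
  g.grant("app", "sales", Privilege::Write);
  g.grant("dba", "*", Privilege::Read);
  g.grant("dba", "*", Privilege::Write);
  g.grant("dba", "*", Privilege::Ddl);
  return g;
}

int main() {
  const GrantTable acl = demoPolicy();
  // read-only user: SELECT allowed, UPDATE refused
  const bool a = checkStatement(acl, "reporter", StatementKind::Select, {{"sales", "orders"}});
  const bool b = checkStatement(acl, "reporter", StatementKind::Update, {{"sales", "orders"}});
  // read-write user: UPDATE allowed, ALTER refused; a join touching a second
  // schema is refused because the second table has no grant
  const bool c = checkStatement(acl, "app", StatementKind::Update, {{"sales", "orders"}});
  const bool d = checkStatement(acl, "app", StatementKind::AlterTable, {{"sales", "orders"}});
  const bool e = checkStatement(acl, "app", StatementKind::Select,
                                {{"sales", "orders"}, {"hr", "salaries"}});
  return (a && !b && c && !d && !e) ? 0 : 1;
}
```

Passing the resolved statement kind and table names (rather than the query string) keeps the policy decision independent of SQL syntax details, and evaluating every table a statement touches is what prevents a multi-table statement from smuggling in access to a table the user was never granted.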
_______________________________________________
Mailing list: https://launchpad.net/~drizzle-discuss
Post to : [email protected]
Unsubscribe : https://launchpad.net/~drizzle-discuss
More help : https://help.launchpad.net/ListHelp