On Thu, Mar 24, 2016 at 11:39:17AM +1000, Fraser Tweedale wrote:
> Further to Rob's points, what about including the method being used
> (HTTP GET/POST/PUT/PATCH)?  In a RESTful world this seems like an
> important aspect to include.
> How deep does this rabbit-hole go? :)

The work, while focused primarily on web use-cases, should be usable
outside of HTTP protocol. The rabbit hole might include questions
about mapping FTP commands into some sensible list of methods that
could be easily managed. In his work Lukáš seemed concerned by DENY
rules not being supported (were removed from IPA), hence his regexp
proposal with negative lookaheads to avoid

        /               all users
        /admin          admins

where of course both URLs would match for access to /admin/edit but
the longer one should win, thus serving as DENY.

For FTP that has the potential of having to list looooong list of

        long-list-of-all-cmds-except-write-cmds         /       all users
        long-list-of-write-commands                     /       admins

If we could specify

        *                                               /       all users
        long-list-of-write-commands                     /       admins

and the situation was not considered as introduction of DENY
mechanism, it might be more feasible. We might still want to have
"metacommands" like 'FTP:read', 'FTP:write' to group the underlying
commands for easy maintenance and presentation.

My preference would be not to do the methods at this time but have
the data structured in such a way that it's easy to extend later.

Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to