On 12/13/2015 11:31 AM, Amos Jeffries wrote:
On 9/12/2015 10:56 p.m., Christos Tsantilas wrote:
There are several use cases where an annotation may contain a list of
values for a single key. Today it is only possible to match the full
annotation value.
This patch investigates the -m flag which can be used to enable
delimiter separated substrings matching on annotations:
acl aclname note [-m[=delimiters]] name value ...
The '-m' flag by default matches comma separated substrings. The
optional "delimiters" parameter is a list of non-alphanumeric
characters, which can be used as alternate delimiters.
E.g. if an external ACL sets an annotation like:
"applications=http,facebook,facebook-chat"
the following ACLs can be used to block access to certain applications:
acl fb_chat note -m applications facebook-chat
acl db_upload note -m applications dropbox-upload
http_access deny fb_chat
http_access deny db_upload
This is a Measurement Factory project
Annotations from the helper are kv-pair. By definition that means
singular value per key on helper responses. Values are also stored
internally separate, and matched individually agaist the ACL values.
Yes, but a simple value may consists by a string which include spaces or
comas, like those in your following examples
Any concatenation of values that would need this delimiting is solely an
artifact of the reporting method (logformat, header sets, etc).
So where is the need for this coming from?
Imagine cases where an ICAP/ECAP meta header which include a list, for
example:
"X-Meta-Applications: http;facebook;facebook-chat"
This is stored as one key value pair.
Also;
How does this interact with helpers that return multiple kv-pairs ?
eg. OK user=foo group=Group1 group=Group2 group=group3
the acl:
acl GROUP1 note -m group Group1
still matches.
How does it interact with kv-pair which contain the delimiter characters
internally?
eg OK group=Group,1 group=Group2
To match the following kv pairs:
OK group=Group1;subgroupTesters group=Group2
Should use acls in the form:
acl SUBGROUPTESTERS note -m=; group subgroupTesters
acl GROUP1 note -m; group Group1
acl GROUP2 note -m; group Group2
What about when those delimiters are escaped?
eg. OK group="Group\,One" group=Group%2cTwo
Well, this patch does not handle all these cases, someone has to:
1) Fix helper to use always at least escaped coma
2) Use both '\' and ',' as delimiters to -m option (accepts more than
one delimiters):
acl GROUP2 note -m,\ group Two
Amos
_______________________________________________
squid-dev mailing list
[email protected]
http://lists.squid-cache.org/listinfo/squid-dev
_______________________________________________
squid-dev mailing list
[email protected]
http://lists.squid-cache.org/listinfo/squid-dev
