On 14/12/2015 11:58 p.m., Christos Tsantilas wrote: > On 12/13/2015 11:31 AM, Amos Jeffries wrote: >> On 9/12/2015 10:56 p.m., Christos Tsantilas wrote: >>> There are several use cases where an annotation may contain a list of >>> values for a single key. Today it is only possible to match the full >>> annotation value. >>> >>> This patch investigates the -m flag which can be used to enable >>> delimiter separated substrings matching on annotations: >>> >>> acl aclname note [-m[=delimiters]] name value ... >>> >>> The '-m' flag by default matches comma separated substrings. The >>> optional "delimiters" parameter is a list of non-alphanumeric >>> characters, which can be used as alternate delimiters. >>> >>> E.g. if an external ACL sets an annotation like: >>> "applications=http,facebook,facebook-chat" >>> the following ACLs can be used to block access to certain applications: >>> >>> acl fb_chat note -m applications facebook-chat >>> acl db_upload note -m applications dropbox-upload >>> http_access deny fb_chat >>> http_access deny db_upload >>> >>> This is a Measurement Factory project >> >> >> Annotations from the helper are kv-pair. By definition that means >> singular value per key on helper responses. Values are also stored >> internally separate, and matched individually agaist the ACL values. > > Yes, but a simple value may consists by a string which include spaces or > comas, like those in your following examples > >> >> Any concatenation of values that would need this delimiting is solely an >> artifact of the reporting method (logformat, header sets, etc). >> >> So where is the need for this coming from? > > Imagine cases where an ICAP/ECAP meta header which include a list, for > example: > "X-Meta-Applications: http;facebook;facebook-chat" > > This is stored as one key value pair. > >> >> Also; >> >> How does this interact with helpers that return multiple kv-pairs ? >> eg. OK user=foo group=Group1 group=Group2 group=group3 > > the acl: > acl GROUP1 note -m group Group1 > > still matches. > > > >> >> How does it interact with kv-pair which contain the delimiter characters >> internally? >> eg OK group=Group,1 group=Group2 > > To match the following kv pairs: > OK group=Group1;subgroupTesters group=Group2 > > Should use acls in the form: > acl SUBGROUPTESTERS note -m=; group subgroupTesters > acl GROUP1 note -m; group Group1 > acl GROUP2 note -m; group Group2 > > >> >> What about when those delimiters are escaped? >> eg. OK group="Group\,One" group=Group%2cTwo > > Well, this patch does not handle all these cases, someone has to: > 1) Fix helper to use always at least escaped coma > 2) Use both '\' and ',' as delimiters to -m option (accepts more than > one delimiters): > acl GROUP2 note -m,\ group Two > >
Okay. fair enough. Last queston: * why m? - the others are all initials for something; (i)nsensitive, (s)trict, (r)egex, (m)??? - maybe this should be the exemplar case for '--' options by implementing --delim=XYZ Amos _______________________________________________ squid-dev mailing list [email protected] http://lists.squid-cache.org/listinfo/squid-dev
