On Tuesday, January 15, 2002, at 05:36 PM, Chad La Joie wrote:
I agree, such functionality would be nice. I thought I might start taking a look into what was started with security so far and maybe do some work on it. Is there anyone actively working on/in charge of this section? Here are my thoughts so far on the security.
I wrote the code about nine months ago and haven't touched it since we decided to leave it out of 1.0. You're more then welcome to pick it up and run with it.
1. Support of user authentication entities (i.e. userid/passwd to connect)
2. Support user/group authorization entities (i.e. these users, or members of these groups, can connect, read, write, etc)
3. Support multiple back stores for this data (the current work uses an XML file, it would be nice to have LDAP and Database support as well)
If i remember right the current code is interface based for this very reason. I wouldn't worry about writing any of these things to start though.
4. Support restrictions on the following: - create, query, update, remove, create XMLObject, remove XMLObjects, create Indexes, remove Indexes for collection - Connect, create collection, remove collection for databases.
I just dug out my notes, I also had execute for XMLObjects.
Some other things that need to be considered.
- APIs for ACL config and user config
- Command line tools for the same
- Authentication APIs for access services. For instance it needs to be easy to add another network interface and tie it into the auth system.
- Logging / Auditing
- How to configure the initial server setup
- How the server can bootstrap itself to get through the security controls.
At 01:50 PM 1/15/2002, you wrote:I see in the source code that you are working on user/group security and read and write access. One powerful feature would be to add xpath based security. By allowing a user or group read/write access to a specific xpath in a collection or document.
<person> <name>John Doe</name> <salary>1000</salary> <- no access </person>
---- not real - access xml doc --- <group> <user id="bigboss"> <access> <collection id="documents"> <xpath>//salary</xpath> <privileges>none</privileges> </collection> </access> </user> </group>
This is just a quick example - an a final suggestion.
What do you think?
Regards, Niels Peter
Kimbro Staken XML Database Software, Consulting and Writing http://www.xmldatabases.org/
