https://bz.apache.org/bugzilla/show_bug.cgi?id=60946
--- Comment #6 from Jacob Champion <[email protected]> ---
(In reply to Philip Prindeville from comment #5)
> (In reply to Jacob Champion from comment #4)
>
> > <idle thoughts>
> > Does part of the confusion stem from the fact that we are <RequireAny> by
> > default instead of <RequireAll>? Switching that alone might make some things
> > more intuitive.
> > </idle thoughts>
>
> Except that when one thinks of traditional mandatory access controls like
> ACLs and such, you execute the rules until you get your first conclusive
> match... which is what <RequireAny> does.

While that might be true -- and I'm not convinced that's an accurate description of all MAC systems -- we're not using an ACL (or a MAC) authorization system here. It's a very flexible (perhaps too flexible), multi-paradigm system, and I would argue that you're just as likely to see role-based authz with some of the more advanced authorization modules.

Perhaps the best thing to agree on is that any behavior might be "astonishing" to some, and we should try to do what is least astonishing to the widest possible range of users.

Anyway: there's a good chance that this is neither here nor there. Maybe all we need to do is review what directives are considered neutral/success/failure in the authz system.
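
The neutral/success/failure outcomes mentioned at the end of the comment above, and the difference between the default <RequireAny> and <RequireAll>, can be modelled in a few lines. This is an added example, not part of the bug thread and not httpd's code: a simplified Python model of the container semantics as described in the mod_authz_core documentation, with function names and sample requests constructed for illustration.

```python
from enum import Enum

class Authz(Enum):
    GRANTED = "granted"
    DENIED = "denied"
    NEUTRAL = "neutral"

def require(matched, negate=False):
    # Simplified leaf (assumption): a plain Require grants on match and fails
    # otherwise; a negated Require can only fail or stay neutral, never grant.
    if negate:
        return Authz.DENIED if matched else Authz.NEUTRAL
    return Authz.GRANTED if matched else Authz.DENIED

def require_any(results):
    # Succeeds if any child succeeds; neutral if none succeed and none fail.
    if Authz.GRANTED in results:
        return Authz.GRANTED
    return Authz.DENIED if Authz.DENIED in results else Authz.NEUTRAL

def require_all(results):
    # Fails if any child fails; succeeds if none fail and at least one succeeds.
    if Authz.DENIED in results:
        return Authz.DENIED
    return Authz.GRANTED if Authz.GRANTED in results else Authz.NEUTRAL

def require_none(results):
    # Fails if any child succeeds; otherwise it is only ever neutral.
    return Authz.DENIED if Authz.GRANTED in results else Authz.NEUTRAL

def authorized(result):
    # Only an explicit grant lets the request through; neutral is not enough.
    return result is Authz.GRANTED

def compare(results):
    return {"RequireAny": authorized(require_any(results)),
            "RequireAll": authorized(require_all(results))}

# Constructed cases (hypothetical requests, not taken from the bug report).
GROUP_OK_IP_OUTSIDE = [require(True), require(False)]             # group matches, IP does not
GROUP_OK_NOT_BLOCKED = [require(True), require(False, negate=True)]  # negated check is neutral
ONLY_NEGATED = [require(False, negate=True)]                      # nothing can grant

if __name__ == "__main__":
    print(compare(GROUP_OK_IP_OUTSIDE))
    print(require_all(GROUP_OK_NOT_BLOCKED), require_all(ONLY_NEGATED))
```

The same two checks authorize the request under the implicit <RequireAny> and reject it under <RequireAll>, and a section containing only negated checks stays neutral, which does not authorize.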
