Greg,

I just started reviewing the RFC.  

I thought that mod_dav support was required...
...but it doesn't appear in any 'MUST' statement.

Philosophically, using the existing Apache HOOK seems like the right
thing to do if the solution is going to provide a universal HTTP ACL
solution.
One for both DAV enabled sites and non-DAV enabled sites.

It would have to provide the following:
    - Use the ACCESS_CHECKER hook to determine accessibility
      (perhaps querying the backend like PROPFIND does currently)
    - Support the ACL method to update an ACL for a resource
    - If DAV-enabled, support PROPFIND for reporting info on Principals
      & properties
    - If DAV-enabled, support PROPPATCH for updating info on Principals
    - If DAV-enabled, support REPORT for reporting info on Principals
      and properties

Could mod_dav/mod_dav_fs be modified to perform all of the above,
for both DAV enabled sites and non-DAV enabled sites???

If so, merging of PROPFIND results between modules wouldn't be
necessary...

Also...One question I had about 3744... 
the RFC says in the Introduction: 

   ...The "operations you can perform" are determined by a
   single "access control list" (ACL) associated with a resource.

This seems to mirror UNIX's file mode...
...however, in UNIX if a parent directory prevents access, then 
even if the file's mode allows access, the file access is prevented.

The RFC seems to say to me, the resource's mode is the single
determining factor.  Its parent collection's mode is of no consequence.

Am I reading this right???

-tony

-----Original Message-----
From: Greg Stein [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 14, 2004 1:07 PM
To: [EMAIL PROTECTED]
Subject: Re: Any plans for RFC3744


On Mon, Jun 14, 2004 at 09:49:58AM -0700, Bennett, Tony - CNF wrote:
> Are there any plans afoot to implement support
> for RFC3744 - WebDav ACL, either as a stand-alone
> module or by modifying mod_dav/mod_dav_fs ???

Hey Tony :-)

I'm not sure that anybody has specifically looked at it yet. I do know
that the Subversion guys would be interested in seeing the framework in
Apache so that they can use it, so there is possible dev/time from that
angle. Within the httpd developers... not sure.

As for whether it would be part of mod_dav, or a companion module... I'm
not sure. Ideally, the ACL support would cut across all HTTP
interactions, and it would use Apache's standard authorization hook. In
that sense, it might not be necessary to make it part of mod_dav.
However, I would hope that it enables a backend approach similar to
mod_dav (there is a lot of basic processing the frontend could do,
before passing it to the back).

It might be tricky to coordinate things like PROPFIND across modules,
which may be a reason to integrate them. Personally, I'd hope for a
separable solution, and one that is generally applicable to the whole
server, rather than just DAV-enabled areas.

I believe any default implementation would require some kind of
file-based storage on the server, and/or DBM database. The problem here
is that any ACL changes would need to reach all the Apache child
processes. IPC is a bitch, so dropping the stuff on the disk is best,
where the processes can see what the "current" state is.

Have you applied much thought to the issue yet?

Cheers,
-g

-- 
Greg Stein, http://www.lyra.org/
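
Added example, not part of the original thread or of any Apache module: a small Python model of the two access-check readings contrasted in the question at the top of this thread (a single per-resource ACL versus UNIX-style checks on every parent collection). The ACL table, principal names, the `read` privilege and all function names are constructed assumptions; it models the reading described in the message, not the normative RFC 3744 algorithm.

```python
# Added illustration; paths, principals and the "read" privilege are constructed.
ACLS = {
    "/": {"alice": {"read"}, "bob": {"read"}},
    "/private/": {"alice": {"read"}},  # bob gets nothing on the collection
    "/private/report.txt": {"alice": {"read"}, "bob": {"read"}},
}


def granted(resource, principal, privilege, acls=ACLS):
    """True if the resource's own ACL grants the privilege to the principal."""
    return privilege in acls.get(resource, {}).get(principal, set())


def ancestors(resource):
    """Yield parent collections from the root down: '/', '/private/', ..."""
    parts = [p for p in resource.split("/") if p]
    if not parts:
        return  # the root has no parent collection
    path = "/"
    yield path
    for part in parts[:-1]:
        path += part + "/"
        yield path


def single_acl_allowed(resource, principal, privilege, acls=ACLS):
    """Per-resource reading: only the resource's own ACL is consulted."""
    return granted(resource, principal, privilege, acls)


def unix_style_allowed(resource, principal, privilege, acls=ACLS):
    """UNIX-like reading: every parent collection must also admit the principal.
    "read" on a collection stands in for the directory search bit (assumption)."""
    parents_ok = all(granted(a, principal, "read", acls) for a in ancestors(resource))
    return parents_ok and granted(resource, principal, privilege, acls)


def divergences(privilege="read", acls=ACLS):
    """List (resource, principal) pairs allowed per-resource but denied UNIX-style."""
    principals = sorted({p for acl in acls.values() for p in acl})
    return [
        (resource, principal)
        for resource in sorted(acls)
        for principal in principals
        if single_acl_allowed(resource, principal, privilege, acls)
        and not unix_style_allowed(resource, principal, privilege, acls)
    ]


if __name__ == "__main__":
    print(divergences())
```

Run over an exported ACL set, `divergences()` lists the resources that a restrictive collection ACL would not protect under the per-resource reading.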
