On 3/5/20 9:04 PM, Howard Chu wrote:
> Dieter Bocklandt wrote:
>> I would assume the following takes place:
>> - The service user binds to the consumer and assumes dieter's identity,
>>   which should be the same net effect as binding with dieter's user in the
>>   first place.
>> - The proxy user binds to the provider and assumes dieter's identity
>> - The provider tries to perform the write, using dieter's identity for ACL
>>   evaluation
>>
>> What actually happens:
>> - The service user binds to the consumer and assumes dieter's identity
>> - The proxy user binds to the provider and assumes the service user's
>>   identity
>> - The provider tries to perform the write, using the service user's
>>   identity for ACL evaluation
>>
>> Actually, I spent some more time on this today and I /think/ I might know
>> what's happening here:
>
> Your analysis makes sense. Would have to ask Pierangelo why he wrote it the
> way he did but it seems that it should use op->o_ndn.

Hmm, is the semantics of proxying the SASL proxy authorization clearly defined?
The consumer proxy itself also has an identity. Just asking...

Ciao, Michael.
