Re: mod_access vs mod_authz_host

2005-11-09 Thread Justin Erenkrantz
--On November 8, 2005 7:21:54 PM -0500 Geoffrey Young [EMAIL PROTECTED] wrote:

> you really think so?  I think it's mistakenly given an authz namespace,
> giving users the impression it steps in after authentication, or does
> something else specifically based on r->user.  at least any users who have
> bothered to wrap their heads around the entire aaa idiom and phase
> separations.


It runs with the access_checker/auth_checker hook.  Which is an authorization 
hook.  (So, yes, this implies that I think the access_checker/auth_checker 
split is off-kilter - they should really be the same, I think.)


But, I'll admit that mod_access_host isn't entirely bad.  However, it'd be 
really nice to re-do the second half of our auth system, but I worry that 
Sander's completely forgotten about his promises to do that.  =)  -- justin


Re: mod_access vs mod_authz_host

2005-11-09 Thread Nick Kew
On Wednesday 09 November 2005 17:28, Justin Erenkrantz wrote:
> --On November 8, 2005 7:21:54 PM -0500 Geoffrey Young
> [EMAIL PROTECTED] wrote:
> > you really think so?  I think it's mistakenly given an authz namespace,
> > giving users the impression it steps in after authentication, or does
> > something else specifically based on r->user.  at least any users who
> > have bothered to wrap their heads around the entire aaa idiom and phase
> > separations.
>
> It runs with the access_checker/auth_checker hook.

That's two hooks of course, and not even contiguous.

> Which is an
> authorization hook.  (So, yes, this implies that I think the
> access_checker/auth_checker split is off-kilter - they should really be the
> same, I think.)

That would lose Satisfy [Any|All].  We could rebuild the functionality on
AuthAuthoritative logic, but that's harder.

> But, I'll admit that mod_access_host isn't entirely bad.

Good.

> However, it'd be
> really nice to re-do the second half of our auth system,

Agreed, authz isn't pretty.

OTOH, mod_[access|authz](_host)? is well clear of authz ugliness.
Why chuck away the bit that definitely doesn't want fixing?

> but I worry that
> Sander's completely forgotten about his promises to do that.  =)  -- justin

Someone'll do it.  Eventually.  But not in time for 2.2.

-- 
Nick Kew


Re: mod_access vs mod_authz_host

2005-11-09 Thread Brad Nicholes
 
On 11/9/2005 at 10:28:38 am, in message [EMAIL PROTECTED], [EMAIL PROTECTED] wrote:

> But, I'll admit that mod_access_host isn't entirely bad.  However, it'd be
> really nice to re-do the second half of our auth system, but I worry that
> Sander's completely forgotten about his promises to do that.  =)  -- justin

Sander may have forgotten but I think I missed it altogether.  Can you
explain a bit more on what the thoughts were?

Brad


Re: mod_access vs mod_authz_host

2005-11-09 Thread Justin Erenkrantz

--On November 9, 2005 9:25:20 PM + Nick Kew [EMAIL PROTECTED] wrote:


> > It runs with the access_checker/auth_checker hook.
>
> That's two hooks of course, and not even contiguous.


I disagree.  Access checker and auth checker perform almost identical 
functions.  There is no reason why we couldn't replace them with only one hook.


There are only two occurrences of access_checker in our code base: the first 
is with mod_authz_host which would be fine if moved to an auth checker.  The 
other is mod_ssl which uses the hook to reject invalid cipher configuration, 
etc.


The key change Sander and I wanted to do was to remove ap_some_auth_required 
and unconditionally run both check_user_id and auth_checker hook.  The fact 
that it is conditional makes mod_authz_svn in Subversion a bit more awkward 
than necessary: it really needs to run on every request.  So, if auth_checker 
executes unconditionally, then it becomes the same as access_checker (except 
run after check_user_id).


Sander may have wanted to do more things, but that's the one that matters 
here.  This is all in the archives, I believe.  -- justin
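
Added example, not part of the thread and not httpd source: a simplified C model of the phase ordering discussed above, where access_checker always runs, check_user_id and auth_checker run only when a Require applies (the ap_some_auth_required condition), and Satisfy decides how the two verdicts combine. The struct, its fields and the helper names are constructed for illustration; the 401/403 split reflects the different failure codes mentioned in the thread.

```c
#include <stdio.h>

/* Simplified model, not httpd source: constructed struct and helper names. */
enum { OK = 0, HTTP_UNAUTHORIZED = 401, HTTP_FORBIDDEN = 403 };
enum satisfy { SATISFY_ALL, SATISFY_ANY };

struct req {
    int host_allowed;     /* verdict of the host-based access_checker */
    int has_require;      /* what ap_some_auth_required() would report */
    int valid_user;       /* check_user_id can set r->user */
    int user_authorized;  /* auth_checker accepts r->user */
    enum satisfy satisfy; /* Satisfy All | Any */
    int authz_ran;        /* output: did auth_checker run at all? */
};

static int access_checker(const struct req *r) {
    return r->host_allowed ? OK : HTTP_FORBIDDEN;   /* TCP-level facts, 403 */
}

static int authn_then_authz(struct req *r) {
    if (!r->valid_user) return HTTP_UNAUTHORIZED;   /* check_user_id */
    r->authz_ran = 1;                               /* auth_checker */
    return r->user_authorized ? OK : HTTP_UNAUTHORIZED;
}

/* Phase ordering as described in the thread: auth hooks run only when
   a Require applies, and Satisfy decides how the two verdicts combine. */
int process_request(struct req *r) {
    int rc = access_checker(r);
    r->authz_ran = 0;
    if (r->satisfy == SATISFY_ALL) {
        if (rc != OK) return rc;
        return r->has_require ? authn_then_authz(r) : OK;
    }
    if (rc == OK) return OK;           /* Satisfy Any: host check suffices */
    return r->has_require ? authn_then_authz(r) : rc;
}

int main(void) {
    struct req cases[] = {             /* constructed sample requests */
        {1, 0, 0, 0, SATISFY_ALL, 0},  /* allowed host, no Require */
        {0, 1, 1, 1, SATISFY_ALL, 0},  /* denied host, valid user */
        {0, 1, 1, 1, SATISFY_ANY, 0},  /* denied host, valid user */
        {1, 1, 0, 0, SATISFY_ANY, 0},  /* allowed host, no credentials */
    };
    for (int i = 0; i < 4; i++) {
        int rc = process_request(&cases[i]);
        printf("case %d: status=%d authz_ran=%d\n", i, rc, cases[i].authz_ran);
    }
    return 0;
}
```

In the first and last cases auth_checker never runs, which is the situation that makes a module needing a check on every request awkward to write.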


Re: mod_access vs mod_authz_host

2005-11-08 Thread Justin Erenkrantz

--On November 3, 2005 4:54:08 PM + Nick Kew [EMAIL PROTECTED] wrote:


> Just to elaborate on that, it's the name I'm not happy about.
> I'm perfectly happy with the /modules/aaa/ classification.


The problem is that mod_access does not indicate the purpose of the module. 
access to what?  What is access?


mod_authz_host is by far the best representation of what the module does and 
how it specifically fits into our module classifications.  So, if you are 
going to complain about the name, please come up with helpful suggestions 
rather than having us revert to an ambiguous name.  -- justin


Re: mod_access vs mod_authz_host

2005-11-08 Thread Justin Erenkrantz

--On November 3, 2005 4:50:08 PM + Nick Kew [EMAIL PROTECTED] wrote:


> So can mod_rewrite and others, but that doesn't make it mod_authz_url!
> Perhaps mod_load_average should be called mod_authz_busy ?


No, mod_authz_host only does authorization checks.  mod_rewrite can do 
anything...  (Har-har.)  -- justin


Re: mod_access vs mod_authz_host

2005-11-08 Thread William A. Rowe, Jr.

Justin Erenkrantz wrote:

> --On November 3, 2005 4:50:08 PM + Nick Kew [EMAIL PROTECTED] wrote:
>
> > So can mod_rewrite and others, but that doesn't make it mod_authz_url!
> > Perhaps mod_load_average should be called mod_authz_busy ?
>
> No, mod_authz_host only does authorization checks.  mod_rewrite can do
> anything...  (Har-har.)  -- justin


and sometimes mod_rewrite even does what you thought you asked it to do :)


Re: mod_access vs mod_authz_host

2005-11-08 Thread Geoffrey Young


Justin Erenkrantz wrote:
> --On November 3, 2005 4:54:08 PM + Nick Kew [EMAIL PROTECTED] wrote:
>
> > Just to elaborate on that, it's the name I'm not happy about.
> > I'm perfectly happy with the /modules/aaa/ classification.
>
> The problem is that mod_access does not indicate the purpose of the
> module.

I agree.

> access to what?  What is access?

if it were anyone else I'd answer those ;)

> mod_authz_host is by far the best representation of what the module does
> and how it specifically fits into our module classifications.

you really think so?  I think it's mistakenly given an authz namespace,
giving users the impression it steps in after authentication, or does
something else specifically based on r->user.  at least any users who have
bothered to wrap their heads around the entire aaa idiom and phase separations.

> So, if
> you are going to complain about the name, please come up with helpful
> suggestions rather than having us revert to an ambiguous name.

I suggested mod_access_host, which I think fits into the current hierarchy
rather nicely.  then we could potentially have slots for mod_access_cookie,
mod_access_useragent, or whatever else people generally use the access phase
for.  mod_authz_host feels terribly misleading...

--Geoff


Re: mod_access vs mod_authz_host

2005-11-03 Thread Brad Nicholes
   But it does handle access control which kind of puts in the category
of authz vs. anywhere else.

Brad

On 11/3/2005 at 9:26:57 am, in message [EMAIL PROTECTED], [EMAIL PROTECTED] wrote:
> Is there really a rationale for that name change?
>
> This module is *not* an authz module in the sense of anything from
> the used-to-be-auth modules are.
>   * It lives on a different request processing hook.
>   * Its semantics, and even HTTP failure code, are different.
>   * it uses TCP information rather than HTTP information.
>   * It has a clear but *distinct* relationship with the real authz,
>     expressed in the Satisfy Any|All directive.
>
> Reverting the name to mod_access will make it immediately more
> accessible to users (a name they know), and reduce the scope
> for future confusion.  How about it?
 


Re: mod_access vs mod_authz_host

2005-11-03 Thread Nick Kew
On Thursday 03 November 2005 16:37, Brad Nicholes wrote:
> But it does handle access control which kind of puts in the category
> of authz vs. anywhere else.

So can mod_rewrite and others, but that doesn't make it mod_authz_url!
Perhaps mod_load_average should be called mod_authz_busy ?

In terms of its role, mod_access is not an authz module, for the
reasons mentioned in my previous post.  Unless you can suggest
some much stronger reason it should be?

-- 
Nick Kew


Re: mod_access vs mod_authz_host

2005-11-03 Thread Geoffrey Young


Nick Kew wrote:
> On Thursday 03 November 2005 16:37, Brad Nicholes wrote:
>
> > But it does handle access control which kind of puts in the category
> > of authz vs. anywhere else.
>
> So can mod_rewrite and others, but that doesn't make it mod_authz_url!
> Perhaps mod_load_average should be called mod_authz_busy ?
>
> In terms of its role, mod_access is not an authz module, for the
> reasons mentioned in my previous post.  Unless you can suggest
> some much stronger reason it should be?

what about mod_access_host?  that would give us mod_access_*, mod_authn_*,
and mod_authz_* modules corresponding to the different aaa hooks...

--Geoff


Re: mod_access vs mod_authz_host

2005-11-03 Thread Nick Kew
On Thursday 03 November 2005 16:50, Nick Kew wrote:
> On Thursday 03 November 2005 16:37, Brad Nicholes wrote:
> > But it does handle access control which kind of puts in the category
> > of authz vs. anywhere else.
>
> So can mod_rewrite and others, but that doesn't make it mod_authz_url!
> Perhaps mod_load_average should be called mod_authz_busy ?
>
> In terms of its role, mod_access is not an authz module, for the
> reasons mentioned in my previous post.  Unless you can suggest
> some much stronger reason it should be?

Just to elaborate on that, it's the name I'm not happy about.
I'm perfectly happy with the /modules/aaa/ classification.

-- 
Nick Kew


Re: mod_access vs mod_authz_host

2005-11-03 Thread Nick Kew
On Thursday 03 November 2005 16:52, Geoffrey Young wrote:

> what about mod_access_host?  that would give us mod_access_*, mod_authn_*,
> and mod_authz_* modules corresponding to the different aaa hooks...

Sounds good to me.

-- 
Nick Kew