On 11/30/2016 12:06 AM, Alex Rousskov wrote:
> Perhaps there is a way to keep the per-scheme access list advantage
> without opening the 403 Pandora box and preserving the whole-list
> visualization provided by auth_schemes?
>
> For example, we could support something like this:
>
> auth_schemes "ALL except S1" acl1 ...
> auth_schemes "ALL except S1,S2" acl2 ...
> auth_schemes S1,S2 acl3 ...
> auth_schemes ALL acl4 ...
>
> but I do not like how this syntax essentially moves operators inside
> quoted strings.
>
> Another alternative is:
>
> auth_schemes S1 deny acl1 ... # ALL except S1
> auth_schemes S1,S2 deny acl2 ... # ALL except S1 and S2
> auth_schemes S1,S2 allow acl3 ... # just S1 and S2
> auth_schemes ALL allow acl4 ... # ALL
>
> (with the configuration implementation similar to the existing
> request_header_access rules).
>
> Unfortunately, in all these cases, we would have to special-case
> denying/excepting all schemes to avoid opening the 403 Pandora box. Only
> the current auth_schemes implementation avoids that 403 problem (because
> an empty list is a syntax-level/configure-time violation).
I just got a nice illustration why that 403-via-lack-of-schemes Pandora box should remain closed: A customer has indicated that "auth_schemes NONE" support would make writing their configurations a little easier. That comment appeared to support your assertion that lack-of-schemes should be treated as a special useful 403 Forbidden case. However, to my surprise, the follow-up conversation revealed that the customer expected "auth_schemes NONE" to _allow_ access, not forbid it!

This example of diametrically opposed expectations reinforces my original worries about supporting this special "no authentication schemes" case. I think we should continue to rely on http_access to permit or forbid access (including permitting or forbidding access without authentication) and require at least one authentication scheme to be available when authentication schemes are configured/used.

That said, there might still be a way to configure the list of schemes better than the posted auth_schemes does. I have not found it yet though.

Alex.
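As an added illustration of the position taken above (this configuration is not from the thread or from the Squid project; it assumes the `auth_schemes scheme-list [!]acl ...` syntax and the `ALL` keyword as they later shipped in Squid 4, and the helper paths, ACL names and network are made up): the decision to let a client through without authenticating is made by `http_access` ordering, while `auth_schemes` only narrows which configured schemes are offered, and every `auth_schemes` line names at least one scheme.

```squid
# Constructed example; helper paths, ACL names and the 10.0.0.0/8 network are assumed.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param digest program /usr/lib/squid/digest_file_auth /etc/squid/digest
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth

acl localnet src 10.0.0.0/8
acl legacy_clients browser ^OldAgent/
acl authenticated proxy_auth REQUIRED

# Scheme selection only: each rule lists at least one scheme, so a client that
# is challenged is always offered something. There is no "NONE" rule here;
# an empty scheme list is not how "no authentication required" is expressed.
auth_schemes basic legacy_clients
auth_schemes ALL all

# Access control decides who must authenticate at all. Clients on localnet are
# allowed before the proxy_auth ACL is consulted, so they are never challenged;
# everyone else must authenticate with one of the schemes selected above.
http_access allow localnet
http_access allow authenticated
http_access deny all
```

Moving `http_access allow localnet` below `http_access allow authenticated` would make localnet clients authenticate too, which shows that the permit/forbid decision lives in `http_access`, not in the scheme list.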