Re: [stellation-res] Access control list inheritance behavior question

On Sat, 2002-09-28 at 17:16, Florin Iucha wrote:
> 
> I suggest we follow the "principle of least astonishment" and go with
> the POSIX behavior for ACLs - I have no clue what it is, but supposedly
> they thought about it and some people/admins are already familiar with
> it. Or come with a good reason why not.

I don't know what the POSIX ACL behavior is. But they're talking about
filesystem ACLs, and we're talking about repository ACLs, and those
are very different things. I'll look up what POSIX does, and see if I
can paraphrase what a POSIX-like ACL inheritance mechanism would
look like, as an option.

> Now what I see is that for compound artifacts there are extra actions
> that are not available for atoms like "list contents", "add item",
> "remove item", so it might make sense for a parent to have a "default
> ACL for children".

You're thinking of ACLs as filesystem ACLs, not repository ACLs. In the
current scheme, there are no ACLs for individual artifacts. ACLs apply
to repositories, user groups, and branches.

If we wanted access control for individual artifacts, it's possible
to do, but I suspect we'd want a rather different mechanism than what
we use for repositories and branches. They're sufficiently different
that you probably want a different mechanism.

At the moment, we've been looking at it in terms of what kinds of
privileges are available in the filesystem, and have semantic meaning
for repository storage. The only filesystem that we've looked at that
has any significant ACL support is NTFS, and none of that is accessible
through Java. It's also not clear that you'd *want* that for 
a repository. (There are some very difficult administration issues to
make that work right.) The only thing that's really seemed to have
significant meaning that should be preserved in the repository is
the executability of an artifact. We've put that in as a metadata
property (I think it's named "SVC:+x"). 

If we decide we want file-level access control, I'm honestly clueless
about how it should work. And I've got too many things that I need
to do, so I'll leave it for some other interested person who has the
time to think it through to make a proposal. :-)

> I am -1 for 3: it is too much magic - and magic can be dangerous. If
> they want to affect a whole tree with a single command, give them "-R".

That's basically what scares me about it. There's something intuitive
about it in theory, but in practice, it's likely to be surprising.

	-Mark

-- 
Mark Craig Chu-Carroll,  IBM T.J. Watson Research Center  
*** The Stellation project: Advanced SCM for Collaboration
***		http://www.eclipse.org/stellation
*** Work Email: mcc@xxxxxxxxxxxxxx  ------- Personal Email: markcc@xxxxxxxxxxx
