Re: API critique wanted for my RBAC/ACL
Posted: Wed Sep 23, 2009 11:27 am
by koen.h
josh wrote: As in, pass the post's status to the ACL, the ACL would handle checking if it is "allowed" for a given status ( rather than getting back an object you have to "poke at" further to get a simple true/false )
So you would have a 4th optional "context" parameter that could be anything ( a post's status, the request method GET vs POST, etc.. any "context" you needed to be conditional )... these contexts would work like a second "permission" ( the resource, role, permission, AND context would all have to match )
Originally I wanted it to do this, and have given it a lot of thought, but I don't see a way to do this that would be acceptable (performance, API and design-wise).
I think this is more or less what ZF wants assertions to do. The result is that you're almost building an access control within the access control.
Actually what I currently have is not far from it. I see the connection but don't know how to implement access on object(types) contained by other object(types). I'll explain with an example in pseudo-code. What I have now is something like this:
Code:
create a type 'post'
allow role action 'view' on type 'post' // the rule
create a type 'draft', which is type 'post' with property 'status' = 'draft'
deny role action 'view' on type 'draft' // other rule
Now we would like to implement a wider context. Say I have multiple sites and only want to allow this role to view type 'post' on site specialSite.com. How can I create a rule that expresses this? And how would the access check be expressed? It's easy to express access on a type that contains another type (eg a 'post' that has a property which is a 'tag'). But not as easy to express when the type is contained by another type:
Code:
allow role action 'view' on type ... ?
allow role action 'view' on object ... ?
How to express this context? If you have any suggestions I'll gladly look into them.
Re: API critique wanted for my RBAC/ACL
Posted: Thu Sep 24, 2009 6:02 am
by josh
koen.h wrote: Say I have multiple sites and only want to allow this role to view type 'post' on site specialSite.com. How can I create a rule that expresses this?
I would "salt" it into the context, so you would concatenate the strings or if these were a recurring problem I would add a second context ( or call it website just for the sake of sanity ) as a second parameter
Re: API critique wanted for my RBAC/ACL
Posted: Thu Sep 24, 2009 12:58 pm
by koen.h
josh wrote: koen.h wrote: Say I have multiple sites and only want to allow this role to view type 'post' on site specialSite.com. How can I create a rule that expresses this?
I would "salt" it into the context, so you would concatenate the strings or if these were a recurring problem I would add a second context ( or call it website just for the sake of sanity ) as a second parameter
I don't understand this. The context is what should, somehow, be a parameter in the rule. Now we have role, action and an object or type of objects as parameters.
Adding a context as fourth parameter like in: allow('guest', 'view', 'post', $contextObject) makes it even more difficult and processor intensive to find a matching rule when client code asks: isAllowed('guest', 'view', 'post', $partialOverlappingContextObject). Maybe I have to show how this would be processed but it's not pretty and very difficult to cache.
Re: API critique wanted for my RBAC/ACL
Posted: Thu Sep 24, 2009 6:48 pm
by josh
The context would be a string
$context = 'draft';
or...
$context = 'draft-website1';
or $context1 = 'draft'; $context2 = 'website1';
Shouldn't be "processor intensive" at all. If I can regex a 100MB .html file in a few seconds on an old Pentium I'm sure your ACL class will run fine. Honestly.. querying databases, too much aggressive loading, and obscene amounts of file inclusion are 99% of all PHP slowness.
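An added example, not part of any post in this thread: one way to resolve rules that carry a status and a site context using only hash lookups, with default deny. The class name ContextAcl, its methods and the tiered precedence (deny wins among equally specific rules) are assumptions made for illustration; it assumes PHP 7.4 or later.

```php
<?php
// Added illustration; ContextAcl, allow(), deny() and isAllowed() are hypothetical names.
final class ContextAcl
{
    private array $rules = []; // rule key => true (allow) or false (deny)

    // JSON keeps field boundaries: ('draft-a', 'b') and ('draft', 'a-b')
    // get different keys, unlike the plain concatenation "draft-a-b".
    private static function key(string ...$parts): string
    {
        return json_encode($parts, JSON_THROW_ON_ERROR);
    }
    public function allow(string $role, string $action, string $type, string $status = '*', string $site = '*'): void
    {
        $this->rules[self::key($role, $action, $type, $status, $site)] = true;
    }
    public function deny(string $role, string $action, string $type, string $status = '*', string $site = '*'): void
    {
        $this->rules[self::key($role, $action, $type, $status, $site)] = false;
    }

    public function isAllowed(string $role, string $action, string $type, string $status, string $site): bool
    {
        if ($status === '*' || $site === '*') {
            throw new InvalidArgumentException('wildcard is only valid in rules');
        }
        // Most specific tier first; every probe is a single hash lookup.
        $tiers = [[[$status, $site]], [[$status, '*'], ['*', $site]], [['*', '*']]];
        foreach ($tiers as $tier) {
            $verdicts = [];
            foreach ($tier as [$st, $si]) {
                $k = self::key($role, $action, $type, $st, $si);
                if (array_key_exists($k, $this->rules)) {
                    $verdicts[] = $this->rules[$k];
                }
            }
            if ($verdicts !== []) {
                return !in_array(false, $verdicts, true); // deny wins inside a tier
            }
        }
        return false; // no rule matched: default deny
    }
}

$acl = new ContextAcl();
$acl->allow('guest', 'view', 'post', '*', 'specialSite.com'); // site-scoped allow
$acl->deny('guest', 'view', 'post', 'draft');                 // drafts denied on every site
foreach ([['published', 'specialSite.com'], ['draft', 'specialSite.com'], ['published', 'other.example']] as [$status, $site]) {
    printf("%s on %s: %s\n", $status, $site, $acl->isAllowed('guest', 'view', 'post', $status, $site) ? 'allow' : 'deny');
}
```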
Re: API critique wanted for my RBAC/ACL
Posted: Thu Sep 24, 2009 7:03 pm
by Christopher
koen.h wrote: Adding a context as fourth parameter like in: allow('guest', 'view', 'post', $contextObject) makes it even more difficult and processor intensive to find a matching rule when client code asks: isAllowed('guest', 'view', 'post', $partialOverlappingContextObject). Maybe I have to show how this would be processed but it's not pretty and very difficult to cache.
I have lost track of the current state of the design, and when I see calls like the above it makes me think that the dependencies have gone the wrong direction. What is the current API? And do you have some test code we can try? I would like to re-understand the problem because this is a topic with too many details to casually follow in a discussion.