Posted to dev@httpd.apache.org by Brad Nicholes <BN...@novell.com> on 2005/12/06 19:04:13 UTC

Authz refactoring discussion (was: Re: svn commit: r354141)

>>> On 12/6/2005 at 12:04:47 am, in message
<20...@scotch.ics.uci.edu>, justin@erenkrantz.com
wrote:
> On Mon, Dec 05, 2005 at 02:17:09PM -0700, Brad Nicholes wrote:
>> Ignoring SATISFY <whatever> for now, we still want each provider to be
>> called in the listed order and whether authorization is GRANTED or
>> DENIED may not be known until each one has been called.  Until then the
>> status is simply DECLINED.  We can assume that DENIED and DECLINED mean
>> the same thing as long as we get rid of the AuthzXXXAuthoritative
>> directives.  If not then each authz module has to be able to communicate
>> the difference between DECLINED and DENIED.
> 
> I do think we need to get rid of Authoritative, yes.
> 

Good, then I am +1 on the authz providers only returning AUTHZ_GRANTED
or AUTHZ_DENIED.  I don't see a need for anything else.


> I'd prefer slapping 'core' on their names than leaving an undecorated
> 'mod_authn' here.  Another alternative would be to just have them both in
> 'mod_auth_core'.
> 
> Even if it were split out, mod_authn_core really wouldn't perform too much
> heavy lifting as the basic/digest mechanisms do the heavy lifting w.r.t.
> authn providers.  But, for authz, because no one really 'owns' require or
> satisfy, a mod_authz/mod_authz_core would do most of the provider
> invocations - unless we can come up with a better module ownership of the
> 'core' authz directives.  -- justin

I'm good with mod_authn_core and mod_authz_core.  Since I already added
mod_authn.c and mod_authz.c to SVN I'm not sure how to rename them. 
Could you rename the files in SVN and I'll take care of the rest.

Brad

Re: Authz refactoring discussion

Posted by Geoffrey Young <ge...@modperlcookbook.org>.

Justin Erenkrantz wrote:
> --On December 6, 2005 11:04:13 AM -0700 Brad Nicholes
> <BN...@novell.com> wrote:
> 
>> Good, then I am +1 on the authz providers only returning AUTHZ_GRANTED
>> or AUTHZ_DENIED.  I don't see a need for anything else.
> 
> 
> FWIW, I do see a case for returning 'uh-oh, an error occurred'.

I'm planning on reviewing the rest next weekish, as I've written a few auth
provider hooks and I'm interested in seeing what happens to them with all of
this.  but here I'll agree - an error condition is nice to have.
additionally, though, chaining providers together with DECLINED conditions is
really useful.  I haven't looked closely enough to see whether this can be
accommodated, but it's nice to have and returning DENIED isn't intuitive in
this case.

fwiw

--Geoff

Re: Authz refactoring discussion (was: Re: svn commit: r354141)

Posted by Justin Erenkrantz <ju...@erenkrantz.com>.
--On December 6, 2005 11:04:13 AM -0700 Brad Nicholes 
<BN...@novell.com> wrote:

> Good, then I am +1 on the authz providers only returning AUTHZ_GRANTED
> or AUTHZ_DENIED.  I don't see a need for anything else.

FWIW, I do see a case for returning 'uh-oh, an error occurred'.

> I'm good with mod_authn_core and mod_authz_core.  Since I already added
> mod_authn.c and mod_authz.c to SVN I'm not sure how to rename them.
> Could you rename the files in SVN and I'll take care of the rest.

Sure.  I've done it in the branch.  For future reference:

svn mv mod_authn.c mod_authn_core.c
svn mv mod_authz.c mod_authz_core.c

For bonus points, you can even do it via URLs.  =)  -- justin
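
An added illustration of the return-value question discussed in this thread (not code from httpd or from any of the posters): a provider chain in which every provider is called in listed order, with an error status kept distinct from AUTHZ_DENIED so the caller can fail closed. AUTHZ_ERROR, authz_run_chain, the sample providers and the combining rule (one grant is enough unless some provider reported an error) are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* AUTHZ_GRANTED / AUTHZ_DENIED are the names used in the thread.
 * AUTHZ_ERROR is a hypothetical name for the "an error occurred" case. */
typedef enum { AUTHZ_DENIED = 0, AUTHZ_GRANTED, AUTHZ_ERROR } authz_status;
typedef authz_status (*authz_check_fn)(const char *user);

/* Constructed sample providers (not real httpd modules). */
static authz_status allow_alice(const char *user) {
    return strcmp(user, "alice") == 0 ? AUTHZ_GRANTED : AUTHZ_DENIED;
}
static authz_status allow_bob(const char *user) {
    return strcmp(user, "bob") == 0 ? AUTHZ_GRANTED : AUTHZ_DENIED;
}
static authz_status backend_down(const char *user) {
    (void)user;            /* e.g. a directory lookup failed */
    return AUTHZ_ERROR;
}

/* Assumed combining rule: call every provider in listed order; an error
 * from any provider overrides grants (fail closed); otherwise one grant
 * is enough; an empty chain or an all-denied chain is denied. */
authz_status authz_run_chain(const authz_check_fn *chain, size_t n,
                             const char *user) {
    authz_status result = AUTHZ_DENIED;
    for (size_t i = 0; i < n; i++) {
        authz_status s = chain[i](user);
        if (s == AUTHZ_ERROR)
            result = AUTHZ_ERROR;
        else if (s == AUTHZ_GRANTED && result != AUTHZ_ERROR)
            result = AUTHZ_GRANTED;
    }
    return result;
}

int main(void) {
    static const char *names[] = { "DENIED", "GRANTED", "ERROR" };
    authz_check_fn ok[]  = { allow_alice, allow_bob };
    authz_check_fn bad[] = { allow_alice, backend_down };
    printf("bob,   healthy chain: %s\n", names[authz_run_chain(ok, 2, "bob")]);
    printf("carol, healthy chain: %s\n", names[authz_run_chain(ok, 2, "carol")]);
    printf("alice, failing chain: %s\n", names[authz_run_chain(bad, 2, "alice")]);
    return 0;
}
```

With only two return values, the third case would have to be reported as either a grant or a denial, and the caller could not tell a policy decision from a backend failure.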