Posted to dev@httpd.apache.org by Jeff Trawick <tr...@gmail.com> on 2011/03/18 18:10:28 UTC

2.4 API changes for AAA

after gathering pages of scribbles from comparing
2.2.x/modules<->2.3.x/modules and 2.2.x/include<->2.3.x/include for
API changes and trying to describe as many as I could, I'm left with a
list of things to research further:

check_user_id->check_authn
access_checker->check_access
auth_checker->check_authz
AUTHN_PROVIDER_VERSION?
note_basic_auth_failure
ap_register_provider->ap_register_auth_provider
ap_authn_cache_store
ap_hook_auth_checker->register_auth_provider
access_checker_ex

What's the big picture here?  Is it something like

IF YOU USE THE UGLY LEGACY HTTPD 1.3/2.0 MODEL:
* dudette, your code still works (but shame on you for not using the
2.2 provider framework)
* you may be interested in switching to the 2.4 provider framework,
which allows for XXX,YYY,ZZZ
* you may be interested in these new features: AAA,BBB,CCC

If you use the httpd 2.2 provider framework (ponies and rainbows):
* change1 (e.g., "0"->AUTHN_PROVIDER_VERSION)
* change2
* ...
* changen
* you may be interested in these new features: AAA,BBB,CCC

hints?

Re: 2.4 API changes for AAA

Posted by Stefan Fritsch <sf...@sfritsch.de>.
On Friday 18 March 2011, Jeff Trawick wrote:
> after gathering pages of scribbles from comparing
> 2.2.x/modules<->2.3.x/modules and 2.2.x/include<->2.3.x/include for
> API changes and trying to describe as many as I could, I'm left
> with a list of things to research further:

I'll try to provide some bits. But I fear I don't know the 2.2 model 
well enough to provide a big picture. Let alone the 1.3/2.0 model.

> check_user_id->check_authn
> access_checker->check_access
> auth_checker->check_authz

These three allow a module to select if it wants to be called per 
per-dir-config or per URL. If a module makes a decision only based on 
the per-dir-config, this can save a lot of overhead for requests with 
many sub-requests (DAV propfind, etc.).

In the 2.4 model, the latter two hooks should normally not be used 
directly. Instead, a module should register authn/authz providers 
which are called by mod_authz_core or by the modules implementing 
authentication types.

access_checker/check_access is really deprecated in favor of *_ex

> AUTHN_PROVIDER_VERSION?

Don't know. I guess just a DEFINE for the "0"?

> note_basic_auth_failure

This is needed to allow a module implementing an authentication type 
to adjust the error response so that authentication is requested from 
the user when ap_note_auth_failure() is called. In 2.2.x, 
ap_note_auth_failure() only really worked for basic auth. This new 
hook allows digest and form to work, too.

> ap_register_provider->ap_register_auth_provider

Same as the first ones above, this allows an authn provider to choose 
if it wants to be called once per per-dir-config or once per URL.

> ap_authn_cache_store

? 

> ap_hook_auth_checker->register_auth_provider

This is the new way to do authorization with the 2.4 provider 
framework, see below. In 2.2, there were only providers for authn, not 
authz.

> access_checker_ex

This is the same as access_checker, but allows not only denying a 
request but also finally allowing it, bypassing authentication.
access_checker is run-all and proceeds with authn if all hooks return 
DECLINED or OK. access_checker is run-first and only proceeds with 
authn if all hooks return DECLINED.

> What's the big picture here?  Is it something like
> 
> IF YOU USE THE UGLY LEGACY HTTPD 1.3/2.0 MODEL:
> * dudette, your code still works (but shame on you for not using
> the 2.2 provider framework)
> * you may be interested in switching to the 2.4 provider framework,
> which allows for XXX,YYY,ZZZ

The 2.4 provider framework treats access restrictions that are not 
based on a user name as authorization, instead of doing two distinct 
checks, one for everything that is not related to a user name (access 
checker), and one for everything that is (authorization). This allows 
the administrator much finer control on when to allow access (compared 
to the crude satisfy any/all choice in 2.2 and earlier).

It also allows merging of authz settings with the parent per-dir 
config. The admin can choose AND, OR, or no merging. In 2.2, there was 
no merging (except for the two checks for authz and access_checker 
being treated separately).

Finally it provides boolean containers (RequireAll, RequireAny) for 
authz, allowing even more control for the admin.

> * you may be interested in these new features: AAA,BBB,CCC
> 
> If you use the httpd 2.2 provider framework (ponies and rainbows):
> * change1 (e.g., "0"->AUTHN_PROVIDER_VERSION)
> * change2
> * ...
> * changen
> * you may be interested in these new features: AAA,BBB,CCC
> 
> hints?

I hope that helped a bit. If you have some specific questions, maybe I 
have some more answers. But I am not making any guarantees.
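As an added illustration of the authz model Stefan describes above (this configuration is not from the thread; the directory paths, file names and group names are made up): the 2.2 form, where the access checker (Order/Allow) and Require are separate checks joined only by Satisfy, beside its 2.4 equivalent expressed as one RequireAny/RequireAll expression, plus AuthMerging for merging with the parent per-dir config.

```apache
# httpd 2.2: IP restriction (access checker) and user/group check (authz)
# are two distinct checks; "Satisfy Any" is the only way to combine them.
<Directory "/srv/www/private">
    Order Deny,Allow
    Deny from all
    Allow from 10.0.0.0/8
    AuthType Basic
    AuthName "private"
    AuthUserFile "/etc/httpd/passwd"
    AuthGroupFile "/etc/httpd/groups"
    Require group admins
    Satisfy Any
</Directory>

# httpd 2.4: the IP restriction is just another authz provider ("ip"),
# so the same policy is a single boolean expression. Grant if the client
# is on the internal network, OR is an admin using a read-only method.
<Directory "/srv/www/private">
    AuthType Basic
    AuthName "private"
    AuthUserFile "/etc/httpd/passwd"
    AuthGroupFile "/etc/httpd/groups"
    <RequireAny>
        Require ip 10.0.0.0/8
        <RequireAll>
            Require group admins
            Require method GET HEAD
        </RequireAll>
    </RequireAny>
</Directory>

# 2.4 only: merge with the parent's Require set instead of replacing it.
# AuthMerging Off (the default) replaces; And/Or combine with the parent.
<Directory "/srv/www/private/audit">
    AuthMerging And
    Require group auditors
</Directory>
```

With AuthMerging And, a request for /private/audit must satisfy the parent's RequireAny block and also be from an auditors group member; in 2.2 the child Require would simply have replaced the parent's.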


Re: 2.4 API changes for AAA

Posted by Guenter Knauf <fu...@apache.org>.
Am 18.03.2011 18:10, schrieb Jeff Trawick:
> What's the big picture here?  Is it something like
>
> IF YOU USE THE UGLY LEGACY HTTPD 1.3/2.0 MODEL:
> * dudette, your code still works (but shame on you for not using the
> 2.2 provider framework)
that would be nice - but that worked only with 2.2, but unfortunately 
doesn't work with 2.4 due to the removal of ap_requires() ... :-(

Gün.



Re: 2.4 API changes for AAA

Posted by Jeff Trawick <tr...@gmail.com>.
Thanks!

Re: 2.4 API changes for AAA

Posted by Guenter Knauf <fu...@apache.org>.
Am 22.03.2011 15:52, schrieb Jeff Trawick:
> On Fri, Mar 18, 2011 at 1:10 PM, Jeff Trawick<tr...@gmail.com>  wrote:
>> after gathering pages of scribbles from comparing
>> 2.2.x/modules<->2.3.x/modules and 2.2.x/include<->2.3.x/include for
>> API changes and trying to describe as many as I could, I'm left with a
>> list of things to research further:
>
> I'm surprised that there are no hints out there on the AAA changes.
> (Just sayin'.)
>
> I'll try to dig.
in addition to Stefan's hints maybe this commit is an important one:
http://svn.apache.org/viewvc?view=revision&revision=368027

also there are some related list posts ...

Gün.




Re: 2.4 API changes for AAA

Posted by Jeff Trawick <tr...@gmail.com>.
On Fri, Mar 18, 2011 at 1:10 PM, Jeff Trawick <tr...@gmail.com> wrote:
> after gathering pages of scribbles from comparing
> 2.2.x/modules<->2.3.x/modules and 2.2.x/include<->2.3.x/include for
> API changes and trying to describe as many as I could, I'm left with a
> list of things to research further:

I'm surprised that there are no hints out there on the AAA changes.
(Just sayin'.)

I'll try to dig.