mod_metadata: Request for feedback on ideas

[Ben Davies <bd...@stickyeyes.com>]

Hi everyone,

 

Just thinking aloud here, so would appreciate some feedback or information
particularly on something I've missed.

 

I've been looking at mod_authz_dbd and such and have noticed that the
Requires directive allows you to specify a userid or group-name that an
Authz provider must match. It appears that this userid or group-name must be
specified before hand.

 

Does anyone know of a pre existing module that allows you to specify these
Require details (preferably) from a SQL database, based on requested URI?

 

For example, instead of:

 

<Directory /usr/www/my.site/team-private/>
AuthType Basic
AuthName Team
AuthBasicProvider dbd
AuthDBDUserPWQuery "SELECT password FROM authn WHERE user = %s AND login =
'true'"
AuthzDBDQuery "SELECT group FROM authz WHERE user = %s"
Requires dbd-group team
</Directory>

 

Which restricts files in specified directory to users who are members of the
group "team", you could do something like this:

 

<Directory /usr/www/my.site/team-private/>
AuthType Basic
AuthName Team
AuthBasicProvider dbd
AuthDBDUserPWQuery "SELECT password FROM authn WHERE user = %s AND login =
'true'"
AuthzDBDQuery "SELECT group FROM authz WHERE user = %s"
MetaDBDQuery "SELECT owner, group FROM resources WHERE uri = %s"
Requires meta-dbd-group
</Directory>

 

I've had a google about and I've not found anything, apart from
mod_authz_owner that does anything close to this; that is, allows you to
specify the userid or group-name based on something outside the
httpd.conf/htaccess file (mod_authz_owner checks the file-owner and
file-group details of the requested file). 

 

An ideal implementation would work in a similar manner to the auth
framework: you would have a resource-metadata framework, which consisted of
providers that allowed you to specify where apache would look-up the
meta-data for the requested resource in order to complete the authorization
phase of the request. Doing so allows us to specify who is authorized to
access a given resource (or collection/directory tree of resources) from an
external system (sql-db, dbm or even a separate .meta/RDF file). In fact, if
these details were in fact a separate file, you could modify them using
simple REST principles.

 

This is an idea I've had banging around in my head for a while now, and I'm
curious if anyone has come across something similar that has already been
implemented, or if there are plans to add a similar feature in a future
version of apache. I would also appreciate it if anyone could give me some
feedback on this idea, especially if I have missed some obvious reason why
this would not be a very good idea.

 

Cheers!

 

Ben Davies