Posted to modules-dev@httpd.apache.org by Ben Davies <bd...@stickyeyes.com> on 2009/03/23 14:39:41 UTC
mod_metadata: Request for feedback on ideas
Hi everyone,
Just thinking aloud here, so I would appreciate some feedback or information,
particularly on anything I've missed.
I've been looking at mod_authz_dbd and such and have noticed that the
Requires directive allows you to specify a userid or group-name that an
Authz provider must match. It appears that this userid or group-name must be
specified beforehand.
Does anyone know of a pre-existing module that allows you to specify these
Require details (preferably) from a SQL database, based on the requested URI?
For example, instead of:
    <Directory /usr/www/my.site/team-private/>
        AuthType Basic
        AuthName Team
        AuthBasicProvider dbd
        AuthDBDUserPWQuery "SELECT password FROM authn WHERE user = %s AND login = 'true'"
        AuthzDBDQuery "SELECT group FROM authz WHERE user = %s"
        Require dbd-group team
    </Directory>
which restricts files in the specified directory to users who are members of the
group "team", you could do something like this:
    <Directory /usr/www/my.site/team-private/>
        AuthType Basic
        AuthName Team
        AuthBasicProvider dbd
        AuthDBDUserPWQuery "SELECT password FROM authn WHERE user = %s AND login = 'true'"
        AuthzDBDQuery "SELECT group FROM authz WHERE user = %s"
        MetaDBDQuery "SELECT owner, group FROM resources WHERE uri = %s"
        Require meta-dbd-group
    </Directory>
I've had a google about and I've not found anything, apart from
mod_authz_owner, that does anything close to this; that is, allows you to
specify the userid or group-name based on something outside the
httpd.conf/.htaccess file (mod_authz_owner checks the file-owner and
file-group details of the requested file).
An ideal implementation would work in a similar manner to the auth
framework: you would have a resource-metadata framework, which consisted of
providers that allowed you to specify where Apache would look up the
meta-data for the requested resource in order to complete the authorization
phase of the request. Doing so allows us to specify who is authorized to
access a given resource (or collection/directory tree of resources) from an
external system (SQL DB, DBM or even a separate .meta/RDF file). In fact, if
these details were a separate file, you could modify them using
simple REST principles.
This is an idea I've had banging around in my head for a while now, and I'm
curious if anyone has come across something similar that has already been
implemented, or if there are plans to add a similar feature in a future
version of Apache. I would also appreciate it if anyone could give me some
feedback on this idea, especially if I have missed some obvious reason why
this would not be a very good idea.
Cheers!
Ben Davies
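The proposed meta-dbd-group decision as an added, runnable sketch (example code, not part of the post or of httpd): it walks from the requested URI up through its enclosing collections, as the post's "collection/directory tree" remark suggests, looks the resource's group up with the same shape as the post's MetaDBDQuery and AuthzDBDQuery, and fails closed on unknown or non-canonical URIs. The table rows, the canonical and collection_candidates helpers and the SQLite backing are assumptions.

```python
import posixpath
import sqlite3
# Constructed sample schema and rows mirroring the post's authz and resources tables;
# "group" is quoted because it is an SQL keyword. Hypothetical data, not from httpd.
SCHEMA = """
CREATE TABLE authz ("user" TEXT, "group" TEXT);
CREATE TABLE resources (uri TEXT PRIMARY KEY, owner TEXT, "group" TEXT);
INSERT INTO authz VALUES ('alice', 'team'), ('bob', 'ops'), ('carol', 'team');
INSERT INTO resources VALUES ('/team-private/', 'alice', 'team'),
  ('/team-private/ops/', 'bob', 'ops'), ('/team-private/ops/runbook.txt', 'carol', 'ops');
"""
# Same shape as the post's queries; bound parameters stand in for httpd's %s placeholders.
AUTHZ_QUERY = 'SELECT "group" FROM authz WHERE "user" = ?'
META_QUERY = 'SELECT owner, "group" FROM resources WHERE uri = ?'

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def canonical(uri):
    """Absolute, already-normalised paths only; anything else fails closed."""
    if uri.startswith("/") and posixpath.normpath(uri) in (uri, uri.rstrip("/")):
        return uri
    return None

def collection_candidates(uri):
    """Yield the URI itself, then each enclosing collection up to '/'."""
    yield uri
    while uri not in ("", "/"):
        uri = uri.rstrip("/").rsplit("/", 1)[0] + "/"
        yield uri

def lookup_resource_meta(conn, uri):
    """(owner, group) for the exact URI, else for its closest enclosing collection."""
    for candidate in collection_candidates(uri):
        row = conn.execute(META_QUERY, (candidate,)).fetchone()
        if row:
            return row
    return None

def meta_dbd_group_authorized(conn, user, uri):
    """'Require meta-dbd-group': user must be in the group the resource metadata names."""
    uri = canonical(uri)
    meta = lookup_resource_meta(conn, uri) if uri else None
    if meta is None:
        return False
    groups = {row[0] for row in conn.execute(AUTHZ_QUERY, (user,))}
    return meta[1] in groups
```

A request for a URI with no metadata row anywhere up its tree is denied rather than silently allowed, which is the safer default when the metadata store is incomplete.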