DAV ACLs Lisa Dusseault Microsoft

Upload: herbert-barker

Post on 04-Jan-2016


Page 1: DAV ACLs Lisa Dusseault Microsoft. Agenda Background Scenarios Goals

DAV ACLs

Lisa Dusseault

Microsoft

Page 2

Agenda

• Background

• Scenarios

• Goals

Page 3

Background

• draft-ietf-webdav-acreq-01.txt

• draft-ietf-webdav-acl-00.txt

• Terms
– ACL
– ACE
– Principal

Page 4

File System ACLs

• Resource x principal x right --> yes/no

• Each resource (file or directory) has its own list

• Each list has entries for various principals and rights

• “All Users” principal

• Groups as well as individual users

Page 5

File System ACLs

• Common rights: read, write, execute

• Other rights: list members, read ACLs, write ACLs, synchronize

• Directories may be treated differently than files

• Access rights may be denied as well as granted

Page 6

File System ACLs

• Ownership

• Inheritance

• Rules for avoiding conflict

Page 7

Scenarios

• Different authors on different resources within one collection

• Deny access to a member of a group

• Delegation without relinquishing control

• Disallow a principal from seeing the presence of a resource in a collection??

• Roles: Authors, editors, maintainers, managers, contributors...

Page 8

Goals

• Allow access controls to be read and set

• Support most frequently used rights
– read, write, delete, add child, list children, delete children, read ACL, write ACL

• Support grant, deny

• Access controls must apply to resources and should apply to properties

Page 9

Goals Continued

• Flexible principal specification
– userid & domain, group & domain, all, all authorized

• Ability to add and remove access settings without resetting entire list

Page 10

Inheritance goals

• Static inheritance

• Dynamic inheritance

• Top-down vs. leaf-only inheritance (“walk the path”)

• What to do if leaf has empty acls

Page 11

Extensibility and Discovery

• Add new types of rights to resources or types of resources

• Ability to discover new rights

Page 12

Security Goals

• Allow administrators to block/log access control requests

• Allow resource/collection managers to grant and deny access to read and write access settings

Page 13

Security: Ownership

• “Owner” is the principal to whom permissions cannot be effectively denied

• Useful to have “set owner” as well as “set ACLs” right (solves delegation scenario)

• Must be supported
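The following is an added illustration, not code from the slides or from any WebDAV ACL implementation. It puts the model from the "File System ACLs", "Inheritance goals" and "Security: Ownership" slides into one small evaluator: resource x principal x right -> yes/no, grant and deny entries, group and "all" principals, an owner who cannot be denied, and "walk the path" inheritance where an empty leaf ACL defers to its parents. The conflict rule (deny beats grant within one ACL, nearest deciding ACL wins, default deny) and all paths, users and groups are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed example of the ACL model in the slides (assumptions, not a spec):
# an ACE is (principal, right, grant/deny); principals are a user id, a
# "group:<name>" or "all"; each resource has an owner and its own ACE list.


@dataclass
class ACE:
    principal: str   # "alice", "group:editors" or "all"
    right: str       # "read", "write", "delete", "add child", ...
    grant: bool      # True = grant, False = deny


GROUPS = {"editors": {"alice", "bob"}}   # constructed group membership

# resource path -> (owner, ACEs); an empty ACE list means "inherit from parent"
ACLS = {
    "/": ("root", [ACE("all", "read", True), ACE("group:editors", "write", True)]),
    "/docs": ("carol", [ACE("bob", "write", False)]),   # deny one group member
    "/docs/spec.txt": ("carol", []),                     # empty leaf ACL
}


def matches(ace: ACE, principal: str) -> bool:
    """Does this ACE's principal cover the requesting principal?"""
    if ace.principal in ("all", principal):
        return True
    if ace.principal.startswith("group:"):
        return principal in GROUPS.get(ace.principal[len("group:"):], set())
    return False


def decide_at(aces: list, principal: str, right: str):
    """Deny-overrides within a single ACL; None if this ACL says nothing."""
    hits = [a.grant for a in aces if a.right == right and matches(a, principal)]
    return all(hits) if hits else None


def check(resource: str, principal: str, right: str) -> bool:
    """Owner is never denied; otherwise walk the path leaf-to-root and let the
    nearest ACL with an opinion decide; nothing found means deny."""
    if principal == ACLS[resource][0]:
        return True
    path = resource
    while True:
        decision = decide_at(ACLS.get(path, ("", []))[1], principal, right)
        if decision is not None:
            return decision
        if path == "/":
            return False                       # default deny at the root
        path = path.rsplit("/", 1)[0] or "/"   # step up one collection
```

With these tables, bob's group grant at "/" is overridden by the explicit deny at "/docs", while alice, who is in the same group, keeps write on the leaf through inheritance.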

Page 14

Security: Encryption

• Encryption could greatly reduce chance of snooping

• Snooping is particularly dangerous when account names are sent across the wire

• Recommend but not require that implementations support encryption

• Allow implementations to refuse non-encrypted requests

Page 15

Security: Certificates

• Could have certificates issuable which mean “I have permission to write to this resource” even though certificate holder is not known

• Would access certificates override the access list?

• Should we support this use of certificates?

• DAV ACL design will be functional without certificate-based delegation.

Page 16

Predictability Goal

• Ability for clients to predict access levels

• Completeness
– Include all administrators that could delete the file?

• Evaluation must be unambiguously defined

• Behaviour must be entirely consistent or discoverable