TRANSCRIPT
DAV ACLs
Lisa Dusseault
Microsoft
Agenda
• Background
• Scenarios
• Goals
Background
• draft-ietf-webdav-acreq-01.txt
• draft-ietf-webdav-acl-00.txt
• Terms
– ACL
– ACE
– Principal
File System ACLs
• Resource x principal x right --> yes/no
• Each resource (file or directory) has its own list
• Each list has entries for various principals and rights
• “All Users” principal
• Groups as well as individual users
File System ACLs
• Common rights: read, write, execute
• Other rights: list members, read ACLs, write ACLs, synchronize
• Directories may be treated differently than files
• Access rights may be denied as well as granted
File System ACLs
• Ownership
• Inheritance
• Rules for avoiding conflict
Scenarios
• Different authors on different resources within one collection
• Deny access to a member of a group
• Delegation without relinquishing control
• Disallow a principal from seeing the presence of a resource in a collection?
• Roles: Authors, editors, maintainers, managers, contributors...
Goals
• Allow access controls to be read and set
• Support most frequently used rights
– read, write, delete, add child, list children, delete children, read ACL, write ACL
• Support grant, deny
• Access controls must apply to resources and should apply to properties
Goals Continued
• Flexible principal specification
– userid & domain, group & domain, all, all authorized
• Ability to add and remove access settings without resetting entire list
Inheritance goals
• Static inheritance
• Dynamic inheritance
• Top-down vs. leaf-only inheritance (“walk the path”)
• What to do if leaf has empty acls
Extensibility and Discovery
• Add new types of rights to resources or types of resources
• Ability to discover new rights
Security Goals
• Allow administrators to block/log access control requests
• Allow resource/collection managers to grant and deny the ability to read and write access settings
Security: Ownership
• “Owner” is the principal to whom permissions cannot be effectively denied
• Useful to have “set owner” as well as “set ACLs” right (solves delegation scenario)
• Must be supported
Security: Encryption
• Encryption could greatly reduce the chance of snooping
• Snooping is particularly dangerous when account names are sent across the wire
• Recommend, but do not require, that implementations support encryption
• Allow implementations to refuse non-encrypted requests
Security: Certificates
• Certificates could be issued that mean “I have permission to write to this resource” even though the certificate holder is not known
• Would access certificates override the access list?
• Should we support this use of certificates?
• DAV ACL design will be functional without certificate-based delegation.
Predictability Goal
• Ability for clients to predict access levels
• Completeness
– Include all administrators that could delete the file?
• Evaluation must be unambiguously defined
• Behaviour must be entirely consistent or discoverable
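The following is an added worked example, not code from the slides or from the WebDAV ACL drafts, that turns the model sketched under "File System ACLs", "Goals", "Inheritance goals", "Security: Ownership" and "Predictability Goal" into an evaluator whose outcome is unambiguously defined. The evaluation rules it fixes are design choices made here for illustration: the owner of a resource can never be effectively denied; within one list a matching deny beats a matching grant; inheritance is dynamic and leaf-first (the leaf ACL is consulted, and only if it has no entry for the principal and right does evaluation walk the path up to the root, which is also what happens when the leaf ACL is empty); and a request that reaches the root unanswered is denied. The principals, groups, paths and ACLs are constructed to reproduce the scenarios slide (different authors within one collection, denying one member of a group, delegation of ACL management without relinquishing ownership) and are not taken from any real deployment.

```python
"""Added example: evaluator for the resource x principal x right -> yes/no model.
Rules (assumptions made for this example): owner always wins; deny beats grant
within one ACL; leaf-first walk up the path; unanswered at root means deny."""
from dataclasses import dataclass, field
from typing import List, Optional

ALL = "all"                        # every principal, authenticated or not
ALL_AUTHORIZED = "all authorized"  # every authenticated principal


@dataclass(frozen=True)
class Principal:
    name: str
    groups: frozenset = frozenset()
    authenticated: bool = True


@dataclass(frozen=True)
class ACE:
    principal: str  # userid, group name, ALL or ALL_AUTHORIZED
    right: str      # e.g. "read", "write", "list children", "write ACL"
    grant: bool     # True grants the right, False denies it


@dataclass
class Resource:
    path: str
    owner: Optional[str] = None
    acl: List[ACE] = field(default_factory=list)


class Tree:
    """Resources keyed by path; "/" is the root collection."""

    def __init__(self):
        self.nodes = {}

    def add(self, res):
        self.nodes[res.path] = res
        return res

    @staticmethod
    def parent(path):
        if path == "/":
            return None
        return path.rsplit("/", 1)[0] or "/"


def matches(ace, who):
    """Does the ACE's principal specification cover the requester?"""
    return (ace.principal == ALL
            or (ace.principal == ALL_AUTHORIZED and who.authenticated)
            or ace.principal == who.name
            or ace.principal in who.groups)


def decide_here(res, who, right):
    """True/False if this resource's own ACL answers the question, else None."""
    hits = [a for a in res.acl if a.right == right and matches(a, who)]
    if not hits:
        return None                      # empty ACL or no entry for this pair
    return all(a.grant for a in hits)    # any matching deny wins


def allowed(tree, path, who, right):
    """Evaluate (resource, principal, right), walking the path toward the root."""
    node = tree.nodes[path]
    if node.owner is not None and node.owner == who.name:
        return True                      # owner cannot be effectively denied
    while node is not None:
        verdict = decide_here(node, who, right)
        if verdict is not None:
            return verdict
        parent = Tree.parent(node.path)
        node = tree.nodes.get(parent) if parent else None
    return False                         # nothing on the path answered


def add_ace(res, principal, right, grant):
    """Add one entry; the rest of the list is left untouched."""
    res.acl.append(ACE(principal, right, grant))


def revoke(res, principal, right):
    """Remove every entry for (principal, right) without resetting the list."""
    res.acl[:] = [a for a in res.acl
                  if not (a.principal == principal and a.right == right)]


# Constructed sample principals and tree reproducing the scenarios slide.
ALICE = Principal("alice", frozenset({"editors"}))
BOB = Principal("bob", frozenset({"editors"}))
MALLORY = Principal("mallory", frozenset({"editors"}))
ADMIN = Principal("admin")
ANON = Principal("anonymous", authenticated=False)


def build_scenarios():
    t = Tree()
    t.add(Resource("/", owner="admin", acl=[ACE(ALL_AUTHORIZED, "read", True)]))
    t.add(Resource("/docs", owner="admin", acl=[
        ACE("editors", "write", True),
        ACE("editors", "list children", True),
        ACE("mallory", "read", False),   # deny one member of the editors group
        ACE("bob", "write ACL", True),   # delegation: bob may manage this ACL
    ]))
    # Different authors on different resources within one collection.
    t.add(Resource("/docs/a", owner="alice", acl=[ACE("editors", "write", False)]))
    t.add(Resource("/docs/b", owner="bob", acl=[ACE("editors", "write", False)]))
    t.add(Resource("/docs/notes"))       # empty leaf ACL: falls through to /docs
    return t


if __name__ == "__main__":
    t = build_scenarios()
    for path, who, right in [("/docs/a", BOB, "write"), ("/docs/notes", MALLORY, "read"),
                             ("/docs/notes", MALLORY, "write"), ("/docs", ANON, "list children")]:
        print(f"{who.name:9} {right:14} {path:12} -> {allowed(t, path, who, right)}")
```

Because the owner check runs before any ACL is consulted, a delegate who holds "write ACL" on /docs can add a deny entry for the owner and it has no effect, which is the delegation-without-relinquishing-control scenario. `revoke` removes only the matching entries, leaving the remaining list intact, which is the "add and remove access settings without resetting entire list" goal.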