DAV ACLs Lisa Lippert Microsoft


DAV ACLs
Lisa Lippert
Microsoft
Agenda
• Background
– drafts, terms, how file systems use ACLs
– Other ACLs efforts
• Scenarios
• Goals
– goals, may-haves, won’t-haves
Background
• Drafts:
– draft-ietf-webdav-acl-reqts-00.txt
– draft-ietf-webdav-acl-00.txt (expired)
• Terms
– ACL
– ACE
– Principal
File System ACLs
• Resource x principal x right --> yes/no
• Each resource (file or directory) has its own list
• Each list has entries for various principals and rights
• Users, groups, “All Users” principal
• Common rights: read, write, execute
• Other rights: list members, read ACLs, write ACLs...
• Directories may be treated differently than files
• Access rights may be denied as well as granted
• Various rules for ownership, inheritance, avoiding conflict
Other ACLs efforts
• LDAP
• IMAP: rfc2086
– lookup, read, write, insert, post, create, delete, administer, keep seen/unseen info across sessions
– Rights apply only to mailboxes
• CAP (Calendar Access Protocol)
• CAT
Scenarios
• Basic allow read/write scenario
• Different authors on different resources within one collection
• Deny access to a member of a group
• Delegation without relinquishing control
• High-security: no evidence that a hidden file exists
Goals
• Allow access controls to be read and set
• Support most frequently used rights
– read, write, delete, add child, list children, delete children, read ACL, write ACL
• Support grant, deny
• Allow access controls to apply to resources and collections
Goals Continued
• Flexible principal specification
– userid & domain, group & domain, all, all authenticated
• Ability to add and remove access settings without resetting entire list
Inheritance goals
• Static inheritance
• Dynamic inheritance
Extensibility and Discovery
• Add new types of rights to resources or types of resources
• Ability to discover new rights
Security: Ownership
• Allow resource managers to grant and deny access to read and write access settings
• Ownership
– “Owner” is the principal to whom permissions cannot be effectively denied
– Useful to have “set owner” as well as “set ACLs” right (solves delegation scenario)
– Must be supported
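The access-control model the preceding slides sketch (resource x principal x right --> yes/no, grant and deny entries, principals ranging from one userid & domain to a group or to all authenticated users, static versus dynamic inheritance from a collection, adding or removing a single entry without resetting the list, and an owner to whom permissions cannot be effectively denied), worked through as an added Python example that also walks the scenarios slide: different authors inside one collection, denying one member of a group, a hidden file that leaves no evidence of its existence, and delegating ACL editing without handing over ownership. This is an editor-supplied illustration, not code from the presentation, the expired draft, or Microsoft. The group table, the user names, the "deny beats grant, owner always wins" conflict rule, the separate "set-owner" right, and the rule that a child a requester cannot read is omitted from listings are all assumptions made for the example.

```python
"""Toy model of the ACL semantics the slides sketch: resource x principal x
right -> yes/no, grant and deny entries, flexible principals, static and
dynamic inheritance, incremental ACE changes and an owner who cannot be
effectively denied.  Illustrative only; not the expired draft's wire format
nor any product's implementation.  Conflict rule chosen here (an assumption,
one of several the slides allow): an explicit deny beats a grant, owner wins."""
from dataclasses import dataclass, field
from typing import Optional

ALL, AUTHENTICATED = "all", "authenticated"   # the "all" / "all authenticated" principals
GRANT, DENY = "grant", "deny"

# Constructed group membership; the draft leaves how groups are modelled out of scope.
GROUPS = {"group:staff@example.com": {"alice@example.com", "bob@example.com", "dave@example.com"}}


@dataclass
class ACE:
    principal: str  # "user@domain", "group:name@domain", "all" or "authenticated"
    right: str      # e.g. "read", "add-child", "list-children", "read-acl", "write-acl", "set-owner"
    effect: str     # GRANT or DENY


@dataclass
class Resource:
    name: str
    owner: str
    acl: list = field(default_factory=list)
    parent: Optional["Resource"] = None
    children: dict = field(default_factory=dict)
    inherit: bool = True  # dynamic inheritance: consult the parent's ACL at access time


def matches(principal: str, user: Optional[str]) -> bool:
    """Does an ACE principal cover this requester?  user=None means anonymous."""
    if principal == ALL:
        return True
    if principal == AUTHENTICATED:
        return user is not None
    if principal.startswith("group:"):
        return user in GROUPS.get(principal, set())
    return principal == user


def effective_acl(res: Resource):
    """The resource's own ACEs, then each ancestor's while dynamic inheritance is on."""
    while res is not None:
        yield from res.acl
        if not res.inherit:
            break
        res = res.parent


def allowed(res: Resource, user: Optional[str], right: str) -> bool:
    """Resource x principal x right -> yes/no."""
    if user is not None and user == res.owner:
        return True  # owner cannot be effectively denied
    hits = [a for a in effective_acl(res) if a.right == right and matches(a.principal, user)]
    if any(a.effect == DENY for a in hits):
        return False
    return any(a.effect == GRANT for a in hits)


def require(res, user, right):
    if not allowed(res, user, right):
        raise PermissionError(f"{user!r} lacks {right} on {res.name}")


def add_ace(res, actor, ace):
    """Add one entry; the rest of the list is untouched."""
    require(res, actor, "write-acl")
    res.acl.append(ace)


def remove_ace(res, actor, ace):
    require(res, actor, "write-acl")
    res.acl.remove(ace)


def set_owner(res, actor, new_owner):
    require(res, actor, "set-owner")  # distinct from write-acl, as the slides suggest
    res.owner = new_owner


def create_child(parent, actor, name, static=False):
    require(parent, actor, "add-child")
    child = Resource(name, owner=actor, parent=parent)
    if static:  # static inheritance: copy the parent's ACEs once, then stop following it
        child.acl, child.inherit = list(parent.acl), False
    parent.children[name] = child
    return child


def list_children(coll, user):
    """Names a requester may learn about.  Children the requester cannot read are
    omitted, so a hidden file leaves no evidence of its existence (assumed rule)."""
    require(coll, user, "list-children")
    return sorted(n for n, c in coll.children.items() if allowed(c, user, "read"))


def demo():
    carol, alice, bob, dave = (f"{n}@example.com" for n in ("carol", "alice", "bob", "dave"))
    staff = "group:staff@example.com"
    docs = Resource("/docs/", owner=carol)
    for ace in (ACE(staff, "read", GRANT), ACE(staff, "list-children", GRANT),
                ACE(alice, "add-child", GRANT), ACE(dave, "write-acl", GRANT)):
        add_ace(docs, carol, ace)                      # carol owns /docs/, so always permitted
    plan = create_child(docs, alice, "plan.txt")       # alice authors inside carol's collection
    add_ace(plan, alice, ACE(bob, "read", DENY))       # deny one member of the staff group
    secret = create_child(docs, alice, "secret.txt", static=True)
    remove_ace(secret, alice, ACE(staff, "read", GRANT))  # drop the copied grant; inherit is off
    try:
        set_owner(docs, dave, dave)                    # delegate may edit the ACL, not take ownership
        dave_took_over = True
    except PermissionError:
        dave_took_over = False
    return {"bob_reads_plan": allowed(plan, bob, "read"),
            "dave_reads_plan": allowed(plan, dave, "read"),
            "carol_reads_plan": allowed(plan, carol, "read"),
            "anon_reads_docs": allowed(docs, None, "read"),
            "dave_sees": list_children(docs, dave),
            "bob_sees": list_children(docs, bob),
            "dave_took_over": dave_took_over,
            "docs_owner": docs.owner}
```

Running `demo()` shows the slides' rules interacting: bob, though a member of staff, is denied plan.txt by the explicit deny; carol owns the collection but, not being staff, cannot read alice's file inside it; secret.txt was created with static inheritance and its copied grant removed, so it is absent from every non-owner's listing rather than reported as forbidden; and dave, holding only write-acl, can add entries but cannot change the owner, so carol keeps control.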
Security: Encryption
• To protect the ACL as sensitive data
– Encryption could reduce chance of snooping
– Snooping is particularly dangerous when account names are sent across the wire
• June WG decision:
– there should be on-the-wire protection of ACL data
– It should be possible to deny unprotected transactions
May-have
• Property-level access control
• Roles (problematic)
• Management: easy to block or log ACLs
Out of Scope
• how groups are or should be modeled
• Use of certificates to prove that a user has access
• Time-out access control
• Absolute predictability
• Sensitivity
• Delegation