Contribute  :  Support  :  Downloads  :  Forum  :  Links  :  Polls  :  Calendar  :  Directory  :  Advanced Search  
Geeklog The Ultimate Weblog System

advanced search 

Resources

Getting started
Support
Development

Sections

Home
Geeklog (190)
Geeklog 2 (28)
Announcements (201)
Summer of Code (8)
Security (55)
Plugins (50)
Server (26)
Spam (10)

User Functions

:

:

Don't have an account yet? Sign up as a New User
Lost your password?

What's New

STORIES

No new stories

COMMENTS last 2 days

No new comments

TRACKBACKS last 2 days

No new trackback comments

NEW FILES last 14 days


LINKS last 2 weeks

No recent new links

Older Stories

Monday 17-Mar


Tuesday 08-Jan


Saturday 29-Dec


Tuesday 04-Dec


Sunday 04-Nov
Welcome to Geeklog
Thursday, May 15 2008 @ 11:20 PM EDT
   

GL2 ACLs

Tuesday, June 24 2003 @ 04:51 PM EDT
Contributed by: vinny
Views: 3,798
Geeklog 2Last week I posted a variation to the below document to the geeklog-devel mailing list. After collecting some feedback, I have posted it here for several reasons. First, to garner additional input on ways to improve and or expand the described system. Second, I hope the fact that implementation of GL2 has begun will help Tony in his efforts to recruit developers and documentors to the Geeklog 2 project.

It should be noted that the ACL system described here is only responsible for controlling access to items (such as articles, polls, links, etc) and does not include user authentication or group membership which will be handled by Tony's A&A portion of Geeklog 2.



THE SYSTEM

For Geeklog2, I propose expanding the existing unix-like item permission system into a full fledged ACL system. The SQL below (created for MySQL) describes two tables and some data used to demonstrate some sample queries. The data loaded below includes three 'items' (which, in the context of Geeklog, could be articles, polls, links, etc). It also contains two users: 1, 2 and two groups: 1, 2. A couple of important things to note about these tables. First, no permissions data is kept within the items table. Second, 'item' is a foreign key within the acl table that links to 'item' in the items table.

I have chosen to use the following the access rights, each right represented by one bit in a bit field.

  • List - 1: The user has permission to list this item.
  • Read - 2: The user has permission to read or view this item.
  • Write - 4: The user has permission to append or edit this item.
  • Delete - 8: The user has permission to delete or remove this item.
  • Admin - 16: The user has permission to control access to this item.

These rights are just an initial idea of the rights usually associated with ACLs. Of course these rights should be edited and/or added to.

To make the manipulation of the rights easier, we can assign a php constant to each access level. These constants then can be bit wise And'd (&) or Or'd (|) to produce complex set of permissions. Below I will refer to these constants as LIST, READ, WRITE, DELETE, ADMIN. I will also define the composite access levels: LOOK as (LIST | READ); EDIT as (LOOK | WRITE | DELETE); OWNER as (EDIT | ADMIN).

HOW IT WILL WORK

In the code:
Implementing look-ups using this system is pretty straight forward. For instance, to list all the items that a user has LOOK access to, I'd use the following query:

SELECT items.* FROM acl, items WHERE items.item = acl.item AND
 ((acl.uid = <userid> OR acl.gid IN (<user_group_membership>))
 AND (acl.access & LOOK)) GROUP BY items.item;

To get all the access rights a user has for an item, use this:

SELECT BIT_OR(acl.access), items.item FROM acl, items WHERE items.item = acl.item
 AND items.item = <item> AND (acl.uid = <userid>
 OR acl.gid IN (<user_group_membership>)) GROUP BY items.item.

This code may seem complex but consider that, like in 1.3.x (though not fully utilized there), much of the SQL involved in fetching permissions can be generated by functions.

In the GUI:
Initially the GUI for access/permission to items can stay exactly the same as it is currently in 1.3.x. It should be clear that by having four (4) rows in the acl table for each item (one each for anonymous, members, group, and owner) we can perfectly simulate the current unix like access that 1.3.x provides.

In the long run, we can expand the capabilities of Geeklog through modifications to the GUI. These additions can be as simple or as complex as needed for a given task, and is only really limited by our imagination and ingenuity.

WHY?

Finer control. As Tony pointed out in IRC, the finer control would only be useful to about 10% (or less) of the users of Geeklog. However, for those users, this finer level of control could be very useful. We can potentially leverage ACLs to give GL2 real potential in the corporate CMS market place.

<management BS>
Geeklog has, since its inception, been a leader in security among peer software. Geeklog's access control system in particular is the most powerful of any competing software [that I know of]. To maintain this dominance and the advantages of the reputation that goes with it, I think it is necessary to expand beyond the status quo and set a new bar for security. I believe ACLs can get us there.
</management BS>

Finally, the 'coolness' factor. ACLs will be fun to implement and provide a set of manageable challenges that will keep us developers interested (well, certainly myself). Also we'll really be taking advantage of the power that relational databases provide.

FUTURE EXPANSION

What I have described above (and below in the SQL) is a fairly basic implementation of ACLs. To have a more complex implementation, and hence finer control over access to items, it would be possible to add a "negative rights table". This table would be used, once access rights for a user (and the groups he is a member of) is determined to afterwards limit that users access based on his user id and group memberships. One example of usefulness for this is if you have a group you want to grant access to item A, but there is a member of that group (user 1) that you don't want to have the same access. You could reduce that users access by adding the user and the access you wish to restrict to the "negative rights table".

The complexity of implementing this, in addition to the basic ACL tasks described above makes me hesitant to make this part of the initial requirements/release of GL2. However, adding it in the future would be possible without side effects to the permissions (ACLs) on items that would be established prior to the negative rights implementation and release.

CONCLUSION

Any feed back concerning this implementation of an ACL system would be welcome as would alternative suggestions. Even simple 'yea or nay' type feedback would be helpful.

Note: I had hoped to find a decent, generic description of what ACLs are to help people unfamiliar . My googling only came up with links to Cisco, Linux and AFS implementations (and one php implementation) of ACLs. If someone can find a link to a more generic description and post it as a comment, I'd be appreciative.

----BEGIN FILE ACL.SQL----

CREATE TABLE acl (
   id mediumint(8) AUTO_INCREMENT PRIMARY KEY,
   item varchar(20) NOT NULL,
   uid mediumint(8),
   gid mediumint(8),
   access smallint(8) NOT NULL DEFAULT 0,
   INDEX item_idx (item),
   INDEX uid_idx (uid),
   INDEX gui_idx (gid)
);

CREATE TABLE items (
   id mediumint(8) AUTO_INCREMENT PRIMARY KEY,
   item varchar(20) UNIQUE NOT NULL,
   data text
);

INSERT INTO items (item, data) VALUES ('one', 'this is just an example');
INSERT INTO items (item, data) VALUES ('two', 'this is just another example');
INSERT INTO items (item, data) VALUES ('three', 'this is just one more example');

INSERT INTO acl (item, uid, access) VALUES ('one', 1, 15);
INSERT INTO acl (item, uid, access) VALUES ('two', 1, 15);
INSERT INTO acl (item, uid, access) VALUES ('one', 2, 15);
INSERT INTO acl (item, uid, access) VALUES ('three', 3, 15);
INSERT INTO acl (item, gid, access) VALUES ('one', 1, 5);
INSERT INTO acl (item, gid, access) VALUES ('two', 1, 5);
INSERT INTO acl (item, gid, access) VALUES ('three', 1, 5);
INSERT INTO acl (item, gid, access) VALUES ('two', 2, 1);

----END FILE ACL.SQL----
 

What's Related

Story Options

GL2 ACLs | 7 comments | Create New Account
The following comments are owned by whomever posted them. This site is not responsible for what they say.
GL2 ACLs
Authored by: krove on Tuesday, June 24 2003 @ 07:03 PM EDT
I like the finer control, but I would be hesitant about the "negative
rights control." If it were an optional add-on as you mention, then it
might not be all that bad.

I do think you want to avoid over-granularizing the ACL setup,
making the interface more complex and harder to use. Other than
that, I think it's great! GL2 should be quite the notch up.
GL2 ACLs
Authored by: Anonymous on Tuesday, June 24 2003 @ 10:57 PM EDT
You said no permissions data is kept within the items table. By items, are you referring to individual stories, polls, etc? If so, where does GL2 plan to go to pull permissions for a specific story so it knows John Jones does or does not have any rights to it?

I think the access rights need to be flexible enough where a user or module/block developer can easily add new ones like create revisions, comment, vote, moderate, attach files, dump a copy, etc. Unlike krove, I think the negative rights for an individual is a good idea. Most importantly though the GUI needs to remain very simple and easily learnable.

I also think you are underestimating the number of users who would find finer controls useful. If it's added, I would say at least 50% of the people will use it.
GL2 ACLs
Authored by: vinny on Wednesday, June 25 2003 @ 03:18 PM EDT
You said: "You said no permissions data is kept within the items table. By items, are you referring to individual stories, polls, etc? If so, where does GL2 plan to go to pull permissions for a specific story so it knows John Jones does or does not have any rights to it?"

By items I do mean individual rows in the database for stories, polls, etc. GL2 would store permission data for the individual items in a seperate table (see the SQL at the end of the story). To figure out what permissions John Jones has for a given story, GL2 would use a SQL select to join the permissions table and the item table to figure out the exact level of access (see the select statements in the story).

I hope this clarifies things a bit more.

-Vinny
GL2 ACLs
Authored by: Anonymous on Wednesday, June 25 2003 @ 08:27 PM EDT
Thanks for the info. By putting the permission data into only one table, I think this will limit scalability. Although an individual table can easily handle several millions of records, large busy sites will most likely hit table lock problems as this one table will hold permissions for everything as opposed to distributing it among several tables as is done now.
GL2 ACLs
Authored by: vinny on Wednesday, June 25 2003 @ 11:21 PM EDT
Since Geeklog has many reads but few updates against these tables, sites will not run into any locking problems (even extremely large sites).

There are plenty of sites that describe optimizations for databases for this kind of site. The database will not be any more a performance bottle-neck than it currently is for geeklog 1.3.x.

-Vinny
GL2 ACLs
Authored by: Anonymous on Thursday, June 26 2003 @ 05:10 PM EDT
Well, maybe on low to medium traffic sites. When GL2 provides an even finer grain security, it will attract people who will want to put permissions on things which don't have it today like individual comments, links, downloads, forum posts, etc. or haven't even been considered yet like executable files, pdf library, etc. The amount of updates compared to what is seen today will increase a lot and all of this will be hitting one table. Locks apply to reads as well as updates.

Achieving a finer grain permission system is very admirable. Although your approach greatly simplifies SQL calls, I don't agree with putting all this in one table. I'll bookmark this thread for when GL2 is deployed and the problem raises its head on lesser traffic than you anticipate right now.
GL2 ACLs
Authored by: krove on Friday, June 27 2003 @ 03:01 PM EDT
Without using a separate table, it becomes a nightmare to support
finer control without adding a ton of fields (thus also limiting the
extent of the finer control.

For instance, with GL 1.3.x currently, one can only assign a single
owner and group to an item (story, poll, block, whatever). In order
to allow finer control, we need to store multiple owners and multiple
groups for a single item. Creating a set number of fields in the
items table for each of this is limiting. We could create fields for 5
groups and 5 owners, but what if we wanted more?

By using a separate table, one creates the possibility to associate
multiple rows (i.e. multiple owner/multiple group right assignments)
in the access rights table that are associated with a single item. I do
understand the concern for scalability. I would suggest a
compromise of sorts by creating an access rights table for each
type of item, but that increases the complexity of the db and
probably makes for more work for plugins that what to use the
existing GL2 access rights management scheme.

Ah, implementations are so much fun. Aren't they?
© 2002-2008 Geeklog
Created this page in 0.40 seconds		 Powered By Geeklog 1.4.1 
Hosted by pair.com