Changes between Version 7 and Version 8 of TracDev/Proposals/EvenFinerGrainedPermissions
- Timestamp:
- Jun 28, 2015, 11:09:27 PM (9 years ago)
Legend:
- Unmodified
- Added
- Removed
- Modified
-
TracDev/Proposals/EvenFinerGrainedPermissions
v7 v8 1 = Even finer grained permissions ...1 = Even finer grained permissions 2 2 3 Starting with [milestone:0.11] and the completion of the TracDev/SecurityBranch, we enabled to have a [TracFineGrainedPermissions fine-grained permission model] at the level of individual Trac resources, making it possible to write all sorts ofnew permission policies.3 Starting with [milestone:0.11] and the completion of the TracDev/SecurityBranch, we enabled to have a [TracFineGrainedPermissions fine-grained permission model] at the level of individual Trac resources, making it possible to write new permission policies. 4 4 5 5 == Problem 6 6 7 However, there are a few shortcomings with this model: 7 8 - incomplete information over the '''user''', notably identifying special relationships between the user and the resource being checked … … 24 25 The advantage of such an approach is that we could reduce the available actions to a minimum, and at the same time give more freedom over the precision of the checks. 25 26 26 Also, mixing the ''realm'' of resources into the name of actions is only a legacy of the pre-0.11 period, and besides backward compatibility there's no longer a need for that, as permissions are checked against specific resources (including `("realm", None)`-style resources representing a realm of resources in general).27 Also, mixing the ''realm'' of resources into the name of actions is only a legacy of the pre-0.11 period, and besides backward compatibility there's no longer a need for that, as permissions are checked against specific resources, including `("realm", None)`-style resources representing a realm of resources in general. 27 28 28 29 == Solution … … 32 33 For introducing more elaborate concepts about the '''user''', we could use virtual groups. In a similar way than the ''authenticated'' group currently represents the sets of authenticated users, we could imagine group providers attributing special membership to an user, depending on which ''resource'' is being targeted. Therefore we could imagine an ''owner'' or ''author'' virtual groups (#7438). 33 34 34 35 35 == Performance 36 37 36 38 37 Even today, lots of permission checks and lots of policies could have a non-negligible performance impact, not to mention the complete inefficiency of some kind of permission related queries (#4245 - who are the users having that permission?). 39 38 40 If we're going to add even more checks like suggested here, we will also need a somewhatmore efficient infrastructure for performing those checks.39 If we're going to add even more checks like suggested here, we will also need a more efficient infrastructure for performing those checks. 41 40 42 41 A few ideas: 43 42 - policy registration: each `IPermissionPolicy` can register "patterns" of actions, resources and users it is interested in; only fire the permissions that match. Of course, there's a balance to find, and the pattern matching should not "cost" more than firing the rule. Also, determination of group membership should be cached when possible. 44 - resource cache: some permission policies need to retrieve informationsabout the resources they're checking (e.g. [source:tags/trac-0.12/sample-plugins/permissions/vulnerability_tickets.py]). This could be avoided if the properties have already been retrieved before and we have a way to "reuse" them 45 43 - resource cache: some permission policies need to retrieve information about the resources they're checking, eg [source:tags/trac-0.12/sample-plugins/permissions/vulnerability_tickets.py]). This could be avoided if the properties have already been retrieved before and we have a way to "reuse" them. 46 44 47 45 ----