[Cosmo-dev] Sharing format questions
morgen at osafoundation.org
Tue Jul 25 12:14:23 PDT 2006
On Jul 25, 2006, at 7:55 AM, Brian Moseley wrote:
> On 7/24/06, Bobby Rullo <br at osafoundation.org> wrote:
>> In a world without hierarchies, what is a child/parent? If parents
>> are tags or collections, how would you resolve situations where an
>> item is in multiple collections, and those collections all have
>> different ACL's? Would you choose the most restrictive ACL? Or the
>> least? Or something else?
> i don't believe we have any plans to share by tag, so i don't think
> that's an issue. as for collections, i'd suggest applying the acl of
> the collection under consideration, then overriding it with the
> contained item's acl.
Depending on how you look at it, tags are equivalent to collections.
I was thinking about how to deal with items, collections/tags and
ACLs this morning, and I am starting to like this approach:
- On Cosmo, Items are in a soup, identified by UUID.
- We define the term "Principal" which represents a Ticket, an
Account, or a Group (where a Group can contain Accounts or other Groups)
- There are two types of Permissions: Read-only and Read-write
- An "Access Control Entry" (ACE) indicates a certain Principal has a
given Permission for a given Item
- An "Access Control List" (ACL) is a list of ACEs
- There are special items called Tags which contain an ACL
- The Principal who originally PUTs an item to Cosmo is the "owner"
and always has full permission to that item regardless of ACLs
- An Item may be "tagged" (associated with existing Tag items) or
- A Principal's access to an Item is determined by iterating all the
Tags associated with that Item and examining the ACEs to see if any
match that Principal; the most lenient permission wins (Read-write
- A Principal which has Read-only permission to an item may not alter
it in any way (including tagging/untagging); this solves the problem
of someone getting a hold of an item Read-only and then moving to a
collection they have Read-write access to and suddenly being able to
modify that item.
- A Principal which has Read-write permission to an item may modify
or delete it; they may also tag or untag the item using any Tag that
the Principal has Read-write access to. Therefore if a Principal
only has Read-only access to a Tag, they may not associate that Tag
with any items even if they have Read-write access to those items.
In other words, just because I have write access to an Item doesn't
mean I can add it to any Tag I want -- I must have been granted Read-
write permission for that Tag also.
There are some details to work out, for sure. Such as:
- Who can modify the ACL of a Tag? Any Principal which has a Read-
write ACE in that ACL?
- Should Tags be hierarchical?
More information about the cosmo-dev