[Cosmo-dev] Re: securing access to items in multiple collections

Morgen Sagen morgen at osafoundation.org
Wed Nov 7 09:23:39 PST 2007


Questions inline...

On Nov 6, 2007, at 9:50 AM, Randy Letness wrote:

> Ok bringing this thread back from the dead:
>
> I was thinking about this a little more and I like the idea of cosmo  
> moving to a tighter access control mechanism.  What about the  
> following restrictions:
>
> 1. A request must authenticate as a single principal.
> 2. A principal is either a User or Ticket
> 3. A Ticket grants access to a single resource

Is a resource a collection?

> 4. A User has access to multiple resources through ACLs
> 5. Publishing an item to multiple collections requires a User  
> principal.

It's not immediately obvious to me that #5 needs to be a requirement,  
but you must have a reason. :-)

> 6. A User principal that presents a ticket automatically has an ACE  
> added to the ticket's resource for that user.
>
> The idea is that you can only authenticate using a single ticket, or  
> as a user.  If you authenticate as a single ticket, then you have  
> access to that resource only.  This means you can't add an existing  
> item to the collection because that single ticket won't grant you  
> access to the existing item, only the target collection.  You can  
> update and add new items to the target collection.
>
> In order to publish an existing item into another collection, you  
> must be authenticated as a user and that user must have permissions  
> (through the ACL) for that item.  This prevents adding an item to  
> another collection just using a ticket.

Again, I'm not sure why this limitation is desirable.  If I have  
tickets that provide write access to two collections, shouldn't I be  
able to copy items between them?

>   So how does the user get access to the existing item?  That user  
> could be added to the ACL for the existing item/collection but that  
> would require more client work (security dialogue).  Cosmo could  
> also support adding a user to an ACL by presenting a ticket.  A  
> ticket is associated to a single resource, so if a user presents  
> that ticket, then the server could add the permissions for the user  
> to that resource.  This could happen automatically by including a  
> set of relevant tickets in a header (an ACE for the user would be  
> added to each resource associated to each ticket).
>
> This moves cosmo to a tighter security model and paves the way for  
> true ACL support.  Thoughts?
> -Randy

A while back I proposed having the client include all relevant tickets  
when making a morsecode request:

    http://tinyurl.com/2ptlmm

Is your proposal a twist on mine except that the server *remembers*  
what tickets are associated with a user's account?  Maybe you could  
give some example scenarios and describe what gets sent back and forth.

~morgen
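To make the exchange concrete, here is an added illustration of the six rules Randy lists above (single principal per request, User or Ticket, ticket bound to one resource, ACL access for users, user-only publishing of existing items, and ACEs granted when a user presents tickets). It is example code written for this discussion, not Cosmo's code or Randy's implementation; the resource names, the ticket keys, the header-as-list-of-ticket-keys shape of present_tickets and the assumption that a collection ticket also covers the items currently in that collection are all made up here.

```python
"""Toy model of the proposed Cosmo access-control rules (illustrative, not Cosmo code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Union

READ, WRITE = "read", "write"


@dataclass(frozen=True)
class User:
    name: str


@dataclass(frozen=True)
class Ticket:
    key: str
    resource: str          # rule 3: a ticket names exactly one resource
    privileges: frozenset


Principal = Union[User, Ticket]   # rule 2: a principal is a User or a Ticket


@dataclass
class Resource:
    name: str
    acl: Dict[str, Set[str]] = field(default_factory=dict)  # user name -> privileges (rule 4)
    items: Set[str] = field(default_factory=set)            # members, when the resource is a collection


class Server:
    def __init__(self) -> None:
        self.resources: Dict[str, Resource] = {}
        self.tickets: Dict[str, Ticket] = {}

    def add_resource(self, name: str, acl: Optional[Dict[str, Set[str]]] = None) -> Resource:
        res = Resource(name, {u: set(p) for u, p in (acl or {}).items()})
        self.resources[name] = res
        return res

    def issue_ticket(self, key: str, resource: str, privileges: Set[str]) -> Ticket:
        t = Ticket(key, resource, frozenset(privileges))
        self.tickets[key] = t
        return t

    def has_privilege(self, principal: Principal, resource: str, priv: str) -> bool:
        """Rules 3 and 4: a ticket reaches only its own resource; a user goes through the ACL."""
        if isinstance(principal, Ticket):
            if priv not in principal.privileges:
                return False
            scope = self.resources.get(principal.resource)
            # Assumption for this example: a collection ticket also covers the items in it,
            # which is how "update and add new items to the target collection" reads.
            return resource == principal.resource or (scope is not None and resource in scope.items)
        return priv in self.resources[resource].acl.get(principal.name, set())

    def present_tickets(self, user: User, ticket_keys: List[str]) -> List[str]:
        """Rule 6: each ticket a User presents (e.g. in a header) adds an ACE for that user
        on the ticket's resource. Returns the resources that received an ACE."""
        touched: List[str] = []
        for key in ticket_keys:
            t = self.tickets.get(key)
            if t is None:
                continue                       # unknown ticket: grant nothing, do not fail the request
            self.resources[t.resource].acl.setdefault(user.name, set()).update(t.privileges)
            touched.append(t.resource)
        return touched

    def create_item(self, principal: Principal, collection: str, item: str) -> bool:
        """A brand-new item needs only write access to the target collection."""
        if not self.has_privilege(principal, collection, WRITE):
            return False
        owner_acl = {principal.name: {READ, WRITE}} if isinstance(principal, User) else None
        self.add_resource(item, owner_acl)
        self.resources[collection].items.add(item)
        return True

    def publish_existing(self, principal: Principal, item: str, collection: str) -> bool:
        """Rule 5: publishing an existing item needs write on the target AND read on the item.
        One principal per request (rule 1) plus one resource per ticket (rule 3) means no
        single ticket can pass both checks; only a User with ACEs on both resources can."""
        if item not in self.resources or collection not in self.resources:
            return False
        if not self.has_privilege(principal, collection, WRITE):
            return False
        if not self.has_privilege(principal, item, READ):
            return False
        self.resources[collection].items.add(item)
        return True


def scenario() -> Dict[str, object]:
    """Constructed walk-through; every name here is made up for the example."""
    s = Server()
    s.add_resource("alice-cal", {"alice": {READ, WRITE}})
    s.add_resource("bob-cal", {"bob": {READ, WRITE}})
    s.add_resource("lunch", {"alice": {READ, WRITE}})      # an existing item owned by alice
    s.resources["alice-cal"].items.add("lunch")
    bob_rw = s.issue_ticket("tkt-bob-rw", "bob-cal", {READ, WRITE})
    s.issue_ticket("tkt-lunch-ro", "lunch", {READ})       # alice shares the item read-only
    bob = User("bob")
    out: Dict[str, object] = {}
    out["ticket_creates_new_item"] = s.create_item(bob_rw, "bob-cal", "standup")
    out["ticket_publishes_existing"] = s.publish_existing(bob_rw, "lunch", "bob-cal")
    out["user_publishes_without_ace"] = s.publish_existing(bob, "lunch", "bob-cal")
    out["resources_granted"] = s.present_tickets(bob, ["tkt-lunch-ro", "no-such-ticket"])
    out["user_publishes_with_ace"] = s.publish_existing(bob, "lunch", "bob-cal")
    out["bob_cal_items"] = sorted(s.resources["bob-cal"].items)
    return out


if __name__ == "__main__":
    print(scenario())
```

The walk-through answers the two questions in the reply as the proposal would: a ticket for bob-cal can create a new item there but cannot publish alice's existing item into it, because the request carries only that one ticket; once bob presents alice's item ticket as a user, the server remembers it as an ACE and the same publish succeeds.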

