Menu
▾
▴
Re: [Exist-development] Granular access to system functions, WAS: util:system-property() should run under dba
|
From: James F. <jam...@ex...> - 2010-07-29 08:51:31
|
On 29 July 2010 10:40, Thomas White <tho...@gm...> wrote: > James, > > I think we need to define the access to the variety of system commands on a > more granular level. > > I would like to propose a design that will not only keep the current > execution restrictions but also adds an option to grand access to a module > or even to a specific function to group. > > For every function that needs to have a controlled manner of execution, we > can have a list of group names that are allowed to call this function. The > default group names are DBA and a group with name as the name of the > module. Then every eXist instance may add application specific groups with > rights to execute a function or all functions for a module. > > We can have the default list of groups in a config file that will be > imported into the db initially and later only the db version will be used. good ideas, though whatever effort we do we need to be mindful that we may eventually end up with http://exist.sourceforge.net/xacml-intro.html which is already integrated into eXist, though I know not the status of this code (I think its best to view this code stale and untested). I think we need to be pragmatic with our approach, but admittedly I don't have well formed ideas of just how to do this. J |
