jsdsi-users

[Jsdsi-users] Tag problem

[Sean R. <sra...@ae...>]

Sameer,

Did you have any thoughts on how I could implement my 'FilepathTag'
problem that I mentioned last week better using standard jsdsi tag
types?


Regards,

Sean

P.S. I hope to run my junit tests againgst the latest CVS code this w/e.


> > 2. Added a new Tag type (FilepathTag which is to specify a
Principal's
> > access rights to a file hierarchy)
> 
> Shouldn't this just be a combination of SimpleTags, SetTags, and
> PrefixTags?  For example:
> (file-access (*set read execute) (*prefix /home/ajmani))
> would grant read and execute permision on any files under my home
> directory.

One would think so. However at the time there were some issues in doing
this for the particular application (which is a bit of a playground
app)... The one I can think of at present is:

(file-access read /home/ajmani/ant/)
implies
(file-access read /home/ajmani/) and
(file-access read /home/) etc
but does not imply
(file-access read /home/ajmani/ant/bear)

whereas

(file-access admin /home/ajmani/ant/)
does not imply
(file-access admin /home/ajmani/) or
(file-access admin /home/) etc
but does imply
(file-access admin /home/ajmani/ant/bear)

I can see that one could model the 'admin' version using a PrefixTag for
the path element, but one as far as I can see one would need some form
of SuffixTag (ReversePrefixTag) for the 'read' version.

Can you see a way of doing it better?


-- 
Dr. Sean Radford, MBBS, MSc
sra...@ae...

Re: [Jsdsi-users] Tag problem

[Sameer A. <aj...@cs...>]

If I'm understanding correctly, you want 'admin' to allow access to a
directory and all its subdirectories, but not its superdirectories.  As
you pointed out, this can be done using a PrefixTag:
(tag (file-access admin (*prefix /home/ajmani)))

But you want 'read' to allow access to a directory and all its
superdirectories, but not its subdirectories.  The way this is
traditionally done in filesystems is with explicit permissions on each
superdirectory.  You could do this with an explicit SetTag:
(tag (file-access read (*set / /home /home/ajmani)))

There's no "suffix" tag in SPKI, but if there were, I guess you could do
this:
(tag (file-access read (*suffix /home/ajmani)))

Would this be useful?  It would not be too hard to implement.
Sameer

> Sameer,
>
> Did you have any thoughts on how I could implement my 'FilepathTag'
> problem that I mentioned last week better using standard jsdsi tag
> types?
>
>
> Regards,
>
> Sean
>
> P.S. I hope to run my junit tests againgst the latest CVS code this w/e.
>
>
>> > 2. Added a new Tag type (FilepathTag which is to specify a
> Principal's
>> > access rights to a file hierarchy)
>>
>> Shouldn't this just be a combination of SimpleTags, SetTags, and
>> PrefixTags?  For example:
>> (file-access (*set read execute) (*prefix /home/ajmani))
>> would grant read and execute permision on any files under my home
>> directory.
>
> One would think so. However at the time there were some issues in doing
> this for the particular application (which is a bit of a playground
> app)... The one I can think of at present is:
>
> (file-access read /home/ajmani/ant/)
> implies
> (file-access read /home/ajmani/) and
> (file-access read /home/) etc
> but does not imply
> (file-access read /home/ajmani/ant/bear)
>
> whereas
>
> (file-access admin /home/ajmani/ant/)
> does not imply
> (file-access admin /home/ajmani/) or
> (file-access admin /home/) etc
> but does imply
> (file-access admin /home/ajmani/ant/bear)
>
> I can see that one could model the 'admin' version using a PrefixTag for
> the path element, but one as far as I can see one would need some form
> of SuffixTag (ReversePrefixTag) for the 'read' version.
>
> Can you see a way of doing it better?
>
>
> --
> Dr. Sean Radford, MBBS, MSc
> sra...@ae...
>
>
>
> -------------------------------------------------------
> SF.Net is sponsored by: Speed Start Your Linux Apps Now.
> Build and deploy apps & Web services for Linux with
> a free DVD software kit from IBM. Click Now!
> http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
> _______________________________________________
> Jsdsi-users mailing list
> Jsd...@li...
> https://lists.sourceforge.net/lists/listinfo/jsdsi-users


http://ajmani.net