[rt-devel] Rights revoke on queue level

Stanislav Sinyagin ssinyagin at yahoo.com
Thu Jul 31 16:03:18 EDT 2003


Hi Jesse, 

--- Jesse Vincent <jesse at bestpractical.com> wrote:
> On Wed, Jul 30, 2003 at 06:14:59AM -0700, Stanislav Sinyagin wrote:
> > There are some global group rights that permit something 
> > to some privileged users. It would be interesting for certain queues
> > to prohibit some of those rights from the global configuration. 
> > 
> > Same thing would be interesting for certain users out of a group to override 
> > (and revoke) the group rights.
> 
> 
> It would definitely be interesting and when I designed the ACL system we
> have now, I spent a long time thinking about how we could accomplish
> this without crippling the system's performance. I didn't have any
> bright ideas. Do you?

As far as I understand, now you follow down the group hierarchy and global->queue level
hierarchy until you find the required privilege.

In this new feature design, we follow the hierarchy down to the end 
and collect the information about the required privilege. 
Thus the lower levels of the hierarchy may have a chance to revoke 
the right if it's given on an upper level.

Then we store it in a cache, which should be designed to give three types 
of answers:

-- Principal A has privilege B for object C
-- Principal A does not have privilege B for object C
-- There is no information in the cache about this (A,B,C) triple.

When the privileges are edited, the cache should be cleaned in that part that 
is concerned. Or, probably it's easier to clean the whole cache. 

Seems quite affordable to me...

Stan
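
Added example, not part of the original message and not RT code: a minimal sketch of the design proposed above, walking the whole hierarchy so that a lower level can revoke a right, with a cache that answers yes, no, or "no information". The class and method names, the precedence order (group before user, global before queue, revoke wins within a level) and the sample data are assumptions.

```python
# Added illustration, not RT code. Names and the precedence order are assumptions.
GRANT, REVOKE = True, False
MISS = object()   # third cache answer: nothing known about this (A, B, C) triple

class AclResolver:
    def __init__(self, groups_of):
        self.groups_of = groups_of   # user -> list of group names
        self.entries = {}            # (principal, right, scope) -> GRANT / REVOKE
        self.cache = {}              # (user, right, queue) -> True / False
        self.walks = 0               # number of full hierarchy walks performed

    def set_entry(self, principal, right, scope, effect):
        self.entries[(principal, right, scope)] = effect
        self.cache.clear()           # privileges edited: clean the whole cache

    def cached(self, user, right, queue):
        return self.cache.get((user, right, queue), MISS)

    def _levels(self, user, queue):
        # Assumed order, most general first: group before user, global before queue.
        groups = self.groups_of.get(user, [])
        yield [(g, "global") for g in groups]
        yield [(g, queue) for g in groups]
        yield [(user, "global")]
        yield [(user, queue)]

    def has_right(self, user, right, queue):
        hit = self.cached(user, right, queue)
        if hit is not MISS:
            return hit
        self.walks += 1
        decision = False             # no entry anywhere: the right is not held
        for level in self._levels(user, queue):   # walk to the end, never stop early
            effects = [self.entries[(p, right, s)] for p, s in level
                       if (p, right, s) in self.entries]
            if effects:              # a more specific level overrides; revoke wins ties
                decision = all(effects)
        self.cache[(user, right, queue)] = decision   # negative answers are cached too
        return decision

def demo():
    # Constructed sample data: one group, two queues.
    acl = AclResolver({"alice": ["staff"]})
    acl.set_entry("staff", "DeleteTicket", "global", GRANT)
    acl.set_entry("staff", "DeleteTicket", "security", REVOKE)
    return (acl.has_right("alice", "DeleteTicket", "general"),
            acl.has_right("alice", "DeleteTicket", "security"))
```

Caching the negative answer is what keeps a revoke from costing a full walk on every check; clearing the cache on every edit trades hit rate for never serving a stale grant.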




