diff options
| author | Russ Allbery <rra@stanford.edu> | 2013-03-27 12:51:46 -0700 |
|---|---|---|
| committer | Russ Allbery <rra@stanford.edu> | 2013-03-27 12:52:58 -0700 |
| commit | f6c63bdb2be5ccc0c6133bf87025d37805579005 (patch) | |
| tree | c027fed89455b36e386722a63cce9c77d90ebffa /docs | |
| parent | b273cc907951a8b7dfcd4095ab58b6ae74c7d87e (diff) | |
Allow owners of objects to destroy them by default
Owners of wallet objects are now allowed to destroy them. In previous
versions, a special destroy ACL had to be set and the owner ACL wasn't
used for destroy actions, but operational experience at Stanford has
shown that letting owners destroy their own objects is a better model.
Change-Id: I0e97d7a000e62cf5321add7b44140db6edc6769f
Reviewed-on: https://gerrit.stanford.edu/973
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/design | 6 | ||||
| -rw-r--r-- | docs/notes | 12 |
2 files changed, 9 insertions, 9 deletions
diff --git a/docs/design b/docs/design index 4bb5587..8f4b20d 100644 --- a/docs/design +++ b/docs/design @@ -148,9 +148,9 @@ Server Design * Optional ACLs for get, store, show, destroy, and flag operations. If there is an ACL for get, store, or show, that overrides the - normal permissions of the owner. In the absence of an ACL for - destroy or flag, only wallet administrators can destroy an object or - set flags on that object. This entry would need no special ACLs. + normal permissions of the owner. In the absence of an ACL for flag, + only wallet administrators can set flags on that object. This entry + would need no special ACLs. * Trace fields storing the user, remote host, and timestamp for when this object was last created, stored, and downloaded. @@ -46,7 +46,7 @@ Server Issues ACL Management - Supported operations are: get, store, create (possibly triggered by a + Supported operations are: get, store, create (possibly triggered by a get or store of something that didn't already exist), destroy, show, and setting or clearing flags. Each of these need a separate ACL potentially. Not sure if we're going to need separate ACLs for each @@ -62,10 +62,9 @@ Server Issues that returns a default ACL given the object type and name if the object doesn't already exist. - Owner rights provides get, store, and show, but not destroy or setting - or clearing flags (not destroy because it's too destructive and we - don't want it done accidentally). This can be overridden by more - precise ACL settings. So the ACL logic would go like this: + Owner rights provides get, store, show, and destroy, but not setting + or clearing flags. This can be overridden by more precise ACL + settings. So the ACL logic would go like this: * If the user is an administrator and the operation isn't get or store, operation is permitted. @@ -74,7 +73,8 @@ Server Issues that specific ACL, apply that ACL. * If the object exists but with no specific ACL setting and the - operation is one of get, store, or show, apply the owner ACL. + operation is one of get, store, show, or destroy, apply the owner + ACL. * If the object doesn't exist and the action is get, store, or create, punt to a local policy if it exists and see if it returns a |