... | ... | @@ -60,6 +60,13 @@ So a priori the answer is yes, read/write access is enough. |
|
|
|
|
|
**Tomek**: This is what we initially thought, but the user most vitally interested in this asked for several roles. See [support#15938, comment from Jan 31](https://support.isc.org/Ticket/Display.html?id=15938#txn-546284)
|
|
|
|
|
|
**Prototype feedback**: the read/write is enough but is only a part of the access. The prototype builds a positive (named accept) and a negative (named reject) access list from boolean operations from the known commands and:
|
|
|
- an access property (so read or write)
|
|
|
- a hook name
|
|
|
- an explicit list of commands
|
|
|
|
|
|
with in addition two flags saying what to do with commands in both lists and what to do with commands which are in no lists. So it is possible to express anything.
|
|
|
|
|
|
### question 2: what to use for credentials?
|
|
|
|
|
|
Authorization requires authentication or with other words if it is trivial to impersonate a client the access control is useless.
|
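Review bot: the two flags at the end of the "Prototype feedback" paragraph (what to do with a command that is in both the accept and reject lists, and with a command that is in neither) are the security-critical part of this hunk, and the hunk does not say what their defaults are. Suggest the text state that a command in neither list is rejected by default and that reject wins when a command is in both lists, so a role that forgets a hook name or a command fails closed; "so it is possible to express anything" is true, but the document should still name the safe default the prototype ships with. Since the accept and reject lists are built from "boolean operations", it would also help to give one worked line showing the operator precedence (for example access property AND hook name, then the explicit command list added on top), otherwise two readers can build different lists from the same role description. Minor wording: "with in addition two flags" reads better as "plus two flags".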
... | ... | @@ -72,6 +79,7 @@ So the usual answer is the client credential is the client certificate. |
|
|
|
|
|
**tomek**: Yes, the client certificate looks good to me.
|
|
|
|
|
|
|
|
|
### question 3: what to use in credentials to assign a role?
|
|
|
|
|
|
It is related to the way the public key infrastructure is organized:
|
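Review bot: agreeing that the client certificate is the credential is only half of the answer to question 2; the hunk should also record that the proxy must require a client certificate on every connection and verify it against the configured CA before any command is read, since the sentence just above question 2 already notes that access control is useless if a client can be impersonated. Without that requirement stated here, question 3 ends up assigning a role from a field of a certificate that nobody checked. Suggest adding one sentence after Tomek's reply: connections without a valid client certificate are refused, and the role lookup in question 3 only runs on the verified certificate.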
... | ... | @@ -81,6 +89,8 @@ It is related to the way the public key infrastructure is organized: |
|
|
|
|
|
So even I like the issuer idea we really need guidance here.
|
|
|
|
|
|
**Prototype feedback**: The Python SSL library partially decode the peer certificate but it is possible to get it in raw (DER) format and to use another tool to extract undecided fields. The code has an access to the TLS session too including for instance the peer IP address.
|
|
|
|
|
|
### question 4: what to use for the reverse proxy base code?
|
|
|
|
|
|
The requirements on the reverse proxy base code are pretty low. In addition of the functional requirements already detailed we need:
|
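Review bot: "undecided fields" in the prototype feedback is presumably "undecoded fields" (typo). On substance, two caveats for the raw DER path: Python's ssl getpeercert() already returns the subject and issuer in decoded form, so if the issuer idea from the previous line is adopted no second decoder is needed, and the extra tool is only required for non-standard extensions; and the decoded dict from getpeercert() is empty unless the peer certificate was validated by the TLS layer, so the prototype should treat an empty dict as "peer not verified" and refuse, rather than fall back to parsing the raw certificate itself. It would also help to say that the peer IP address taken from the TLS session is for logging only and is not an authorization input, since question 2 settled on the certificate as the credential.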
... | ... | @@ -91,6 +101,8 @@ The requirements on the reverse proxy base code are pretty low. In addition of t |
|
|
|
|
|
I investigate the Python 3 solutions and the standard HTTP(S) server with the request library (not standard but used by sphinx so not a real new dependency) does the job.
|
|
|
|
|
|
(Implemented in a prototype as a premium tool in #1263 where its documentation is attached).
|
|
|
|
|
|
To summary there are a lot of possible solutions and we must reduce the choice before going further.
|
|
|
|
|
|
|
... | ... | |
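Review bot: the added parenthetical points at #1263 for the documentation, but the design document itself should record the one fact a reviewer of the proxy needs: the prototype's server side is the Python "standard HTTP(S) server" mentioned in the context line, i.e. the http.server module, whose own documentation states it is not recommended for production and only implements basic security checks. For a component whose purpose is to be the access-control boundary, the text should either note that limitation as accepted for the prototype or name the server implementation intended for the final version. Minor: the client-side dependency in the context line is the requests library (plural), and "I investigate" / "To summary" read better as "I investigated" / "To summarize", though those lines are unchanged context rather than part of this change.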