readers.conf proposal: (was Re: incoming.conf length limits)

Jeffrey M. Vinocur jeff at litech.org
Thu Jan 30 23:43:41 UTC 2003 

On Thu, 30 Jan 2003, Russ Allbery wrote:

> It makes sense in isolation, but I'm a bit worried that it's going to add
> even more to the logical complexity of readers.conf, 

Hmm, that's true.


> how patterns like "foo.*, at foo.bar.*" append to "!*bar*,*foo*".

I've never liked the semantics of ME in newsfeeds either.  But I think 
straight concatenation would work (especially since if you want to append 
something but the original has a "trailing exclusion" you can just stick 
that exclusion in another block to be append after all the intermediate 
stuff).

If that makes any sense.

But in general, I think something like this would be helpful.


> Part of me is inclined to argue that anyone doing the sort of access
> control that really needs this level of detail ideally wants to just
> construct a custom group pattern for each user entirely inside their
> custom-written authentication hook, and if we add that to the external
> auth protocol like it already is in the Perl and Python hooks, that will
> address the problem.  But that's something of a cop-out, since I can
> easily construct artificial examples where that would require writing a
> custom authenticator where one isn't necessary now.

Ah, but this is fundamentally access control, and not authorization.  I 
definitely don't want to duplicate my (hypothetical) "take the union of 
all these access lists" code into every authenticator and resolver I use!

The only way to do this properly at present is with perl_access, or to 
give up on readers.conf entirely and reimplement the "try multiple 
methods" functionality from scratch.

I think.


> The advantage of using access_additions or something similar to that as a
> separate group is that it doesn't add to the complexity at all for people
> who don't use it.

Just making the current behavior the default would get that, though.  As 
long as the default is "break: true" (or conversly "fallthru: false"), 
existing files will be fine exactly as is.


-- 
Jeffrey M. Vinocur
jeff at litech.org

More information about the inn-workers mailing list