[Pipet Devel] Re: Security model

Brad Chapman chapmanb at arches.uga.edu
Thu Apr 6 09:52:54 EDT 2000

Hi Jarl;

> I've been thinking a lot about how we'll do the
> security model,
> it's complicated stuff :)

I know :-)

> What do you think about this :

I like it! I think this is a really good model to start with. I'm just 
going to kind of talk myself through what needs to be done to make it happen.

> 1a- BL's authenticate DL's for applying XML into
> the processing engine.

Okay, we have this setup with the dl->bl idl.

> 1b- The 1st DL logging into the BL is automatically the 'root' DL,
> and has the ability to grant other DL's access.

This will work through your authorize function.

> 1c- Other DL's (local and remote) can connect via CORBA after
> the root DL has granted them access.

This "connection" will be mediated by the local DL, right? So a remote 
DL will never directly communicate with a local BL. The local DL will 
accept some XML to be processed from the remote DL, and then submit 
this to the local BL under its own dlId and uri instanceID. So this 
DL authentication (to gain access to nodes) will need to be mediated 
through a dl->dl connection that I'll need to do.

> 1d- DL's can connect to multiple BL's.

Okay. This will be through the mechanism we already have for 1a.

> 1e- BL nodes (or: VSH subnets) can communicate with other BL nodes
> only if both nodes have the same parent DL.

Makes sense for bl security. This will be something that'll need to go 
into the bl code.

> 2a- a DL authenticates other DL's for access to its nodes\subnets.

Right, this is what I mentioned in 1c, and is something I'll have to 

> 2b- DL's can connect to other DL's and upload\download XML
> documents out of and into.

This is again the dl->dl idl that I'll need to work out (same idl as 

> 2c- No DL can connect to the root DL, so no non-root DL has ability 2a.

This makes a lot of sense for security reasons. This way, no one can 
remotely get access to a root DL. So before the local DL starts 
allowing remote DLs access, the local root DL will have to create a 
new DL to allow this access. Am I reading you right on this one?

> thoughts?

    How will the permissions for node access be assigned? All 
authorized DLs (by the authorize function) have access to the same 
nodes as their parent (the DL that created them)? 
    If we want to restrict access to only certain nodes for local DLs, 
then we will need a more complicated authorization scheme. I'm not 
sure if we really need this kind of fine scale authorization, and 
would rather leave it out, but it is up to you :-)

Thanks for putting things together so concisely! I'm going to forward 
these two messages to the vsh list so other people can look at the 
scheme. Talk to you soon. 
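The rules 1a-2c discussed in the message above, written out as a small executable reference model. This is an added example, not Pipet/VSH code and not the idl Brad refers to; the class names `DL` and `BL`, the `authorize`/`login`/`submit_xml` method names, and the dl ids are assumptions chosen to mirror the thread's vocabulary. It shows the part of the scheme the reply calls out as security-relevant: the first DL to log in becomes root, only root grants BL access, a remote DL reaches a BL only by relaying through a local DL that submits under its own id, nodes talk only to nodes with the same parent DL, and nothing can connect to the root DL.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


class AuthorizationError(Exception):
    """Raised whenever one of the rules 1a-2c would be violated."""


@dataclass
class DL:
    """A DL instance (hypothetical model; names are assumptions)."""
    dl_id: str
    is_root: bool = False
    # DLs this DL has authenticated for access to its nodes (rule 2a).
    peers: Set[str] = field(default_factory=set)

    def grant_peer(self, other: "DL") -> None:
        self.peers.add(other.dl_id)

    def accept_connection(self, other: "DL") -> bool:
        # Rule 2c: no DL can connect to the root DL, so root never has 2a.
        if self.is_root:
            raise AuthorizationError(f"root DL {self.dl_id} accepts no dl->dl connections")
        # Rule 2a: only DLs this DL has authenticated may connect.
        if other.dl_id not in self.peers:
            raise AuthorizationError(f"{other.dl_id} not authorized by {self.dl_id}")
        return True


@dataclass
class BL:
    """A BL instance; a DL may log into several of these (rule 1d)."""
    bl_id: str
    root_dl: Optional[str] = None
    authorized: Set[str] = field(default_factory=set)
    nodes: Dict[str, str] = field(default_factory=dict)  # node_id -> parent dl_id

    def login(self, dl: DL) -> str:
        # Rule 1b: the first DL to log in is automatically the root DL.
        if self.root_dl is None:
            self.root_dl = dl.dl_id
            dl.is_root = True
            self.authorized.add(dl.dl_id)
            return "root"
        # Rule 1a: any later DL must already have been granted access.
        if dl.dl_id not in self.authorized:
            raise AuthorizationError(f"{dl.dl_id} has not been granted access to {self.bl_id}")
        return "member"

    def authorize(self, granter: DL, grantee: DL) -> None:
        # Rule 1b: only the root DL can grant other DLs access.
        if granter.dl_id != self.root_dl:
            raise AuthorizationError(f"{granter.dl_id} is not the root DL of {self.bl_id}")
        self.authorized.add(grantee.dl_id)

    def submit_xml(self, dl: DL, node_id: str, xml: str) -> str:
        # Rule 1a: the BL authenticates the DL before applying its XML.
        # The XML body itself is not inspected in this model.
        if dl.dl_id not in self.authorized:
            raise AuthorizationError(f"{dl.dl_id} may not submit to {self.bl_id}")
        self.nodes[node_id] = dl.dl_id
        return node_id

    def can_communicate(self, node_a: str, node_b: str) -> bool:
        # Rule 1e: BL nodes talk only if both have the same parent DL.
        return self.nodes[node_a] == self.nodes[node_b]


def relay_from_remote(local_dl: DL, remote_dl: DL, bl: BL, node_id: str, xml: str) -> str:
    """Rule 1c: a remote DL never talks to the local BL directly; the local DL
    authenticates it (2a) and submits the XML under the local DL's own id."""
    local_dl.accept_connection(remote_dl)
    return bl.submit_xml(local_dl, node_id, xml)


def scenario() -> Dict[str, object]:
    """Constructed walk-through of the rules; returns the observed decisions."""
    bl = BL("bl-1")
    root, alice, remote = DL("dl-root"), DL("dl-local"), DL("dl-remote")
    out: Dict[str, object] = {}
    out["root_login"] = bl.login(root)
    try:
        bl.login(alice)
        out["local_before_grant"] = "allowed"
    except AuthorizationError:
        out["local_before_grant"] = "denied"
    bl.authorize(root, alice)
    out["local_after_grant"] = bl.login(alice)
    try:
        root.accept_connection(alice)
        out["connect_to_root"] = "allowed"
    except AuthorizationError:
        out["connect_to_root"] = "denied"
    alice.grant_peer(remote)
    relay_from_remote(alice, remote, bl, "node-a", "<job/>")  # constructed XML
    out["node_a_parent"] = bl.nodes["node-a"]
    bl.submit_xml(alice, "node-b", "<job/>")
    bl.submit_xml(root, "node-r", "<job/>")
    out["a_to_b"] = bl.can_communicate("node-a", "node-b")
    out["a_to_r"] = bl.can_communicate("node-a", "node-r")
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The model deliberately has no per-node permissions: every authorized DL gets the same node access as the DL that created it, which is the open question Brad raises at the end of the message. Restricting a local DL to a subset of nodes would mean keying `nodes` by more than the parent dl_id, which is the "more complicated authorization scheme" he would rather avoid.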
