Hi Jarl;

> I've been thinking a lot about how we'll do the security model,
> it's complicated stuff :)

I know :-)

> What do you think about this :

I like it! I think this is a really good model to start with. I'm just going to kind of talk myself through what needs to be done to make it happen.

> 1a- BLs authenticate DLs for applying XML into the processing engine.

Okay, we have this setup with the dl->bl idl.

> 1b- The 1st DL logging into the BL is automatically the 'root' DL,
> and has the ability to grant other DLs access.

This will work through your authorize function.

> 1c- Other DLs (local and remote) can connect via CORBA after
> the root DL has granted them access.

This "connection" will be mediated by the local DL, right? So a remote DL will never directly communicate with a local BL. The local DL will accept some XML to be processed from the remote DL, and then submit this to the local BL under its own dlId and uri instanceID. So this DL authentication (to gain access to nodes) will need to be mediated through a dl->dl connection that I'll need to do.

> 1d- DLs can connect to multiple BLs.

Okay. This will be through the mechanism we already have for 1a.

> 1e- BL nodes (or: VSH subnets) can communicate with other BL nodes
> only if both nodes have the same parent DL.

Makes sense for bl security. This will be something that'll need to go into the bl code.

> 2a- a DL authenticates other DLs for access to its nodes/subnets.

Right, this is what I mentioned in 1c, and is something I'll have to do.

> 2b- DLs can connect to other DLs and upload/download XML
> documents out of and into.

This is again the dl->dl idl that I'll need to work out (same idl as 1c, 2a).

> 2c- No DL can connect to the root DL, so no non-root DL has ability 2a.

This makes a lot of sense for security reasons. This way, no one can remotely get access to a root DL. So before the local DL starts allowing remote DLs access, the local root DL will have to create a new DL to allow this access. Am I reading you right on this one?

> thoughts?

How will the permissions for node access be assigned? All authorized DLs (by the authorize function) have access to the same nodes as their parent (the DL that created them)? If we want to restrict access to only certain nodes for local DLs, then we will need a more complicated authorization scheme. I'm not sure if we really need this kind of fine scale authorization, and would rather leave it out, but it is up to you :-)

Thanks for putting things together so concisely! I'm going to forward these two messages to the vsh list so other people can look at the scheme.

Talk to you soon.

Brad
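The rules 1a-1e and 2a-2c above, modelled as an in-memory access policy so the interactions can be checked end to end. This is an added example written for this page, not VSH project code: the class and method names (DL, BL, login, authorize, grant, relay_xml, can_communicate) are assumptions, the "parent DL" of a BL is taken to be the root DL that first logged into it, and the reading that a child DL inherits its parent's BL access (the question left open at the end of the mail) is an assumption too.

```python
# Added example (not VSH code): in-memory model of the DL/BL access rules
# discussed in the thread. All names are assumptions; only the rules are
# taken from the mail.


class AccessDenied(Exception):
    """Raised when one of the thread's rules forbids an operation."""


class DL:
    """A DL. parent is None for a root DL, else the DL that created it."""

    def __init__(self, dl_id, parent=None):
        self.dl_id = dl_id
        self.parent = parent
        self.granted = set()  # 2a: dl_ids this DL lets connect/exchange XML

    @property
    def is_root(self):
        return self.parent is None

    def create_child(self, dl_id):
        # Brad's reading of 2c: a root DL creates a non-root DL to take
        # remote connections on its behalf.
        return DL(dl_id, parent=self)

    def grant(self, other):
        # 2a: a DL authorizes other DLs for access to its nodes/subnets.
        self.granted.add(other.dl_id)

    def accept_connection(self, remote):
        # 2c: no DL may connect to a root DL; 1c/2b: others need a grant.
        if self.is_root:
            raise AccessDenied(f"root DL {self.dl_id} accepts no connections")
        if remote.dl_id not in self.granted:
            raise AccessDenied(f"{remote.dl_id} not authorized by {self.dl_id}")

    def relay_xml(self, remote, bl, xml):
        # 1c as mediated by the local DL: the BL only ever sees the local
        # DL's own id; the remote DL never talks to the BL directly.
        self.accept_connection(remote)
        return bl.apply_xml(self, xml)


class BL:
    """A BL node. The first DL to log in becomes its root DL (1b)."""

    def __init__(self, bl_id):
        self.bl_id = bl_id
        self.root_dl = None
        self.granted = set()  # 1b: dl_ids the root DL has authorized here
        self.applied = []     # (dl_id, xml) records of accepted submissions

    def login(self, dl):
        # 1a/1b: authenticate a DL; the very first login becomes root.
        if self.root_dl is None:
            self.root_dl = dl
        elif not self._allowed(dl):
            raise AccessDenied(f"{dl.dl_id} not authorized on {self.bl_id}")

    def authorize(self, granting_dl, other):
        # 1b: only this BL's root DL may grant other DLs access.
        if granting_dl is not self.root_dl:
            raise AccessDenied(f"{granting_dl.dl_id} is not root of {self.bl_id}")
        self.granted.add(other.dl_id)

    def _allowed(self, dl):
        # Assumption: access if root, explicitly granted, or descended from
        # a DL that is (the "same nodes as their parent" reading).
        while dl is not None:
            if dl is self.root_dl or dl.dl_id in self.granted:
                return True
            dl = dl.parent
        return False

    def apply_xml(self, dl, xml):
        if not self._allowed(dl):
            raise AccessDenied(f"{dl.dl_id} may not apply XML on {self.bl_id}")
        self.applied.append((dl.dl_id, xml))
        return dl.dl_id  # the identity the BL actually recorded


def can_communicate(bl_a, bl_b):
    # 1e: BL nodes may talk only when both have the same parent (root) DL.
    return bl_a.root_dl is not None and bl_a.root_dl is bl_b.root_dl


def denied(fn, *args):
    """True if fn(*args) is refused under the model's rules."""
    try:
        fn(*args)
        return False
    except AccessDenied:
        return True


def demo():
    # Constructed scenario: one root DL on two BLs (1d), a child DL that
    # fronts a remote DL, and a third BL owned by a different root.
    bl1, bl2, bl3 = BL("bl-1"), BL("bl-2"), BL("bl-3")
    root, other_root = DL("root-dl"), DL("other-root")
    bl1.login(root); bl2.login(root); bl3.login(other_root)
    local = root.create_child("local-dl")
    remote = DL("remote-dl")
    results = {"root_refuses": denied(root.accept_connection, remote),
               "unauthorized_relay": denied(local.relay_xml, remote, bl1, "<doc/>"),
               "non_root_cannot_grant": denied(bl1.authorize, local, remote)}
    local.grant(remote)  # 2a: the non-root local DL admits the remote DL
    results["relayed_as"] = local.relay_xml(remote, bl1, "<doc/>")
    results["same_parent"] = can_communicate(bl1, bl2)
    results["different_parent"] = can_communicate(bl1, bl3)
    return results


if __name__ == "__main__":
    print(demo())
```

The point the model makes visible is the one Brad raises under 1c: after the relay, bl1.applied holds ("local-dl", "<doc/>"), so any audit of the BL attributes the XML to the mediating local DL, not to the remote DL that originated it; if per-origin accountability matters, the local DL is the only place that record can be kept.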