[Pipet Devel] Re: Security model

J.W. Bizzaro bizzaro at geoserve.net
Fri Apr 7 20:10:32 EDT 2000


jarl van katwijk wrote:
> 
> > Hmmm.  So, DLs do authorization, but the connection between remote DLs and the
> > local BL is direct?
> 
> Direct? A DL must authenticate to the BL if this is what you want to hear (?).

Okay.

> > I'm not sure I understand why group is BL level and user is DL level.
> 
> group : a BL allows ALL nodes\subnets(?\commands?) from a DL once it's logged in.
> user: a DL grants another DL only partial access to the node space it has inside the
> BL
> 
> So a DL can only grant access to its own nodes, a BL grants all-or-nothing to the
> nodes. This is happening when the UI is closed and the nodes it has created are still
> active.

I understand.  But I think 'user' and 'group' might be confusing to Unix
people.

> > And, why would you have a group password?  The reason Unix doesn't have group
> > passwords is because everyone must log in as a user anyway.  Are you saying
> > someone can have group access without logging in as a user?
> >
> 
> Yes, I think we should see the 'group' as the main authorisation 'level', the 'USER
> level' is more detailed, it's only a part of the regular used access, only a
> subset.
> 
> I'm not too happy about the naming, you can see why.

:-)  Yes, we should work on some better names for those two.

> > > We should therefore decide if it can be possible for a DL to login to another DL
> > > and to a BL at the same time. I didn't think about the consequences yet..
> >
> > You mean in addition to logging into the root DL?
> 
> No, as in this situation:
> 
> - DL1 is logged into BL1
> - DL2 is logged into BL1
> - DL2 also is logged into DL1, so it's able to use some of DL1's nodes.
> 
> This would make it possible for DL2 to combine its nodes to DL1's nodes.
> This situation just makes me expect security holes.. I'm not sure yet.

Hmmmm.  I see.  It's an interesting idea.  I think it adds an extra dimension
to the application, but it MAY add some security problems, as you say.

Jeff
-- 
                      +----------------------------------+
                      |           J.W. Bizzaro           |
                      |                                  |
                      | http://bioinformatics.org/~jeff/ |
                      |                                  |
                      |        BIOINFORMATICS.ORG        |
                      |           The Open Lab           |
                      |                                  |
                      |    http://bioinformatics.org/    |
                      +----------------------------------+
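
The two access levels and the DL1/DL2/BL1 situation discussed above, as an added example that is not part of the original message or of the Pipet code. The class, method names, secrets and node ids are hypothetical, and "DL2 is logged into DL1" is modelled, as an assumption, as a grant recorded at the BL that cannot be passed on by the grantee.

```python
import hmac

class BL:
    """Toy broker for the two access levels in the thread (names are hypothetical)."""

    def __init__(self, secrets):
        self._secrets = secrets   # DL name -> shared secret (constructed values)
        self.logged_in = set()
        self.owner = {}           # node id -> DL that created it
        self.grants = {}          # (owner DL, grantee DL) -> node ids shared

    def login(self, dl, secret):
        # BL level ("group"): all-or-nothing, the DL is either in or out.
        expected = self._secrets.get(dl)
        if expected is None or not hmac.compare_digest(expected, secret):
            raise PermissionError(f"{dl}: authentication to BL failed")
        self.logged_in.add(dl)

    def create_node(self, dl, node):
        self._require_login(dl)
        self.owner[node] = dl

    def grant(self, granter, grantee, nodes):
        # DL level ("user"): partial access, limited to the granter's own nodes.
        self._require_login(granter)
        foreign = [n for n in nodes if self.owner.get(n) != granter]
        if foreign:
            raise PermissionError(f"{granter} does not own {foreign}")
        self.grants.setdefault((granter, grantee), set()).update(nodes)

    def can_use(self, dl, node):
        if dl not in self.logged_in or node not in self.owner:
            return False
        own = self.owner[node]
        return own == dl or node in self.grants.get((own, dl), set())

    def _require_login(self, dl):
        if dl not in self.logged_in:
            raise PermissionError(f"{dl} is not logged in to the BL")

def scenario():
    """DL1 and DL2 log in to BL1; DL1 shares one of its two nodes with DL2."""
    bl1 = BL({"DL1": "s1", "DL2": "s2"})
    bl1.login("DL1", "s1")
    bl1.login("DL2", "s2")
    for dl, node in (("DL1", "n1"), ("DL1", "n2"), ("DL2", "m1")):
        bl1.create_node(dl, node)
    bl1.grant("DL1", "DL2", {"n1"})
    return bl1
```

Because `grant` checks ownership rather than current access, DL2 can combine `n1` with its own `m1` but cannot hand `n1` on to a third DL.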



