Clarify discovery, reading, and writing auxiliary resources #252
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
acoburn
approved these changes
Mar 16, 2021
TallTed
reviewed
Mar 16, 2021
Co-authored-by: Ted Thibodeau Jr <tthibodeau@openlinksw.com>
matthieubosquet
approved these changes
Mar 17, 2021
| @@ -572,7 +572,7 @@ <h4 property="schema:name">Description Resource</h4> | |||
|
|
|||
| <p>Servers MUST NOT directly associate more than one description resource to a subject resource.</p> | |||
|
|
|||
| <p>When a HTTP request targets a description resource, the server MUST apply the authorization policy that is used for the subject resource that the description resource is associated with.</p> | |||
| <p>When an HTTP request targets a description resource, the server MUST apply the authorization policy that is used for the subject resource with which the description resource is associated.</p> | |||
There was a problem hiding this comment.
Could we simplify further?
"A subject resource's authorization MUST apply to its description resource."
There was a problem hiding this comment.
That implies that the resource's authorization is the thing taking action.
The imperative is on the server, to apply the same authorization as is on the resource to the description resource(s), and I think we've got just about the simplest, clearest possible wording.
dmitrizagidulin
approved these changes
Mar 17, 2021
RubenVerborgh
approved these changes
Mar 17, 2021
michielbdejong
approved these changes
Mar 19, 2021
There was a problem hiding this comment.
LGTM, thanks for looking into this so thoroughly Sarven!
I closed #248 in favour of this one.
timbl
approved these changes
Mar 23, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR introduces minimal changes necessary to clarify discovery, reading and writing of ACL and Description resources (specifically under Auxiliary Resources) - to be consistent with the rest of the Protocol. Further re-organisation of content is left for future PRs.
The PR also address the key concerns raised in PRs #248 and #250 . If accepted and merged, then those two PRs should be closed immediately.
Access controls that are required to read-write ACL resources are specified by the WAC specification. The outer Protocol - in this case the Auxiliary Resources section - must take care to not introduce potential confusion or conflicts.
As it stands, access controls required to read-write Resource Descriptions are specified in the Auxiliary Resource section.
On the removal of line:
As per ACL Ontology: having Control access on a subject resource allows an agent to Read and Write the ACL resource that's associated with it. The text "read, create, or modify" is redundant and should be avoided.
WAC currently does not specify access controls needed for the discovery of an ACL resource via the subject resource it is associated with (ie. Link rel=acl). However, the discovery of a ACL resource associated with the subject resource is already described in the Auxiliary Resources section, and currently relies on Read rights:
It alludes to server including the Link header to allow a client to discover the ACL resource when agent has Read access on the subject resource.
Aside: It is still possible to specify the inclusion of the Link header also part of 4xx responses, but this is left for a future PR.
On the removal of line:
The WAC spec will cover this in detail.
On modifying the lines for creating, modifying, discovering, reading description resources:
The change simply states that access privileges on description resources come from subject resource's.
For discovery, same reason as earlier when a client can observe the link relation targeting an auxiliary resource. At this time, the commonality is that Read is required on the subject resource for the purpose of discovery.