ACL Change notifications

Sébastien Michel sebastien.michel at atos.net
Mon Aug 19 12:02:51 EDT 2013


Hi Jeroen,

Sorry for my late reply but I missed your mail ...


2013/6/19 Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen at kolabsys.com>

> Hi there,
>
> as part of an exercise to make use of event notifications for the purposes
> of auditing (non-syslog), I wanted to add an event notification for ACL
> changes.
>
> Please find attached a patch for your review, an aggregate of the work in
> dev/acl-change-notification[1].
>
> I have a couple of things I myself am pondering as well;
>
> - ACL change notifications are not a part of any RFC as such (but for
> [2]), and therefore the fields aclSubject / aclRights may need a 'vnd.cmu'
> prefix? Does the event name "AclChange" need a similar prefix?
>

According to RFC 5423 [1], we should use 'vnd.' to prefix both private
event names and private event parameters. However, the RFC doesn't require it
(no MUST statement).
I questioned myself too and chose to prefix with vnd. because Cyrus is
mostly compliant with RFC rules.
However:
 - IMHO I would prefer not to prefix with vnd.
 - RFC 6648 [2] deprecates such constructions for most cases

[1] http://tools.ietf.org/html/rfc5423#section-6
[2] http://www.rfc-editor.org/rfc/rfc6648.txt

> - In relation to the previous consideration, this change (in part) could
> relate to "Access Control List Changes in IMAP NOTIFY"[2].
>
Unfortunately this section is not really helpful for us to choose the event
name and event parameters.
Notice that the IMAP4 ACL Extension [3] is very similar to IMAP STORE: they
both use "+" to add rights or flags, "-" to remove rights or flags, and
nothing to replace existing rights or flags.
Thus, I would suggest defining ACL change events like the events related to
changes in message flags: AclsSet (or maybe AclSet?) and AclsClear (or maybe
AclClear?) instead of AclChange.
I'm OK with "aclSubject", it's shorter than "aclIdentifier".

[3] http://tools.ietf.org/html/rfc4314

> - The event (type) could perhaps use a separate "event_groups" in
> imapd.conf(5), but for now I stuffed them under "access" - the fields
> themselves could also be subject to inclusion in event_extra_params
> instead, perhaps.
>
Semantically it is good to reuse the "access" group to enable ACL change
notifications. The downside is that you will be flooded with Login and
Logout notifications, which may not interest you. Maybe the "mailbox" group
would be better.

Regards,

Sébastien
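The following is an added example, not code from this thread or from Cyrus itself. It models the point made above about the IMAP4 ACL Extension mirroring STORE: it applies an RFC 4314 SETACL rights argument ("+" adds, "-" removes, no prefix replaces) and derives the flag-style AclsSet / AclsClear events proposed in the reply, with the optional private-name prefix ("vnd.cmu.") as a parameter. The event payload layout, the mailbox and identifier values, and the treatment of unknown rights are assumptions made for the example.

```python
# Added example (not code from the thread, nor Cyrus's own): apply an RFC 4314
# SETACL rights modification and derive the flag-style notification events
# (AclsSet / AclsClear) that Sebastien proposes instead of a single AclChange.
# Event and parameter names follow the thread; the event payload shape, the
# 'prefix' argument and the sample mailbox/identifiers are assumptions.

# Standard rights from RFC 4314 section 2.1, including the obsolete 'c' and 'd'.
# Used only as a canonical output ordering; virtual rights (c, d) are not expanded.
RIGHTS_ORDER = "lrswipkxtecda"


def _ordered(rights: set) -> str:
    """Render a set of rights as a string in canonical RFC 4314 order."""
    return "".join(r for r in RIGHTS_ORDER if r in rights)


def apply_rights_modification(current: str, modification: str) -> str:
    """Apply a SETACL rights argument (RFC 4314 section 3.1).

    Like STORE's FLAGS argument: a leading '+' adds rights, a leading '-'
    removes rights, and no prefix replaces the existing rights outright.
    """
    if modification.startswith("+"):
        new = set(current) | set(modification[1:])
    elif modification.startswith("-"):
        new = set(current) - set(modification[1:])
    else:
        new = set(modification)
    unknown = new - set(RIGHTS_ORDER)
    if unknown:
        # Reject rights the server does not know rather than silently storing them.
        raise ValueError("unknown rights: " + "".join(sorted(unknown)))
    return _ordered(new)


def acl_change_events(mailbox: str, subject: str, current: str,
                      modification: str, prefix: str = "") -> list:
    """Compute the notification events implied by one SETACL.

    Rights absent before and present after yield an AclsSet event; rights
    present before and absent after yield an AclsClear event, so a plain
    replacement (no '+'/'-') can produce both, and a no-op produces none.
    'prefix' stands for the optional private-name prefix discussed in the
    thread (e.g. "vnd.cmu."); the payload keys are an assumed layout.
    """
    new = apply_rights_modification(current, modification)
    added = set(new) - set(current)
    removed = set(current) - set(new)
    events = []
    if added:
        events.append({"event": prefix + "AclsSet", "mailbox": mailbox,
                       "aclSubject": subject, "aclRights": _ordered(added)})
    if removed:
        events.append({"event": prefix + "AclsClear", "mailbox": mailbox,
                       "aclSubject": subject, "aclRights": _ordered(removed)})
    return events


if __name__ == "__main__":
    # Constructed sample: alice currently holds "lrs" on user.bob's mailbox.
    for mod in ("+wi", "-s", "lrp"):
        for ev in acl_change_events("user.bob", "alice", "lrs", mod,
                                    prefix="vnd.cmu."):
            print(mod, "->", ev)
```

Running it shows that a replacement such as "lrp" applied to "lrs" emits both an AclsSet for "p" and an AclsClear for "s", which is the case a single AclChange event would have to describe with before/after rights instead.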