<div dir="ltr">Hi Brian - I was just making a generic statement about staying away from pattern matching in ACLs given it is hard to debug and the possibility of Allow instead of Deny in unintended cases. Having explicit grants will make it cleaner.</div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Apr 25, 2016 at 9:28 AM, Brian Stansberry <span dir="ltr"><<a href="mailto:brian.stansberry@redhat.com" target="_blank">brian.stansberry@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 4/25/16 8:09 AM, Anil Saldanha wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
The challenge with pattern based matching is that you provide access when you should not. Explicit definition of the grants is recommended.<br>
<br>
So I support your thinking, Brian.<br>
<br>
</blockquote>
<br></span>
Did you mean you support Ladislav's thinking? His proposed approach is more explicit.<div class="HOEnZb"><div class="h5"><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On Apr 25, 2016, at 7:55 AM, Brian Stansberry <<a href="mailto:brian.stansberry@redhat.com" target="_blank">brian.stansberry@redhat.com</a>> wrote:<br>
<br>
Perhaps. I'm a bit reluctant to move away from something powerful<br>
and standard to something custom. Mostly because it's hard to move the<br>
other way in the future while remaining compatible. But your point is<br>
well taken.<br>
<br>
How would you propose discriminating these cases?<br>
<br>
1) /subsystem=messaging is not allowed but its children are.<br>
<br>
2) /subsystem=messaging and its children are.<br>
<br>
We also need to think about ObjectName patterns, which are not<br>
inherently hierarchical.<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On 4/23/16 1:38 AM, Ladislav Thon wrote:<br>
I only have a single comment: writing a regular expression can sometimes<br>
be a bit tricky. Just see the example you used:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
(/profile=[^/]+)??/subsystem=logging(/.*)*<br>
</blockquote>
<br>
It's also fairly easy to write a regular expression that doesn't quite<br>
do what you want it to do, in some corner cases. Finally, some<br>
well-crafted regular expressions have running time in years or more (at<br>
least in the java.util.regex implementation).<br>
<br>
This all leads me to believe that maybe regular expressions are not the<br>
best choice.<br>
<br>
Instead, I'm thinking about address prefixes. So the role would be<br>
specified by a set of valid addresses (including the "*" wildcard), and<br>
only the specified resources and all their children would be accessible.<br>
<br>
I'm specifically not thinking about _textual_ prefix, so e.g. prefix of<br>
/subsystem=messaging would give you access to the old messaging<br>
subsystem, but it _wouldn't_ give you access to the new<br>
/subsystem=messaging-activemq, even if /subsystem=messaging is a textual<br>
prefix.<br>
<br>
Granted, that's way less powerful than regular expressions, but also<br>
easier and safer to use.<br>
<br>
WDYT? Am I being too paranoid here?<br>
<br>
LT<br>
_______________________________________________<br>
wildfly-dev mailing list<br>
<a href="mailto:wildfly-dev@lists.jboss.org" target="_blank">wildfly-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/wildfly-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/wildfly-dev</a><br>
</blockquote>
<br>
<br>
--<br>
Brian Stansberry<br>
Senior Principal Software Engineer<br>
JBoss by Red Hat<br>
</blockquote></blockquote>
<br>
<br>
-- <br>
Brian Stansberry<br>
Senior Principal Software Engineer<br>
JBoss by Red Hat<br>
</div></div></blockquote></div><br></div>
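<div>The two matching schemes argued over in this thread, as an added example that is not part of the original messages and not WildFly's own RBAC code. It is written in Python rather than Java so that it can be run as is. The address syntax is simplified (values are assumed not to contain '/' or '='), the rule list is constructed for illustration, and the <code>include_self</code> flag is a hypothetical way of answering Brian's question of how to tell "the resource and its children" from "only the children"; nothing in the thread settles on that design. The regex is the one quoted from Ladislav's message, run under both full-match and start-anchored matching, which is the Java <code>matches()</code> versus <code>lookingAt()</code> distinction.</div>

```python
import re

# Added example (not WildFly's own code): segment-wise address-prefix
# matching as Ladislav proposes, next to the textual-prefix and regex
# behaviour it is meant to avoid. Address syntax is simplified: values
# are assumed not to contain '/' or '='.


def parse_address(address):
    """Split '/profile=full/subsystem=messaging' into [(key, value), ...].
    '/' (the root) parses to an empty list."""
    address = address.strip()
    if address in ("", "/"):
        return []
    if not address.startswith("/"):
        raise ValueError("address must start with '/': %r" % address)
    segments = []
    for part in address[1:].split("/"):
        key, sep, value = part.partition("=")
        if not (sep and key and value):
            raise ValueError("bad segment %r in %r" % (part, address))
        segments.append((key, value))
    return segments


def address_permitted(rules, address):
    """rules: list of (prefix_address, include_self).

    A rule grants every address whose leading segments equal the prefix
    segment by segment ('*' as a prefix value matches any value for that
    key). include_self is a hypothetical flag (not in the thread):
    False grants only the children of the prefix resource, True grants
    the resource itself as well."""
    addr = parse_address(address)
    for prefix, include_self in rules:
        pfx = parse_address(prefix)
        if len(addr) < len(pfx):
            continue
        segments_match = all(
            key == pkey and (pvalue == "*" or value == pvalue)
            for (key, value), (pkey, pvalue) in zip(addr, pfx)
        )
        if segments_match and (len(addr) > len(pfx) or include_self):
            return True
    return False


def textual_prefix_permitted(prefixes, address):
    """The pitfall Ladislav warns about: a plain string prefix, under which
    '/subsystem=messaging' also grants '/subsystem=messaging-activemq'."""
    return any(address.startswith(p) for p in prefixes)


# The regex quoted in the thread. Whether '/subsystem=logging-old' leaks
# depends on how it is anchored, not on the pattern text itself.
LOGGING_PATTERN = re.compile(r"(/profile=[^/]+)??/subsystem=logging(/.*)*")


def regex_full_match(address):
    # Java Matcher.matches(): the whole address must match.
    return LOGGING_PATTERN.fullmatch(address) is not None


def regex_prefix_match(address):
    # Java Matcher.lookingAt() (or find()): anchored only at the start,
    # so anything after '...=logging' is silently ignored.
    return LOGGING_PATTERN.match(address) is not None


# Constructed rule set: full access to the old messaging subsystem, and
# access to the logging children of any profile but not to
# /profile=X/subsystem=logging itself.
EXAMPLE_RULES = [
    ("/subsystem=messaging", True),
    ("/profile=*/subsystem=logging", False),
]

if __name__ == "__main__":
    for a in ("/subsystem=messaging",
              "/subsystem=messaging/hornetq-server=default",
              "/subsystem=messaging-activemq",
              "/profile=full/subsystem=logging",
              "/profile=full/subsystem=logging/logger=root"):
        print("%-48s prefix=%-5s textual=%s" % (
            a, address_permitted(EXAMPLE_RULES, a),
            textual_prefix_permitted(["/subsystem=messaging"], a)))
    for a in ("/subsystem=logging-old",):
        print("%-48s fullmatch=%-5s lookingAt=%s" % (
            a, regex_full_match(a), regex_prefix_match(a)))
```

<div>Two things worth noticing when running it: the segment matcher refuses <code>/subsystem=messaging-activemq</code> because it compares the value <code>messaging</code> as a whole, whereas <code>startswith</code> accepts it; and the thread's regex is sound under full matching but grants <code>/subsystem=logging-old</code> the moment it is evaluated with start-only anchoring, which is exactly the "doesn't quite do what you want in some corner cases" failure mode.</div>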