Re: External group concept

From: Robert Collins <>
Date: Thu, 5 Jul 2001 23:52:46 +1000

----- Original Message -----
From: "Chemolli Francesco (USI)" <>
To: "'Robert Collins'" <>; "Henrik Nordstrom"
<>; <>
Sent: Thursday, July 05, 2001 6:53 PM
Subject: RE: External group concept

> > > I think both should match a single ACL type "group" if possible.
> >
> > Yes. Both a and b need a "group" concept in squid. Adding users to
> > groups needs a global API of some sort - probably one function to add,
> > one to test for membership and one to free. After that coding a is
> > trivial for any given scheme.
> >
> > IMO the groups shouldn't be a separate ACL type though - the proxy_auth
> > acl is effectively a group acl now, just not dynamic as users login. I'd
> > like the list of proxy_auth acl's to be extended as users login, and
> > users added and removed from the acl's as they login and are cleaned
> > from the user cache respectively.
> I am quite ambivalent on this, so I'll try to think in terms of
> implementation. The problem is WHEN we determine that a user
> is part of a group. You seem to imply that it should be
> externally driven (i.e. at reconfiguration). I'd rather do it lazily.

Uhmm no. What I meant is that proxy_auth acl's act like groups now if you
consider the mapping to be groupname==aclname. I was suggesting that squid
dynamically add users to proxy auth acls when informed by the helper that
was necessary.

> Being that so, it still must be decided how to determine group membership.
> Should squid pass the helper the user's details and receive an enumeration
> of the groups the user belongs to? Or should it pass a group name and
> receive an enumeration of the users the group contains? Or again should it
> send a user/group pair and get a simple "belongs/doesn't belong"?

We can do more than one. We can have a separate helper and/or tie it into the
authentication helper. I think that's what Henrik meant with his a)/b).

> Having a "group" ACL would help in having a cleaner request path IMO,
> because squid would know what to do before having checked the users'
> credentials.

I agree - I'm saying that "proxy_auth" IS group acls. We don't have a
user-name checking facility today. (We can't say
http_access allow userrobert
unless we define a group userrobert with the user "robert" in it.)


> --
> /kinkie
Received on Thu Jul 05 2001 - 07:50:24 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:14:05 MST
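As an added illustration, not code from the thread or from Squid itself, here is a minimal C sketch of the global group API the thread describes (one function to add, one to test for membership, one to free), plus a parser for a helper reply of the assumed form "user group1 group2 ..." so that users can be added to groups as the helper reports them and dropped when they are cleaned from the user cache. The structure, function names and the reply format are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* One (user, group) record on a singly linked list; hypothetical, not Squid's own. */
typedef struct member {
    char user[32], group[32];
    struct member *next;
} member_t;
static member_t *members = NULL;

/* Membership test: 1 if user belongs to group, 0 if not. */
int group_test(const char *user, const char *group) {
    for (member_t *m = members; m; m = m->next)
        if (!strcmp(m->user, user) && !strcmp(m->group, group))
            return 1;
    return 0;
}

/* Add user to group, no duplicates: 1 if added, 0 if present or out of memory. */
int group_add(const char *user, const char *group) {
    member_t *m;
    if (group_test(user, group) || !(m = calloc(1, sizeof *m)))
        return 0;
    strncpy(m->user, user, sizeof m->user - 1);   /* calloc supplies the NUL */
    strncpy(m->group, group, sizeof m->group - 1);
    m->next = members;
    members = m;
    return 1;
}

/* Free every record for a user (e.g. cleaned from the user cache); returns count. */
int group_remove_user(const char *user) {
    member_t **pp = &members, *m;
    int n = 0;
    while ((m = *pp) != NULL) {
        if (!strcmp(m->user, user)) { *pp = m->next; free(m); n++; }
        else pp = &m->next;
    }
    return n;
}

/* Parse assumed helper reply "user g1 g2 ..." in place; returns groups added, -1 if empty. */
int group_add_from_helper(char *reply) {
    char *user = strtok(reply, " \t\n"), *g;
    int n = 0;
    if (!user) return -1;
    while ((g = strtok(NULL, " \t\n")) != NULL)
        n += group_add(user, g);
    return n;
}
```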