Re: External group concept

Robert Collins wrote:

> > For auth groups, no separate group definitions are required. Simply
> > cache the group memberships returned by the helper in the users auth
> > cache entry, and for speed of lookup maintain a group->user index.
>
> ... If no definition is required, how do the groups get tested against in
> http_access rules? This is where I'm suggesting we use the proxy_auth acl
> names.

I have been a bit unclear there I admit. Easily gets that way when one
prematurely jumps into details

As you correctly say group definitions are needed one way or another.
Where we differ is how these definitions are to be maintained.

Your proposal is to make the auth code automatically modify proxy_auth
ACL's to show group membership.

I at intuitively dislike this, but it may have some merit. If we do a
union of both yours and mine proxy_auth related proposal I think there
is a acceptable design.

Your other proposal is to have auth group names the same as acl names.
This I see as unacceptable because

a) It may be convenient to make unions of several auth groups into one
Squid ACL to easily refer to both groups of users in a single
http_access line.

b) Group names are often selected in a context quite far from Squid
configuration, making them somewhat unsuitable for good looking Squid
configs.

proxy_auth configuration syntax is extended with references to auth
groups.

authenticated users are added to any proxy_auth ACL who referes to any
of the users group memberships, with a flag indicating that this user
entry is "group internal".

When a user auth cache entry is expired or new group membership
information has been received from helper revalidation, the user is
first removed from any proxy_auth ACL's refering to it's (old) group
memberships.

This way we have a nice and clean lookup path, combined with a
reasonable configuration syntax.

The only indexes needed to be added is "group name" -> "proxy_auth ACL
names".

Now the final questions:

* How to syntactically refer to group names in proxy_auth?

* How to extend the helper protocols to return group memberships?

Note: I see this restricted to groups which can only be returned as part
of the authentication process. For groups which are not tied to "logging
in" see "external ACL".

--
Henrik