Re: External group concept

From: Robert Collins <robert.collins@dont-contact.us>
Date: Fri, 6 Jul 2001 00:06:08 +1000

----- Original Message -----
From: "Henrik Nordstrom" <hno@hem.passagen.se>
To: "Chemolli Francesco (USI)" <ChemolliF@GruppoCredit.it>
Cc: "'Robert Collins'" <robert.collins@itdomain.com.au>;
<squid-dev@squid-cache.org>
Sent: Thursday, July 05, 2001 7:39 PM
Subject: Re: External group concept

> Chemolli Francesco (USI) wrote:
>
> > I am quite ambivalent on this, so I'll try to think in terms of
> > implementation. The problem is WHEN we determine that a user
> > is part of a group. You seem to imply that it should be
> > externally driven (i.e. at reconfiguration). I'd rather do it lazily.
>
> As you may have seen from my previous message, I have somewhat changed
> my mind. auth groups should be separate from "non-auth groups".
>
> For auth groups, no separate group definitions are required. Simply
> cache the group memberships returned by the helper in the user's auth
> cache entry, and for speed of lookup maintain a group->user index.

... If no definition is required, how do the groups get tested against in
http_access rules? This is where I'm suggesting we use the proxy_auth acl
names.

> There is no ambiguity on when a user is member of an auth group or not.
> The user is member of the groups last returned by the auth helper.

For auth groups, why not just add to proxy_auth acl's with names matching
the group name? Then cache the nodes we added in the auth cache entry, so we
can clean them later. Then no extra checks are needed by squid over and
above the existing proxy_auth mechanism.

> In addition to this, we also need a more flexible mechanism for external
> ACL's. See my reply to Robert.

See my other reply :]

> --
> Henrik
>
Received on Thu Jul 05 2001 - 08:03:45 MDT
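
The bookkeeping discussed in this thread, as an added sketch that is not part of the original message and is not Squid code: each user's cache entry holds the groups last returned by the auth helper, a group->user index serves lookups, and the entry's stored groups are used to clean the index on refresh or expiry. All class and method names are hypothetical, and Python is used only for brevity.

```python
# Added sketch; class and method names are hypothetical, not Squid's.
from collections import defaultdict


class AuthGroupCache:
    """Per-user cache of helper-returned groups plus a group->user index."""

    def __init__(self):
        self.user_groups = {}                # user -> groups last returned by the helper
        self.group_users = defaultdict(set)  # group -> users (the lookup index)

    def helper_result(self, user, groups):
        """Record a fresh helper answer, replacing the previous one entirely."""
        new = frozenset(groups)
        old = self.user_groups.get(user, frozenset())
        for group in old - new:              # memberships the helper no longer reports
            self._unindex(user, group)
        for group in new - old:
            self.group_users[group].add(user)
        self.user_groups[user] = new

    def expire(self, user):
        """Drop a user's cache entry and every index node it created."""
        for group in self.user_groups.pop(user, frozenset()):
            self._unindex(user, group)

    def _unindex(self, user, group):
        members = self.group_users[group]
        members.discard(user)
        if not members:                      # leave no empty group behind
            del self.group_users[group]

    def in_group(self, user, group):
        """ACL-style check against the index; .get() avoids creating entries."""
        return user in self.group_users.get(group, ())
```

The case to watch is a refresh in which the helper returns fewer groups than before: without the `old - new` cleanup the user would keep matching a group they were removed from until the index was rebuilt.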

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:14:05 MST