| Network Working Group | G. Clemm |
| INTERNET DRAFT | IBM |
| <draft-ietf-webdav-acl-latest> | J. F. Reschke |
| Category: Standards Track | greenbytes |
| Expires: November 2004 | E. Sedlar |
| Oracle Corporation | |
| J. Whitehead | |
| U.C. Santa Cruz | |
| May 2004 |
Web Distributed Authoring and Versioning (WebDAV) Access Control Protocol
draft-ietf-webdav-acl-latest
This document is an Internet-Draft and is subject to all provisions of section 3 of RFC 3667. By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she become aware will be disclosed, in accordance with RFC 3668.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress".
The list of current Internet-Drafts can be accessed at <http://www.ietf.org/ietf/1id-abstracts.txt>.
The list of Internet-Draft Shadow Directories can be accessed at <http://www.ietf.org/shadow.html>.
This Internet-Draft will expire in November 2004.
Copyright (C) The Internet Society (2004). All Rights Reserved.
This document specifies a set of methods, headers, message bodies, properties, and reports that define Access Control extensions to the WebDAV Distributed Authoring Protocol. This protocol permits a client to read and modify access control lists that instruct a server whether to allow or deny operations upon a resource (such as HyperText Transfer Protocol (HTTP) method invocations) by a given principal. A lightweight representation of principals as Web resources supports integration of a wide range of user management repositories. Search operations allow discovery and manipulation of principals using human names.
This document is a product of the Web Distributed Authoring and
Versioning (WebDAV) working group of the Internet Engineering Task Force.
Comments on this draft are welcomed, and should be addressed to the
acl@webdav.org mailing list.
Other related documents can be found at
<http://www.example.com/acl/>
<http://www.webdav.org/acl/>
, and
<http://www.ics.uci.edu/pub/ietf/webdav/>.
1
Introduction
1.1
Terms
1.2
Notational Conventions
2
Principals
3
Privileges
3.1
DAV:read Privilege
3.2
DAV:write Privilege
3.3
DAV:write-properties Privilege
3.4
DAV:write-content Privilege
3.5
DAV:unlock Privilege
3.6
DAV:read-acl Privilege
3.7
DAV:read-current-user-privilege-set Privilege
3.8
DAV:write-acl Privilege
3.9
DAV:bind Privilege
3.10
DAV:unbind Privilege
3.11
DAV:all Privilege
3.12
Aggregation of Predefined Privileges
4
Principal Properties
4.1
DAV:alternate-URI-set
4.2
DAV:principal-URL
4.3
DAV:group-member-set
4.4
DAV:group-membership
5
Access Control Properties
5.1
DAV:owner
5.1.1
Example: Retrieving DAV:owner
5.1.2
Example: An Attempt to Set DAV:owner
5.2
DAV:group
5.3
DAV:supported-privilege-set
5.3.1
Example: Retrieving a List of Privileges Supported on a Resource
5.4
DAV:current-user-privilege-set
5.4.1
Example: Retrieving the User's Current Set of Assigned Privileges
5.5
DAV:acl
5.5.1
ACE Principal
5.5.2
ACE Grant and Deny
5.5.3
ACE Protection
5.5.4
ACE Inheritance
5.5.5
Example: Retrieving a Resource's Access Control List
5.6
DAV:acl-restrictions
5.6.1
DAV:grant-only
5.6.2
DAV:no-invert ACE Constraint
5.6.3
DAV:deny-before-grant
5.6.4
Required Principals
5.6.5
Example: Retrieving DAV:acl-restrictions
5.7
DAV:inherited-acl-set
5.8
DAV:principal-collection-set
5.8.1
Example: Retrieving DAV:principal-collection-set
5.9
Example: PROPFIND to retrieve access control properties
6
ACL Evaluation
7
Access Control and existing methods
7.1
Any HTTP method
7.1.1
Error Handling
7.2
OPTIONS
7.2.1
Example - OPTIONS
7.3
MOVE
7.4
COPY
7.5
LOCK
8
Access Control Methods
8.1
ACL
8.1.1
ACL Preconditions
8.1.2
Example: the ACL method
8.1.3
Example: ACL method failure due to protected ACE conflict
8.1.4
Example: ACL method failure due to an inherited ACE conflict
8.1.5
Example: ACL method failure due to an attempt to set grant and deny in a single ACE
9
Access Control Reports
9.1
REPORT Method
9.2
DAV:acl-principal-prop-set Report
9.2.1
Example: DAV:acl-principal-prop-set Report
9.3
DAV:principal-match REPORT
9.3.1
Example: DAV:principal-match REPORT
9.4
DAV:principal-property-search REPORT
9.4.1
Matching
9.4.2
Example: successful DAV:principal-property-search REPORT
9.5
DAV:principal-search-property-set REPORT
9.5.1
Example: DAV:principal-search-property-set REPORT
10
XML Processing
11
Internationalization Considerations
12
Security Considerations
12.1
Increased Risk of Compromised Users
12.2
Risks of the DAV:read-acl and DAV:current-user-privilege-set Privileges
12.3
No Foreknowledge of Initial ACL
13
Authentication
14
IANA Considerations
15
Acknowledgements
16
References
16.1
Normative References
16.2
Informative References
§
Author's Addresses
A
WebDAV XML Document Type Definition Addendum
B
WebDAV Method Privilege Table (Normative)
3
Change Log (to be removed by RFC Editor before publication)
3.1
Since draft-ietf-webdav-acl-13
§
Intellectual Property and Copyright Statements
§
Index
| 15_acknowledgments | edit | closed | 2004-04-18 | julian.reschke@greenbytes.de |
| 5.5.1_principal_property | change | closed | 2004-03-08 | stefan.eissing@greenbytes.de |
| 5.7_inherited-acl-set-protected | change | closed | 2004-04-16 | eric.sedlar@oracle.com |
| 9.4_error_marshalling | edit | closed | 2004-01-09 | julian.reschke@greenbytes.de |
| ref_XML | edit | closed | 2004-04-19 | julian.reschke@greenbytes.de |
| rfc-editor | edit | editor | 2004-04-16 | rfc-editor@rfc-editor.org |
| typo | edit | editor | 2004-01-09 | julian.reschke@greenbytes.de |
| I typo (type: edit, status: editor) | ||
| julian.reschke@greenbytes.de | 2004-01-09 | (umbrella issue for typos) |
| Associated changes in this document: del-. | ||
| I ref_XML (type: edit, status: closed) | ||
| julian.reschke@greenbytes.de | 2004-04-19 | Update XML reference to XML 1.0, Third Edition, and XML Infoset reference to XML-IS, Second Edition. |
| I rfc-editor (type: edit, status: editor) | ||
| rfc-editor@rfc-editor.org | 2004-04-16 | (umbrella issue for changes made by RFC Editor) |
| Associated changes in this document: <#rfc.change.rfc-editor.1>, 1.1, 3, 3.2, 3.3, 3.4, 3.7, 4.3, 5.1.2, 5.5.1, 5.9, 5.9, 7.4, 9.3, 9.4, 9.4.1, 9.4.1, 12.2, 12.2. | ||
The goal of the WebDAV access control extensions is to provide an interoperable mechanism for handling discretionary access control for content and metadata managed by WebDAV servers. WebDAV access control can be implemented on content repositories with security as simple as that of a UNIX file system, as well as more sophisticated models. The underlying principle of access control is that who you are determines what operations you can perform on a resource. The "who you are" is defined by a "principal" identifier; users, client software, servers, and groups of the previous have principal identifiers. The "operations you can perform" are determined by a single "access control list" (ACL) associated with a resource. An ACL contains a set of "access control entries" (ACEs), where each ACE specifies a principal and a set of privileges that are either granted or denied to that principal. When a principal submits an operation (such as an HTTP or WebDAV method) to a resource for execution, the server evaluates the ACEs in the ACL to determine if the principal has permission for that operation.
Since every ACE contains the identifier of a principal, client software operated by a human must provide a mechanism for selecting this principal. This specification uses http(s) scheme URLs to identify principals, which are represented as WebDAV-capable resources. There is no guarantee that the URLs identifying principals will be meaningful to a human. For example, http://www.example.com/u/256432 and http://www.example.com/people/Greg.Stein are both valid URLs that could be used to identify the same principal. To remedy this, every principal resource has the DAV:displayname property containing a human-readable name for the principal.
Since a principal can be identified by multiple URLs, it raises the problem of determining exactly which principal is being referenced in a given ACE. It is impossible for a client to determine that an ACE granting the read privilege to http://www.example.com/people/Greg.Stein also affects the principal at http://www.example.com/u/256432. That is, a client has no mechanism for determining that two URLs identify the same principal resource. As a result, this specification requires clients to use just one of the many possible URLs for a principal when creating ACEs. A client can discover which URL to use by retrieving the DAV:principal-URL property (Section 4.2) from a principal resource. No matter which of the principal's URLs is used with PROPFIND, the property always returns the same URL.
With a system having hundreds to thousands of principals, the problem arises of how to allow a human operator of client software to select just one of these principals. One approach is to use broad collection hierarchies to spread the principals over a large number of collections, yielding few principals per collection. An example of this is a two level hierarchy with the first level containing 36 collections (a-z, 0-9), and the second level being another 36, creating collections /a/a/, /a/b/, ..., /a/z/, such that a principal with last name "Stein" would appear at /s/t/Stein. In effect, this pre-computes a common query, search on last name, and encodes it into a hierarchy. The drawback with this scheme is that it handles only a small set of predefined queries, and drilling down through the collection hierarchy adds unnecessary steps (navigate down/up) when the user already knows the principal's name. While organizing principal URLs into a hierarchy is a valid namespace organization, users should not be forced to navigate this hierarchy to select a principal.
This specification provides the capability to perform substring searches over a small set of properties on the resources representing principals. This permits searches based on last name, first name, user name, job title, etc. Two separate searches are supported, both via the REPORT method, one to search principal resources (DAV:principal-property-search, Section 9.4), the other to determine which properties may be searched at all (DAV:principal-search-property-set, Section 9.5).
Once a principal has been identified in an ACE, a server evaluating that ACE must know the identity of the principal making a protocol request, and must validate that that principal is who they claim to be, a process known as authentication. This specification intentionally omits discussion of authentication, as the HTTP protocol already has a number of authentication mechanisms [RFC2617]. Some authentication mechanism (such as HTTP Digest Authentication, which all WebDAV compliant implementations are required to support) must be available to validate the identity of a principal.
The following issues are out of scope for this document:
This specification is organized as follows. Section 1.1 defines key concepts used throughout the specification, and is followed by a more in-depth discussion of principals (Section 2), and privileges (Section 3). Properties defined on principals are specified in Section 4, and access control properties for content resources are specified in Section 5. The ways ACLs are to be evaluated is described in Section 6. Client discovery of access control capability using OPTIONS is described in Section 7.2. Interactions between access control functionality and existing HTTP and WebDAV methods are described in the remainder of Section 7. The access control setting method, ACL, is specified in Section 8. Four reports that provide limited server-side searching capabilities are described in Section 9. Sections on XML processing (Section 10), Internationalization considerations (Section 11), security considerations (Section 12), and authentication (Section 13) round out the specification. An appendix (Appendix A) provides an XML Document Type Definition (DTD) for the XML elements defined in the specification.
This draft
document uses the terms defined in HTTP [RFC2616] and WebDAV
[RFC2518]. In addition, the following terms are defined:
principal
group
privilege
aggregate privilege
abstract privilege
access control list (ACL)
access control element (ACE)
inherited ACE
protected property
The augmented BNF used by this document to describe protocol elements is described in Section 2.1 of [RFC2616]. Because this augmented BNF uses the basic production rules provided in Section 2.2 of [RFC2616], those rules apply to this document as well.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
Definitions of XML elements in this document use XML element type declarations (as found in XML Document Type Declarations), described in Section 3.2 of [REC-XML]. When an XML element type in the "DAV:" namespace is referenced in this document outside of the context of an XML fragment, the string "DAV:" will be prefixed to the element name.
A principal is a network resource that represents a distinct human or computational actor that initiates access to network resources. Users and groups are represented as principals in many implementations; other types of principals are also possible. A URI of any scheme MAY be used to identify a principal resource. However, servers implementing this specification MUST expose principal resources at an http(s) URL, which is a privileged scheme that points to resources that have additional properties, as described in Section 4. So, a principal resource can have multiple URIs, one of which has to be an http(s) scheme URL. Although an implementation SHOULD support PROPFIND and MAY support PROPPATCH to access and modify information about a principal, it is not required to do so.
A principal resource may be a group, where a group is a principal that represents a set of other principals, called the members of the group. If a person or computational agent matches a principal resource that is a member of a group, they also match the group. Membership in a group is recursive, so if a principal is a member of group GRPA, and GRPA is a member of group GRPB, then the principal is also a member of GRPB.
Ability to perform a given method on a resource MUST be controlled by one or more privileges. Authors of protocol extensions that define new HTTP methods SHOULD specify which privileges (by defining new privileges, or mapping to ones below) are required to perform the method. A principal with no privileges to a resource MUST be denied any HTTP access to that resource, unless the principal matches an ACE constructed using the DAV:all, DAV:authenticated, or DAV:unauthenticated pseudo-principals (see Section 5.5.1). Servers MUST report a 403 "Forbidden" error if access is denied, except in the case where the privilege restricts the ability to know the resource exists, in which case 404 "Not Found" may be returned.
Privileges may be containers of other privileges, in which case they are termed "aggregate privileges". If a principal is granted or denied an aggregate privilege, it is semantically equivalent to granting or denying each of the aggregated privileges individually. For example, an implementation may define add-member and remove-member privileges that control the ability to add and remove a member of a group. Since these privileges control the ability to update the state of a group, these privileges would be aggregated by the DAV:write privilege on a group, and granting the DAV:write privilege on a group would also grant the add-member and remove-member privileges.
Privileges may be declared to be "abstract" for a given resource, in which case they cannot be set in an ACE on that resource. Aggregate and non-aggregate privileges are both capable of being abstract. Abstract privileges are useful for modeling privileges that otherwise would not be exposed via the protocol. Abstract privileges also provide server implementations with flexibility in implementing the privileges defined in this specification. For example, if a server is incapable of separating the read resource capability from the read ACL capability, it can still model the DAV:read and DAV:read-acl privileges defined in this specification by declaring them abstract, and containing them within a non-abstract aggregate privilege (say, read-all) that holds DAV:read, and DAV:read-acl. In this way, it is possible to set the aggregate privilege, read-all, thus coupling the setting of DAV:read and DAV:read-acl, but it is not possible to set DAV:read, or DAV:read-acl individually. Since aggregate privileges can be abstract, it is also possible to use abstract privileges to group or organize non-abstract privileges. Privilege containment loops are not allowed; therefore, a privilege MUST NOT contain itself. For example, DAV:read cannot contain DAV:read.
The set of privileges that apply to a particular resource may vary with the DAV:resourcetype of the resource, as well as between different server implementations. To promote interoperability, however, this specification defines a set of well-known privileges (e.g., DAV:read, DAV:write, DAV:read-acl, DAV:write-acl, DAV:read-current-user-privilege-set, and DAV:all), which can at least be used to classify the other privileges defined on a particular resource. The access permissions on null resources (defined in [RFC2518], Section 3) are solely those they inherit (if any), and they are not discoverable (i.e., the access control properties specified in Section 5 are not defined on null resources). On the transition from null to stateful resource, the initial access control list is set by the server's default ACL value policy (if any).
Server implementations MAY define new privileges beyond those defined in this specification. Privileges defined by individual implementations MUST NOT use the DAV: namespace, and instead should use a namespace that they control, such as an http scheme URL.
The read privilege controls methods that return information about the state of the resource, including the resource's properties. Affected methods include GET and PROPFIND. Any implementation-defined privilege that also controls access to GET and PROPFIND must be aggregated under DAV:read - if an ACL grants access to DAV:read, the client may expect that no other privilege needs to be granted to have access to GET and PROPFIND. Additionally, the read privilege MUST control the OPTIONS method.
<!ELEMENT read EMPTY>
The write privilege controls methods that lock a resource or modify the content, dead properties, or (in the case of a collection) membership of the resource, such as PUT and PROPPATCH. Note that state modification is also controlled via locking (see section 5.3 of [RFC2518]), so effective write access requires that both write privileges and write locking requirements are satisfied. Any implementation-defined privilege that also controls access to methods modifying content, dead properties or collection membership must be aggregated under DAV:write, e.g., if an ACL grants access to DAV:write, the client may expect that no other privilege needs to be granted to have access to PUT and PROPPATCH.
<!ELEMENT write EMPTY>
The DAV:write-properties privilege controls methods that modify the dead properties of the resource, such as PROPPATCH. Whether this privilege may be used to control access to any live properties is determined by the implementation. Any implementation-defined privilege that also controls access to methods modifying dead properties must be aggregated under DAV:write-properties - e.g., if an ACL grants access to DAV:write-properties, the client can safely expect that no other privilege needs to be granted to have access to PROPPATCH.
<!ELEMENT write-properties EMPTY>
The DAV:write-content privilege controls methods that modify the content of an existing resource, such as PUT. Any implementation-defined privilege that also controls access to content must be aggregated under DAV:write-content - e.g., if an ACL grants access to DAV:write-content, the client can safely expect that no other privilege needs to be granted to have access to PUT. Note that PUT - when applied to an unmapped URI - creates a new resource and therefore is controlled by the DAV:bind privilege on the parent collection.
<!ELEMENT write-content EMPTY>
The DAV:unlock privilege controls the use of the UNLOCK method by a principal other than the lock owner (the principal that created a lock can always perform an UNLOCK). While the set of users who may lock a resource is most commonly the same set of users who may modify a resource, servers may allow various kinds of administrators to unlock resources locked by others. Any privilege controlling access by non-lock owners to UNLOCK MUST be aggregated under DAV:unlock.
A lock owner can always remove a lock by issuing an UNLOCK with the correct lock token and authentication credentials. That is, even if a principal does not have DAV:unlock privilege, they can still remove locks they own. Principals other than the lock owner can remove a lock only if they have DAV:unlock privilege and they issue an UNLOCK with the correct lock token. Lock timeout is not affected by the DAV:unlock privilege.
<!ELEMENT unlock EMPTY>
The DAV:read-acl privilege controls the use of PROPFIND to retrieve the DAV:acl property of the resource.
<!ELEMENT read-acl EMPTY>
The DAV:read-current-user-privilege-set privilege controls the use of PROPFIND to retrieve the DAV:current-user-privilege-set property of the resource.
Clients are intended to use this property to visually indicate in
their UI items that are dependent on the permissions of a
resource, for example, by graying out resources that are not
writeable.
This privilege is separate from DAV:read-acl because there is a need to allow most users access to the privileges permitted the current user (due to its use in creating the UI), while the full ACL contains information that may not be appropriate for the current authenticated user. As a result, the set of users who can view the full ACL is expected to be much smaller than those who can read the current user privilege set, and hence distinct privileges are needed for each.
<!ELEMENT read-current-user-privilege-set EMPTY>
The DAV:write-acl privilege controls use of the ACL method to modify the DAV:acl property of the resource.
<!ELEMENT write-acl EMPTY>
The DAV:bind privilege allows a method to add a new member URL to the specified collection (for example via PUT or MKCOL). It is ignored for resources that are not collections.
<!ELEMENT bind EMPTY>
The DAV:unbind privilege allows a method to remove a member URL from the specified collection (for example via DELETE or MOVE). It is ignored for resources that are not collections.
<!ELEMENT unbind EMPTY>
DAV:all is an aggregate privilege that contains the entire set of privileges that can be applied to the resource.
<!ELEMENT all EMPTY>
Server implementations are free to aggregate the predefined privileges (defined above in Sections 3.1-3.10) subject to the following limitations:
DAV:read-acl MUST NOT contain DAV:read, DAV:write, DAV:write-acl, DAV:write-properties, DAV:write-content, or DAV:read-current-user-privilege-set.
DAV:write-acl MUST NOT contain DAV:write, DAV:read, DAV:read-acl, or DAV:read-current-user-privilege-set.
DAV:read-current-user-privilege-set MUST NOT contain DAV:write, DAV:read, DAV:read-acl, or DAV:write-acl.
DAV:write MUST NOT contain DAV:read, DAV:read-acl, or DAV:read-current-user-privilege-set.
DAV:read MUST NOT contain DAV:write, DAV:write-acl, DAV:write-properties, or DAV:write-content.
DAV:write MUST contain DAV:bind, DAV:unbind, DAV:write-properties and DAV:write-content.
Principals are manifested to clients as a WebDAV resource, identified by a URL. A principal MUST have a non-empty DAV:displayname property (defined in Section 13.2 of [RFC2518]), and a DAV:resourcetype property (defined in Section 13.9 of [RFC2518]). Additionally, a principal MUST report the DAV:principal XML element in the value of the DAV:resourcetype property. The element type declaration for DAV:principal is:
<!ELEMENT principal EMPTY>
This protocol defines the following additional properties for a principal. Since it can be expensive for a server to retrieve access control information, the name and value of these properties SHOULD NOT be returned by a PROPFIND allprop request (as defined in Section 12.14.1 of [RFC2518]).
This protected property, if non-empty, contains the URIs of network resources with additional descriptive information about the principal. This property identifies additional network resources (i.e., it contains one or more URIs) that may be consulted by a client to gain additional knowledge concerning a principal. One expected use for this property is the storage of an LDAP [RFC2255] scheme URL. A user-agent encountering an LDAP URL could use LDAP [RFC2251] to retrieve additional machine-readable directory information about the principal, and display that information in its user interface. Support for this property is REQUIRED, and the value is empty if no alternate URI exists for the principal.
<!ELEMENT alternate-URI-set (href*)>
A principal may have many URLs, but there must be one "principal URL" that clients can use to uniquely identify a principal. This protected property contains the URL that MUST be used to identify this principal in an ACL request. Support for this property is REQUIRED.
<!ELEMENT principal-URL (href)>
This property of a group principal identifies the principals that are direct members of this group. Since a group may be a member of another group, a group may also have indirect members (i.e., the members of its direct members). A URL in the DAV:group-member-set for a principal MUST be the DAV:principal-URL of that principal.
<!ELEMENT group-member-set (href*)>
This protected property identifies the groups in which the principal is directly a member. Note that a server may allow a group to be a member of another group, in which case the DAV:group-membership of those other groups would need to be queried in order to determine the groups in which the principal is indirectly a member. Support for this property is REQUIRED.
<!ELEMENT group-membership (href*)>
This specification defines a number of new properties for WebDAV resources. Access control properties may be retrieved just like other WebDAV properties, using the PROPFIND method. Since it is expensive, for many servers, to retrieve access control information, a PROPFIND allprop request (as defined in Section 12.14.1 of [RFC2518]) SHOULD NOT return the names and values of the properties defined in this section.
Access control properties (especially DAV:acl and DAV:inherited-acl-set) are defined on the resource identified by the Request-URI of a PROPFIND request. A direct consequence is that if the resource is accessible via multiple URI, the value of access control properties is the same across these URI.
HTTP resources that support the WebDAV Access Control Protocol MUST contain the following properties. Null resources (described in Section 3 of [RFC2518]) MUST NOT contain the following properties.
This property identifies a particular principal as being the "owner" of the resource. Since the owner of a resource often has special access control capabilities (e.g., the owner frequently has permanent DAV:write-acl privilege), clients might display the resource owner in their user interface.
Servers MAY implement DAV:owner as protected property and MAY return an empty DAV:owner element as property value in case no owner information is available.
<!ELEMENT owner (href?)>
This example shows a client request for the value of the DAV:owner property from a collection resource with URL http://www.example.com/papers/. The principal making the request is authenticated using Digest authentication. The value of DAV:owner is the URL http://www.example.com/acl/users/gstein, wrapped in the DAV:href XML element.
>> Request <<
PROPFIND /papers/ HTTP/1.1
Host: www.example.com
Content-type: text/xml; charset="utf-8"
Content-Length: xxx
Depth: 0
Authorization: Digest username="jim",
realm="users@example.com", nonce="...",
uri="/papers/", response="...", opaque="..."
<?xml version="1.0" encoding="utf-8" ?>
<D:propfind xmlns:D="DAV:">
<D:prop>
<D:owner/>
</D:prop>
</D:propfind>
>> Response <<
HTTP/1.1 207 Multi-Status
Content-Type: text/xml; charset="utf-8"
Content-Length: xxx
<?xml version="1.0" encoding="utf-8" ?>
<D:multistatus xmlns:D="DAV:">
<D:response>
<D:href>http://www.example.com/papers/</D:href>
<D:propstat>
<D:prop>
<D:owner>
<D:href>http://www.example.com/acl/users/gstein</D:href>
</D:owner>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
</D:multistatus>
The following example shows a client request to modify the value
of the DAV:owner property on the resource with URL
<http://www.example.com/papers>. Since DAV:owner is a protected property
on this particular server, it responds with a 207 (Multi-Status) response
that contains a 403 (Forbidden) status code for the act of setting
DAV:owner. Section 8.2.1 of [RFC2518] describes PROPPATCH status
code information, Section 11 of [RFC2518] describes the
Multi-Status response
and Sections 1.6 and 3.12 of [RFC3253] describe
additional error marshalling for PROPPATCH attempts on protected properties.
>> Request <<
PROPPATCH /papers/ HTTP/1.1
Host: www.example.com
Content-type: text/xml; charset="utf-8"
Content-Length: xxx
Depth: 0
Authorization: Digest username="jim",
realm="users@example.com", nonce="...",
uri="/papers/", response="...", opaque="..."
<?xml version="1.0" encoding="utf-8" ?>
<D:propertyupdate xmlns:D="DAV:">
<D:set>
<D:prop>
<D:owner>
<D:href>http://www.example.com/acl/users/jim</D:href>
</D:owner>
</D:prop>
</D:set>
</D:propertyupdate>
>> Response <<
HTTP/1.1 207 Multi-Status
Content-Type: text/xml; charset="utf-8"
Content-Length: xxx
<?xml version="1.0" encoding="utf-8" ?>
<D:multistatus xmlns:D="DAV:">
<D:response>
<D:href>http://www.example.com/papers/</D:href>
<D:propstat>
<D:prop><D:owner/></D:prop>
<D:status>HTTP/1.1 403 Forbidden</D:status>
<D:responsedescription>
<D:error><D:cannot-modify-protected-property/></D:error>
Failure to set protected property (DAV:owner)
</D:responsedescription>
</D:propstat>
</D:response>
</D:multistatus>
This property identifies a particular principal as being the "group" of the resource. This property is commonly found on repositories that implement the Unix privileges model.
Servers MAY implement DAV:group as protected property and MAY return an empty DAV:group element as property value in case no group information is available.
<!ELEMENT group (href?)>
This is a protected property that identifies the privileges defined for the resource.
<!ELEMENT supported-privilege-set (supported-privilege*)>
Each privilege appears as an XML element, where aggregate privileges list as sub-elements all of the privileges that they aggregate.
<!ELEMENT supported-privilege (privilege, abstract?, description, supported-privilege*)> <!ELEMENT privilege ANY>
An abstract privilege MUST NOT be used in an ACE for that resource. Servers MUST fail an attempt to set an abstract privilege.
<!ELEMENT abstract EMPTY>
A description is a human-readable description of what this privilege controls access to. Servers MUST indicate the human language of the description using the xml:lang attribute and SHOULD consider the HTTP Accept-Language request header when selecting one of multiple available languages.
<!ELEMENT description #PCDATA>
It is envisioned that a WebDAV ACL-aware administrative client would list the supported privileges in a dialog box, and allow the user to choose non-abstract privileges to apply in an ACE. The privileges tree is useful programmatically to map well-known privileges (defined by WebDAV or other standards groups) into privileges that are supported by any particular server implementation. The privilege tree also serves to hide complexity in implementations allowing large number of privileges to be defined by displaying aggregates to the user.
This example shows a client request for the DAV:supported-privilege-set property on the resource http://www.example.com/papers/. The value of the DAV:supported-privilege-set property is a tree of supported privileges (using "[XML Namespace , localname]" to identify each privilege):
[DAV:, all] (aggregate, abstract)
|
+-- [DAV:, read] (aggregate)
|
+-- [DAV:, read-acl] (abstract)
+-- [DAV:, read-current-user-privilege-set] (abstract)
|
+-- [DAV:, write] (aggregate)
|
+-- [DAV:, write-acl] (abstract)
+-- [DAV:, write-properties]
+-- [DAV:, write-content]
|
+-- [DAV:, unlock]
This privilege tree is not normative (except that it reflects the normative aggregation rules given in Section 3.12), and many possible privilege trees are possible.
>> Request <<
PROPFIND /papers/ HTTP/1.1
Host: www.example.com
Content-type: text/xml; charset="utf-8"
Content-Length: xxx
Depth: 0
Authorization: Digest username="gclemm",
realm="users@example.com", nonce="...",
uri="/papers/", response="...", opaque="..."
<?xml version="1.0" encoding="utf-8" ?>
<D:propfind xmlns:D="DAV:">
<D:prop>
<D:supported-privilege-set/>
</D:prop>
</D:propfind>
>> Response <<
HTTP/1.1 207 Multi-Status
Content-Type: text/xml; charset="utf-8"
Content-Length: xxx
<?xml version="1.0" encoding="utf-8" ?>
<D:multistatus xmlns:D="DAV:">
<D:response>
<D:href>http://www.example.com/papers/</D:href>
<D:propstat>
<D:prop>
<D:supported-privilege-set>
<D:supported-privilege>
<D:privilege><D:all/></D:privilege>
<D:abstract/>
<D:description xml:lang="en">
Any operation
</D:description>
<D:supported-privilege>
<D:privilege><D:read/></D:privilege>
<D:description xml:lang="en">
Read any object
</D:description>
<D:supported-privilege>
<D:privilege><D:read-acl/></D:privilege>
<D:abstract/>
<D:description xml:lang="en">Read ACL</D:description>
</D:supported-privilege>
<D:supported-privilege>
<D:privilege>
<D:read-current-user-privilege-set/>
</D:privilege>
<D:abstract/>
<D:description xml:lang="en">
Read current user privilege set property
</D:description>
</D:supported-privilege>
</D:supported-privilege>
<D:supported-privilege>
<D:privilege><D:write/></D:privilege>
<D:description xml:lang="en">
Write any object
</D:description>
<D:supported-privilege>
<D:privilege><D:write-acl/></D:privilege>
<D:description xml:lang="en">
Write ACL
</D:description>
<D:abstract/>
</D:supported-privilege>
<D:supported-privilege>
<D:privilege><D:write-properties/></D:privilege>
<D:description xml:lang="en">
Write properties
</D:description>
</D:supported-privilege>
<D:supported-privilege>
<D:privilege><D:write-content/></D:privilege>
<D:description xml:lang="en">
Write resource content
</D:description>
</D:supported-privilege>
</D:supported-privilege>
<D:supported-privilege>
<D:privilege><D:unlock/></D:privilege>
<D:description xml:lang="en">
Unlock resource
</D:description>
</D:supported-privilege>
</D:supported-privilege>
</D:supported-privilege-set>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
</D:multistatus>
DAV:current-user-privilege-set is a protected property containing the exact set of privileges (as computed by the server) granted to the currently authenticated HTTP user. Aggregate privileges and their contained privileges are listed. A user-agent can use the value of this property to adjust its user interface to make actions inaccessible (e.g., by graying out a menu item or button) for which the current principal does not have permission. This property is also useful for determining what operations the current principal can perform, without having to actually execute an operation.
<!ELEMENT current-user-privilege-set (privilege*)> <!ELEMENT privilege ANY>
If the current user is granted a specific privilege, that privilege must belong to the set of privileges that may be set on this resource. Therefore, each element in the DAV:current-user-privilege-set property MUST identify a non-abstract privilege from the DAV:supported-privilege-set property.
Continuing the example from Section 5.3.1, this example shows a client requesting the DAV:current-user-privilege-set property from the resource with URL http://www.example.com/papers/. The username of the principal making the request is "khare", and Digest authentication is used in the request. The principal with username "khare" has been granted the DAV:read privilege. Since the DAV:read privilege contains the DAV:read-acl and DAV:read-current-user-privilege-set privileges (see Section 5.3.1), the principal with username "khare" can read the ACL property, and the DAV:current-user-privilege-set property. However, the DAV:all, DAV:read-acl, DAV:write-acl and DAV:read-current-user-privilege-set privileges are not listed in the value of DAV:current-user-privilege-set, since (for this example) they are abstract privileges. DAV:write is not listed since the principal with username "khare" is not listed in an ACE granting that principal write permission.
>> Request <<
PROPFIND /papers/ HTTP/1.1
Host: www.example.com
Content-type: text/xml; charset="utf-8"
Content-Length: xxx
Depth: 0
Authorization: Digest username="khare",
realm="users@example.com", nonce="...",
uri="/papers/", response="...", opaque="..."
<?xml version="1.0" encoding="utf-8" ?>
<D:propfind xmlns:D="DAV:">
<D:prop>
<D:current-user-privilege-set/>
</D:prop>
</D:propfind>
>> Response <<
HTTP/1.1 207 Multi-Status
Content-Type: text/xml; charset="utf-8"
Content-Length: xxx
<?xml version="1.0" encoding="utf-8" ?>
<D:multistatus xmlns:D="DAV:">
<D:response>
<D:href>http://www.example.com/papers/</D:href>
<D:propstat>
<D:prop>
<D:current-user-privilege-set>
<D:privilege><D:read/></D:privilege>
</D:current-user-privilege-set>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
</D:multistatus>
This is a protected property that specifies the list of access control entries (ACEs), which define what principals are to get what privileges for this resource.
<!ELEMENT acl (ace*) >
Each DAV:ace element specifies the set of privileges to be either granted or denied to a single principal. If the DAV:acl property is empty, no principal is granted any privilege.
<!ELEMENT ace ((principal | invert), (grant|deny), protected?,
inherited?)>
The DAV:principal element identifies the principal to which this ACE applies.
<!ELEMENT principal (href | all | authenticated | unauthenticated | property | self)>
The current user matches DAV:href only if that user is authenticated as being (or being a member of) the principal identified by the URL contained by that DAV:href.
The current user always matches DAV:all.
<!ELEMENT all EMPTY>
The current user matches DAV:authenticated only if authenticated.
<!ELEMENT authenticated EMPTY>
The current user matches DAV:unauthenticated only if not authenticated.
<!ELEMENT unauthenticated EMPTY>
DAV:all is the union of DAV:authenticated, and DAV:unauthenticated. For a given request, the user matches either DAV:authenticated, or DAV:unauthenticated, but not both (that is, DAV:authenticated and DAV:unauthenticated are disjoint sets).
The current user matches a DAV:property principal in a DAV:acl property of a resource only if the value of the identified property of that resource contains at most one DAV:href XML element, the URI value of DAV:href identifies a principal, and the current user is authenticated as being (or being a member of) that principal. For example, if the DAV:property element contained <DAV:owner/>, the current user would match the DAV:property principal only if the current user is authenticated as matching the principal identified by the DAV:owner property of the resource.
| I 5.5.1_principal_property (type: change, status: closed) | ||
| stefan.eissing@greenbytes.de | 2004-03-08 |
The DAV:property principal requires some clarification:
1) is it required that a DAV:property principal, set by a client, will be reported as DAV:property principal by the server? Or, putting it another way, is the server allowed to "resolve" a DAV:property principal on set and report on that ACE the resolved principal *at the time of ACE update*? I think the server should not be allowed to do that and has to report DAV:property principals back. 2) Is every server expected to support DAV:property principals as described in 1)? That should be a "no", unless we allow resolving principals on updating ACL. 3) How is a client supposed to learn about support of DAV:property principals in the server? One thing is to define a precondition DAV:property-principal to be used in response bodies. More desirable would be a DAV:unsupported-principals property, which could list DAV:property or even DAV:unauthorized to be not supported by the server. We are very late in the process. I think adding another precondition should not be a problem, if we can agree. |
| 2004-03-17 | Resolution:
No change. Explanation: 1) The server is not allowed to do that and has to report DAV:property principals back. 2) Servers do not have to support this. 3) Use the DAV:allowed-principals precondition. |
|
<!ELEMENT property ANY>
The current user matches DAV:self in a DAV:acl property of the resource only if that resource is a principal and that principal matches the current user or, if the principal is a group, a member of that group matches the current user.
<!ELEMENT self EMPTY>
Some servers may support ACEs applying to those users NOT matching the current principal, e.g., all users not in a particular group. This can be done by wrapping the DAV:principal element with DAV:invert.
<!ELEMENT invert principal>
Each DAV:grant or DAV:deny element specifies the set of privileges to be either granted or denied to the specified principal. A DAV:grant or DAV:deny element of the DAV:acl of a resource MUST only contain non-abstract elements specified in the DAV:supported-privilege-set of that resource.
<!ELEMENT grant (privilege+)> <!ELEMENT deny (privilege+)> <!ELEMENT privilege ANY>
A server indicates an ACE is protected by including the DAV:protected element in the ACE. If the ACL of a resource contains an ACE with a DAV:protected element, an attempt to remove that ACE from the ACL MUST fail.
<!ELEMENT protected EMPTY>
The presence of a DAV:inherited element indicates that this ACE is inherited from another resource that is identified by the URL contained in a DAV:href element. An inherited ACE cannot be modified directly, but instead the ACL on the resource from which it is inherited must be modified.
Note that ACE inheritance is not the same as ACL initialization. ACL initialization defines the ACL that a newly created resource will use (if not specified). ACE inheritance refers to an ACE that is logically shared - where an update to the resource containing an ACE will affect the ACE of each resource that inherits that ACE. The method by which ACLs are initialized or by which ACEs are inherited is not defined by this document.
<!ELEMENT inherited (href)>
Continuing the example from Sections 5.3.1 and 5.4.1, this example shows a client requesting the DAV:acl property from the resource with URL http://www.example.com/papers/. There are two ACEs defined in this ACL:
ACE #1: The group identified by URL http://www.example.com/acl/groups/maintainers (the group of site maintainers) is granted DAV:write privilege. Since (for this example) DAV:write contains the DAV:write-acl privilege (see Section 5.3.1), this means the "maintainers" group can also modify the access control list.
ACE #2: All principals (DAV:all) are granted the DAV:read privilege. Since (for this example) DAV:read contains DAV:read-acl and DAV:read-current-user-privilege-set, this means all users (including all members of the "maintainers" group) can read the DAV:acl property and the DAV:current-user-privilege-set property.
>> Request <<
PROPFIND /papers/ HTTP/1.1
Host: www.example.com
Content-type: text/xml; charset="utf-8"
Content-Length: xxx
Depth: 0
Authorization: Digest username="masinter",
realm="users@example.com", nonce="...",
uri="/papers/", response="...", opaque="..."
<D:propfind xmlns:D="DAV:">
<D:prop>
<D:acl/>
</D:prop>
</D:propfind>
>> Response <<
HTTP/1.1 207 Multi-Status
Content-Type: text/xml; charset="utf-8"
Content-Length: xxx
<D:multistatus xmlns:D="DAV:">
<D:response>
<D:href>http://www.example.com/papers/</D:href>
<D:propstat>
<D:prop>
<D:acl>
<D:ace>
<D:principal>
<D:href
>http://www.example.com/acl/groups/maintainers</D:href>
</D:principal>
<D:grant>
<D:privilege><D:write/></D:privilege>
</D:grant>
</D:ace>
<D:ace>
<D:principal>
<D:all/>
</D:principal>
<D:grant>
<D:privilege><D:read/></D:privilege>
</D:grant>
</D:ace>
</D:acl>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
</D:multistatus>
This protected property defines the types of ACLs supported by this server, to avoid clients needlessly getting errors. When a client tries to set an ACL via the ACL method, the server may reject the attempt to set the ACL as specified. The following properties indicate the restrictions the client must observe before setting an ACL: