[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[leafnode-list] Re: authentication questions

On Fri-2009/01/23-17:26 Eric S. Johansson wrote:

> I know from the documentation, it's possible to authenticate using
> PAM.  That authentication gives you access to all the newsgroups on
> a server.  is it possible to restrict specific newsgroups to subset of
> the entire user population?

Hi Eric,

how do you want to configure this per-group authorization feature?  Have
you thought about that?  With Lua, admins get a normal leafnode2 with
callouts littered all over the code.  The callouts are quite generic,
meaning the scripting backend calls user supplied Lua functions with
predefined names that are given certain arguments, usually strings
representing copies of some string or numeric variables.

I am currently cooking up a sample, and it goes like this:  the admin
defines groups of commands (loosely related to NNTP protocol commands),
groups of users and groups of group names.  He gets to define as many as
he likes, and combines them into a table.  This table is iterated over
until Lua finds a match, upon which the current user is granted access.
If none of the combinations match, the user may not use the current
command, or its output is filtered to hide some group or article.


UNAUTHENTICATED_USER is the constant naming users not having
authenticated yet or not having authenticated successfully.  The global
variable AUTHENTICATED_USER containes either this value or the name
(user-ID) of the user who knew his password.

-- A leading "!" means negation

user_low_priv = "chillun_anny|chillun_sammy"
user_low_priv = user_low_priv .. "|" .. UNAUTHENTICATED_USER
user_hi_priv = "!chillun_anny|chillun_sammy"
user_hi_priv = user_hi_priv .. "|" .. UNAUTHENTICATED_USER

-- matches every command
command_any = "."

-- matches the substring "rockets" prefixed with some punctuation
-- character.
groups_hi_priv = "."
groups_low_priv = "!%prockets"

group_auth {
    {command_any, user_hi_priv, groups_hi_priv},
    {command_any, user_low_priv, groups_low_priv}

"group_auth" is the central table mentioned above.  Admins may further
define sets of commands some user group may use, but denying access
will not automatically lead to visible protocol errors.  I have tried to
implement hiding of groups or articles instead of thinking up artificial
protocol errors, so "illegal commands" will work as expected, but return
empty results to the connecting client.  The possibility to define
command sets is just there to have more fine grained control in the
configuration table.

All the access checks are based on two C-routines:  one registers
a user, the other gets to see every command he issues on any group or
article.  The code is written and lightly tested on the C-side and there
is a proof-of-concept on the Lua-side.  The design of the sample is
outlined above, but not finished yet.

Is all this ok with you, or at least understandable?  Since you asked
for the feature, Eric, you may well have to be the guinea-pig.  On the
lighter side, testing should be very easy:  as leafnode sees client
connections on stdin and stdout, you just compile the source with
Lua enabled, call "./leafnode -e -l `pwd`/script-groupauth.lua" from
the shell and start typing NNTP commands.  You can do this without
installing the entire package or the script, until you think things are
working out.  Then you could make a temporary setup or go all the way,
backup the current leafnode and install the new one for testing with
a normal client.

regards, clemens

leafnode-list mailing list