Understanding ACLs

One of the confusing things about our wiki pages (even to me!) is understanding how access control lists (ACLs) work.

ACLs tell the wiki server who has access rights to any given wiki page. There are five types of access rights that can be assigned:

read - read access to a wiki page

write - write (ie: editing) rights to a wiki page

delete - the ability to delete a wiki page

revert - the ability to return a wiki page to an earlier version

admin - admin rights to a page, which realistically means the ability to create new pages

These rights can be assigned to a single user, a group of users, or to "All" (which in practical terms means "everybody else").

All members of any given lab who have an account on the wiki server are a member of the lab's group. For example, if Joe Blow is a member of the HLP lab and has an account on the wiki server, he's typically made a member of the "HlpLabGroup". This is done primarily to make it easy to give people access rights to the wiki.

The entire wiki site belonging to a lab is called a wiki instance. Each instance has a configuration file that I set up, and that configuration file contains the default ACLs for that wiki instance. Our wikis specify three types of default access rights:

If you create a new wiki page and the default access rights for your lab are appropriate for that page, you don't need to do anything special in the way the wiki page is written. The server will simply apply the default rights for your wiki instance.

If the default access rights are NOT appropriate and you want to modify them, you do this by adding a special line of code at the very top of the wiki page that explicitly defines the access rights for that page. It *must* be the very first line in the wiki page's code.

The syntax for this special line of code is:

#acl <whatever rights you want to set>

The rights specified in an #acl line supercede the wiki instance's default rights.

For example, let's say that the default rights for your instance are set so the group "LabGroup" has full access rights, and everybody else (ie: "All") have read-only access. You create a page that you do NOT want the general public to be able to read. As such, you would add an ACL line at the very top of the page that looks like this:

#acl LabGroup:read,write,delete,revert,admin All:

Here, you've specified that "LabGroup" has all five of the necessary access rights for full access, and "All" has *no* rights. As such, the server will give everybody who is a member of "LabGroup" full access rights, and give everybody else no rights at all. (I as administrator automatically get full access rights...the #acl line has no effect on this.)

Now for some examples. Let's say that Joe Blow is a member of "LabGroup" and he creates a wiki page, but he wants to be the only one who has any access rights to it. As such, Joe would add this ACL line at the top of his wiki page:

#acl JoeBlow:read,write,delete,revert,admin All:

Here, Joe has assigned himself full rights, and everybody else no rights. "LabGroup" is part of "All" in this case because no explicit rights for "LabGroup" were specified, so all of the members of "LabGroup", except for Joe Blow, have no rights to this page. Joe could also be more explicit about rights by using this line instead, which is functionally equivalent to the line above:

#acl JoeBlow:read,write,delete,revert,admin LabGroup: All:

The important concept to understand with ACLs is that the server reads ACL lines from left to right, looking to match you to an entry in the line. As soon as it finds a match, it will apply the access rights it finds for you and stop looking for more access rights for you. As such, when you create an "#acl" line, the order in which you list users must go from most specific to least specific to ensure that all users get the correct rights.

For example, if you were going to explicitly assign access rights to an individual user, your lab's group, and the general public, then your ACL line should be in this order:

#acl IndividualUser:<rights> LabGroup:<rights> All:<rights>

This guarantees that each person gets the correct rights. If you were to write the ACL like this:

#acl All:<rights> LabGroup:<rights> IndividualUser:<rights>

Then everybody would get the rights for "All", because the server first checks to see if you match "All", and everybody matches "All". It stops looking for more ACLs for you, and thus skips over the rest of the line.

Now let's say that Marge Simpson is a member of "LabGroup", and wants to create a wiki page that everybody in "LabGroup" can access EXCEPT for Joe Blow. She also wants to make sure the general public can't read the page. To accomplish this, her ACL line would look like this:

#acl JoeBlow: LabGroup:read,write,delete,revert,admin All:

Since Joe is a member of "LabGroup", Marge must explicitly deny Joe's rights before specifying the rights for "LabGroup". The server will deny him rights based on this first entry, then proceed to give all other members the group full rights because they match the "LabGroup" entry. Finally, everybody else matches "All", so everybody else gets no rights.

Hopefully this gives you a better understanding of how ACLs work. If you have any questions, please let me know.


ComputerHelp: UnderstandingAcls (last edited 2016-03-18 15:07:53 by WikiAdministrator)

MoinMoin Appliance - Powered by TurnKey Linux