annotate xmpp/xep-proto-abac.xml @ 124:8ea34bd97286

CR de l'AG ordinaire 2016 à Prague
author souliane <souliane@mailoo.org>
date Fri, 14 Oct 2016 18:38:33 +0200
parents 57dfd2ab2881
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
38
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
1 <?xml version='1.0' encoding='UTF-8'?>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
2 <!DOCTYPE xep SYSTEM 'xep.dtd' [
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
3 <!ENTITY % ents SYSTEM 'xep.ent'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
4 %ents;
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
5 ]>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
6 <?xml-stylesheet type='text/xsl' href='xep.xsl'?>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
7 <xep>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
8 <header>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
9 <title>Attribute Based Access Control</title>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
10 <abstract>This specification adapt Attribute Based Access Control (ABAC) model to XMPP</abstract>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
11 <legal>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
12 <copyright>This XMPP Extension Protocol is copyright (c) 1999 - 2014 by the XMPP Standards Foundation (XSF).</copyright>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
13 <permissions>Permission is hereby granted, free of charge, to any person obtaining a copy of this specification (the &quot;Specification&quot;), to make use of the Specification without restriction, including without limitation the rights to implement the Specification in a software program, deploy the Specification in a network service, and copy, modify, merge, publish, translate, distribute, sublicense, or sell copies of the Specification, and to permit persons to whom the Specification is furnished to do so, subject to the condition that the foregoing copyright notice and this permission notice shall be included in all copies or substantial portions of the Specification. Unless separate permission is granted, modified works that are redistributed shall not contain misleading information regarding the authors, title, number, or publisher of the Specification, and shall not claim endorsement of the modified works by the authors, any organization or project to which the authors belong, or the XMPP Standards Foundation.</permissions>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
14 <warranty>## NOTE WELL: This Specification is provided on an &quot;AS IS&quot; BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. In no event shall the XMPP Standards Foundation or the authors of this Specification be liable for any claim, damages, or other liability, whether in an action of contract, tort, or otherwise, arising from, out of, or in connection with the Specification or the implementation, deployment, or other use of the Specification. ##</warranty>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
15 <liability>In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall the XMPP Standards Foundation or any author of this Specification be liable for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising out of the use or inability to use the Specification (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if the XMPP Standards Foundation or such author has been advised of the possibility of such damages.</liability>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
16 <conformance>This XMPP Extension Protocol has been contributed in full conformance with the XSF's Intellectual Property Rights Policy (a copy of which may be found at &lt;<link url='http://xmpp.org/extensions/ipr-policy.shtml'>http://xmpp.org/extensions/ipr-policy.shtml</link>&gt; or obtained by writing to XSF, P.O. Box 1641, Denver, CO 80201 USA).</conformance>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
17 </legal>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
18 <number>xxxx</number>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
19 <status>ProtoXEP</status>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
20 <type>Standards Track</type>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
21 <sig>Standards</sig>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
22 <approver>Council</approver>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
23 <dependencies>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
24 <spec>XMPP Core</spec>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
25 <spec>XEP-0114</spec>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
26 <spec>XEP-0004</spec>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
27 </dependencies>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
28 <supersedes/>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
29 <supersededby/>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
30 <shortname>NOT_YET_ASSIGNED</shortname>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
31 <author>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
32 <firstname>Jérôme</firstname>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
33 <surname>Poisson</surname>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
34 <email>goffi@goffi.org</email>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
35 <jid>goffi@jabber.fr</jid>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
36 </author>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
37 <revision>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
38 <version>0.0.1</version>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
39 <date>2014-05-09</date>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
40 <initials>jp</initials>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
41 <remark><p>First draft.</p></remark>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
42 </revision>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
43 </header>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
44
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
45 <section1 topic='Introduction' anchor='intro'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
46 <p>Different access control models are used in XMPP, most of time Role Based Access Model (RBAC) like in MUC, or Identity Based Access Model (IBAC) like [...]</p>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
47 <p>Privileged entities have numerous advantages, including:</p>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
48 <ul>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
49 <li>a step forward in decentralization: it is possible for an entity to do tasks which were before reserved to server itself. For example, a privileged pubsub component can offer access model based on publisher's roster</li>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
50 <li>better integration of components: a gateway can add items to an entity roster itself</li>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
51 <li>possibility to overpass a server limitation (typically: incomplete PEP implementation)</li>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
52 <li>quick development cycle: developers can implement the components they need without waiting for a new server release</li>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
53 <li>server agnostic</li>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
54 </ul>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
55 <p>Privileged entity has been created with the main goal to create an external, server agnostic, PEP service. It is restricted to only a couple of features, see <link url='#acks'>Acknowledgements section</link> for more details</p>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
56 </section1>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
57
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
58 <section1 topic='Requirements' anchor='reqs'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
59 <p>A privileged entity must be able to do what a PEP service can do and to access roster, so it must be able to (according to configuration):</p>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
60 <ul>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
61 <li>get and modify the roster of any entity managed by the server</li>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
62 <li>send a &MESSAGE; stanza on behalf of the server</li>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
63 <li>access &PRESENCE; informations for entities in a managed entity's roster (and for managed entity itself)</li>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
64 </ul>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
65 <p>The privilege mechanism MUST be totally transparent for the managed entities.</p>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
66 </section1>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
67
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
68 <section1 topic='Glossary' anchor='glossary'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
69 <ul>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
70 <li><strong>Privileged entity</strong> the entity which has a privileged status.</li>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
71 <li><strong>Managed entity</strong> the entity that is managed by a privileged entity.</li>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
72 </ul>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
73 </section1>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
74
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
75 <section1 topic='Accessing roster' anchor='access_roster'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
76
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
77 <section2 topic='Server Allows Roster Access' anchor='server_roster'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
78 <p>Roster access is granted in the server configuration. Roster access can have 4 types:</p>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
79 <ul>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
80 <li><strong>none</strong> the entity is not allowed to access managed entity roster at all. This MUST be the default value.</li>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
81 <li><strong>get</strong> the entity is allowed to send &IQ; stanzas of type <em>'get'</em> for the namespace 'jabber:iq:roster'.</li>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
82 <li><strong>set</strong> the entity is allowed to send &IQ; stanzas of type <em>'set'</em> for namespace 'jabber:iq:roster'.</li>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
83 <li><strong>both</strong> the entity is allowed to send &IQ; stanzas of type <em>'get'</em> and <em>'set'</em> for namespace 'jabber:iq:roster'.</li>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
84 </ul>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
85 </section2>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
86
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
87 <section2 topic='Server Advertise Entity Of Allowed Permission' anchor='advertise_roster'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
88 <p>Once an entity is authenticated and stream is started, the server send it a &MESSAGE; stanza with a &lt;privilege&gt; elements which MUST have the namespace 'urn:xmpp:privilege:0'. This element contains &lt;perm&gt; elements which MUST contain a 'namespace' attribute of the value "jabber:iq:roster" and a 'type' attribute which must correspond to the type configured as specified in <link url='#server_roster'>"Server Allows Roster Access" section</link></p>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
89 <example caption='Server Advertise Roster Privilege'><![CDATA[
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
90 <message from='capulet.net' to='pubub.capulet.lit' id='12345'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
91 <privilege xmlns='urn:xmpp:privilege:0'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
92 <perm namespace='jabber:iq:roster' type='both'/>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
93 </privilege>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
94 </message>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
95 ]]></example>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
96 <p>Here <em>pubsub.capulet.lit</em> is allowed to do <em>get</em> and <em>set</em> operations on all entities managed by capulet.lit</p>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
97 </section2>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
98
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
99 <section2 topic='Privileged Entity Manage Roster' anchor='priv_manage_roster'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
100 <p>Doing a <em>get</em> or <em>set</em> operation on the roster of a managed entity is done in the usual way (as described in &rfc6121; section 2), except that the 'to' attribute is set to the attribute of the managed entity. The server MUST check that the privileged entity has right to <em>get</em> or <em>set</em> the roster of managed entity, and MUST return a &forbidden; error if it is not the case:</p>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
101 <example caption='Privileged Entity Get Managed Entity Roster'><![CDATA[
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
102 <iq id='roster1'
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
103 from='pubsub.capulet.lit'
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
104 to='juliet@example.com'
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
105 type='get'
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
106 id='roster1'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
107 <query xmlns='jabber:iq:roster'/>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
108 </iq>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
109 ]]></example>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
110
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
111 <p>The server then answers normally, as it would have done to the managed entity:</p>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
112 <example caption='Server Answers To Privileged Entity'><![CDATA[
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
113 <iq id='roster1'
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
114 from='juliet@example.com'
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
115 to='pubsub.capulet.net'
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
116 type='result'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
117 <query xmlns='jabber:iq:roster' ver='ver7'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
118 <item jid='nurse@example.com'/>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
119 <item jid='romeo@example.net'/>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
120 </query>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
121 </iq>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
122 ]]></example>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
123
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
124 </section2>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
125 </section1>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
126
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
127 <section1 topic='Message Permission' anchor='message'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
128 <section2 topic='Authorizing Messages' anchor='auth_mess'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
129 <p>In some cases, it can be desirable to send notifications (e.g. PEP service), so the privileged entity must be able to send &MESSAGE; stanzas. This is allowed in server configuration in the same way as for roster permission. The permission type can have the following values:</p>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
130 <ul>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
131 <li><strong>none</strong> the entity is not allowed to send &MESSAGE; stanza in the name of the server. This MUST be the default value.</li>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
132 <li><strong>outgoing</strong> the entity is allowed to send &MESSAGE; stanzas in the name of the server, according to following restrictions.</li>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
133 </ul>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
134 <p>A privileged entity can then send message on the behalf either of the server or of a bare JID of the server, using &xep0297;, with the following restrictions:</p>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
135 <ol>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
136 <li>forwarded &MESSAGE; 'type' attribute has the value of "headline"</li>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
137 <li>forwarded &MESSAGE; 'from' attribute MUST be a bare JID from the server, no resource is allowed</li>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
138 </ol>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
139 <p>If any of this rules is violated, the server MUST return a &lt;not-authorized/&gt; stream error and close the connection, as explained in &rfc6120; section 4.9.3.12.</p>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
140 </section2>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
141
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
142 <section2 topic='Advertising Permission' anchor='advertise_mess'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
143 <p>Server advertise "message" permission in the same way as for "roster" permission, except that 'namespace' attribute has the value of "message", and the 'type' attribute as a value of 'outgoing':</p>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
144 <example caption='Server Advertise Roster And Message Privileges'><![CDATA[
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
145 <message from='capulet.net' to='pubub.capulet.lit' id='54321'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
146 <privilege xmlns='urn:xmpp:privilege:0'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
147 <perm namespace='jabber:iq:roster' type='both'/>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
148 <perm namespace='message' type='outgoing'/>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
149 </privilege>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
150 </message>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
151 ]]></example>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
152 </section2>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
153
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
154 <section2 topic='Sending messages' anchor='sending_mess'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
155 <p>Now that <em>pubsub.capulet.lit</em> is allowed, it can send messages using &lt;forwarded/&gt; elements.</p>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
156 <example caption='privileged entity send a notificaction message'><![CDATA[
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
157 <message from='pubsub.capulet.lit' to='capulet.lit' id='notif1'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
158 <forwarded xmlns='urn:xmpp:forward:0'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
159 <message from='juliet@capulet.lit'
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
160 id='foo'
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
161 to='romeo@montague.lit/orchard'
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
162 type='headline'
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
163 xmlns='jabber:client'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
164 <event xmlns='http://jabber.org/protocol/pubsub#event'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
165 <items node='http://jabber.org/protocol/tune'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
166 <item>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
167 <tune xmlns='http://jabber.org/protocol/tune'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
168 <artist>Gerald Finzi</artist>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
169 <length>255</length>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
170 <source>Music for "Love's Labors Lost" (Suite for small orchestra)</source>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
171 <title>Introduction (Allegro vigoroso)</title>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
172 <track>1</track>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
173 </tune>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
174 </item>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
175 </items>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
176 </event>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
177 <delay xmlns='urn:xmpp:delay' stamp='2014-11-25T14:34:32Z'/>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
178 </message>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
179 </forwarded>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
180 </message>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
181 ]]></example>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
182 <p>The server sees that forwarded message type is '<em>headline</em>', that <em>juliet@capulet.lit</em> is a bare JID of the server, and that outgoing message permission was granted in admin mode (so all bare JIDs from server are allowed); it can now send the notification:</p>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
183 <example caption='server sends the notification as if it was originating from him'><![CDATA[
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
184 <message from='juliet@capulet.lit'
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
185 id='bar'
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
186 to='romeo@montague.lit/orchard'
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
187 type='headline'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
188 <event xmlns='http://jabber.org/protocol/pubsub#event'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
189 <items node='http://jabber.org/protocol/tune'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
190 <item>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
191 <tune xmlns='http://jabber.org/protocol/tune'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
192 <artist>Gerald Finzi</artist>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
193 <length>255</length>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
194 <source>Music for "Love's Labors Lost" (Suite for small orchestra)</source>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
195 <title>Introduction (Allegro vigoroso)</title>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
196 <track>1</track>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
197 </tune>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
198 </item>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
199 </items>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
200 </event>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
201 <delay xmlns='urn:xmpp:delay' stamp='2014-11-25T14:34:32Z'/>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
202 </message>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
203 ]]></example>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
204 </section2>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
205 </section1>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
206
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
207 <section1 topic='Presence Permission' anchor='presence'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
208 <section2 topic='Managed Entity Presence' anchor='managed_ent_presence'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
209 <p>It can be often desirable for a privileged entity to have presence information of the managed entities (e.g. to know when to send them notificiations). As privileges must be transparent for the managed entity, this presence has to be sent by the server without modifying managed entity roster.</p>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
210 <p>This is allowed in server configuration in the same way as for <em>roster</em> and <em>message</em> permissions. The "presence" type can have the following values:</p>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
211 <ul>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
212 <li><strong>none</strong> the entity is not allowed to access &PRESENCE; informations at all. This MUST be the default value.</li>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
213 <li><strong>managed_entity</strong> the entity is allowed to receive managed entity presence (see below).</li>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
214 <li><strong>roster</strong> the entity is allowed to receive presence informations of managed entity contacts, see <link url='#roster_presence'>Roster Presence section</link>.</li>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
215 </ul>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
216 <p>If the privilege is granted, the server MUST use a directed presence, as specified in &rfc6121; section 4.6 on the behalf of managed entity each time its presence information change.</p>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
217 </section2>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
218
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
219 <section2 topic='Advertising Permission' anchor='advertise_managed_presence'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
220 <p>Server advertise "presence" permission in the same way as for "roster" or "message" permissions, except that 'namespace' attribute has the value of "presence", and the 'type' attribute has a value of "managed_entity"</p>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
221 </section2>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
222
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
223 <section2 topic="Server Send presence informations" anchor='server_send_presence'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
224 <p>Once the "presence" permission is granted, the server send presence informations:</p>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
225 <example caption='server receives new presence from Juliet'><![CDATA[
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
226 <presence from='juliet@capulet.lit/balcony'
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
227 id='presence1'
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
228 xml:lang='en'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
229 <show>chat</show>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
230 <status>Staying on the balcony</status>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
231 </presence>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
232 ]]></example>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
233
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
234 <example caption='server redirects presence to privileged entity'><![CDATA[
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
235 <presence from='juliet@capulet.lit/balcony'
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
236 to='pubsub.capulet.lit'
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
237 id='presence1'
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
238 xml:lang='en'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
239 <show>chat</show>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
240 <status>Staying on the balcony</status>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
241 </presence>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
242 ]]></example>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
243
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
244 </section2>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
245
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
246 <section2 topic='Roster Presence' anchor='roster_presence'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
247 <p>In addition to "<link url='#managed_ent_presence'>managed entity presence</link>", a privileged entity may need to know when a contact in managed entity roster is online (for example, it's necessary for a PEP service because of the presence default access model).</p>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
248 <p>As for other permissions, the access in granted in server's configuration, but there is a additional restriction: the privileged entity MUST have read permission on roster namespace (i.e. 'type' attribute in allowed &lt;perm&gt; of namespace <em>jabber:iq:roster</em> MUST have a value of either <strong>get</strong> or <strong>both</strong>).</p>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
249 <p>If the delegation is granted, the server MUST send to the privileged entity every presence information that the privileged entity is receiving. Having "roster" type for "presence" permission imply that you have also implicitly "managed_entity" type.</p><p>The server MUST reject the permission if the privileged entity doesn't have read permission on roster namespace.</p>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
250 <p>Note: this permission should be given carefully, as it gives access to presence of potentially a lot of entities to the privileged entity (see <link url='#security'>security considerations</link>).</p>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
251 </section2>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
252
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
253 <section2 topic='Advertising Permission' anchor='advertise_roster_presence'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
254 <p>Server advertise roster "presence" permission in the same way as for other permissions, except that the 'namespace' attribute has the value of "presence", and the 'type' attribute has a value of "roster"</p>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
255 <example caption='Server Advertise Roster, Message, Managed Entity Presence and Roster Presence Privileges'><![CDATA[
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
256 <message from='capulet.net' to='pubub.capulet.lit' id='54321'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
257 <privilege xmlns='urn:xmpp:privilege:0'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
258 <perm namespace='jabber:iq:roster' type='both'/>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
259 <perm namespace='message'/>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
260 <perm namespace='presence' type='roster'/>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
261 </privilege>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
262 </message>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
263 ]]></example>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
264 <p>Note the presence of <em>jabber:iq:roster</em> permission request.</p>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
265 </section2>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
266
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
267 <section2 topic="Privileged Entity Receive Roster Presences" anchor='priv_rec_roster_presence'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
268 <example caption="server receives new presence from Romeo, which is in Juliet's roster"><![CDATA[
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
269 <presence from='romeo@montaigu.lit/orchard'/>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
270 ]]></example>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
271 <example caption='server sends the presence as usually, but also to the privileged entity'><![CDATA[
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
272 <presence from='romeo@montaigu.lit/orchard'
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
273 to='juliet@capulet.lit'/>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
274 <presence from='romeo@montaigu.lit/orchard'
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
275 to='pubsub.capulet.lit'/>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
276 ]]></example>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
277 </section2>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
278 </section1>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
279
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
280 <section1 topic='Security Considerations' anchor='security'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
281 <ol>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
282 <li>Privileged entitiy has access to sensitive data, and can act as the server itself, permissions should be granted carefuly, only if you absolutely trust the entity.</li>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
283 <li><link url='#roster_presence'>Roster presence</link> is particulary sensitive, because presence informations of whole rosters are shared.</li>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
284 </ol>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
285 </section1>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
286
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
287 <section1 topic='IANA Considerations' anchor='iana'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
288 <p>This document requires no interaction with &IANA;.</p>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
289 </section1>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
290
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
291 <section1 topic='XMPP Registrar Considerations' anchor='registrar'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
292 <section2 topic='Protocol Namespaces' anchor='ns'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
293 <p>The &REGISTRAR; includes 'urn:xmpp:privilege:0' in its registry of protocol namespaces (see &NAMESPACES;).</p>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
294 <ul>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
295 <li>urn:xmpp:privilege:0</li>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
296 </ul>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
297 </section2>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
298 <section2 topic='Protocol Versioning' anchor='registrar-versioning'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
299 &NSVER;
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
300 </section2>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
301 </section1>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
302
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
303 <section1 topic='XML Schema' anchor='schema'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
304 <code><![CDATA[
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
305 <?xml version='1.0' encoding='UTF-8'?>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
306
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
307 <xs:schema
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
308 xmlns:xs='http://www.w3.org/2001/XMLSchema'
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
309 targetNamespace='urn:xmpp:privilege:0'
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
310 xmlns='urn:xmpp:privilege:0'
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
311 elementFormDefault='qualified'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
312
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
313 <xs:element name='privilege'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
314 <xs:complexType>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
315 <xs:element name='perm'
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
316 maxOccurs='unbounded'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
317 <xs:complexType>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
318 <xs:attribute name='namespace' use='required' type='xs:string'/>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
319 <xs:simpleType base='xs:NMTOKEN'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
320 <xs:enumeration value='jabber:iq:roster'/>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
321 <xs:enumeration value='message'/>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
322 <xs:enumeration value='presence'/>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
323 </xs:simpleType>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
324 <xs:attribute name='type' use='required'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
325 <xs:simpleType base='xs:NMTOKEN'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
326 <xs:enumeration value='none'/>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
327 <xs:enumeration value='get'/>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
328 <xs:enumeration value='set'/>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
329 <xs:enumeration value='both'/>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
330 <xs:enumeration value='outgoing'/>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
331 <xs:enumeration value='managed_entity'/>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
332 <xs:enumeration value='roster'/>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
333 </xs:simpleType>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
334 </xs:attribute>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
335 </xs:complexType>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
336 </xs:element>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
337 </xs:complexType>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
338 </xs:element>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
339
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
340 </xs:schema>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
341 ]]></code>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
342 </section1>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
343
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
344 <section1 topic='Acknowledgements' anchor='acks'>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
345 <p>Thanks to Sergey Dobrov, Dave Cridland, Steven Lloyd Watkin, Lance Stout and Johannes Hund for their feedbacks. Thanks to Adrien Cossa for his typos/style corrections.</p>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
346 <p>Privileged entity was initialy written to be a generic identity based access control (IBAC) which allows an entity to access sensitive data. After <link url='http://mail.jabber.org/pipermail/standards/2014-December/029378.html'>a discussion on standard mailing list</link>, it has been decided to restrict the current XEP to immediate needs to build an external PEP service, and to implement separately an Attribute Based Access Control (ABAC) which is more modern, generic and flexible. This XEP is still interesting for being easy to implement and doing the job.</p>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
347
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
348 </section1>
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
349
57dfd2ab2881 association: updated location (article 3) in statuts
Goffi <goffi@goffi.org>
parents:
diff changeset
350 </xep>