[asterisk-dev] AstriDevCon - PineMango
Kevin P. Fleming
kpfleming at digium.com
Mon Oct 13 04:11:39 CDT 2008
Johansson Olle E wrote:
> And how does the SIP channel know who's allowed to do what?
> It all comes down to the core anyway. The SIP channel will hopefully
> move towards a more domain-based segmentation. I need a way
> to find out who's allowed to touch which sip channels, subscriptions,
> transfers etc.
Well, this is really not possible. We've had this discussion many times
before, in different contexts, but in essence, it boils down to
mechanism vs. policy. In Asterisk, we're trying (at least with all new
development) to never define *how* someone would use (or be able to use)
a mechanism that we build, just provide the mechanism itself and let the
imaginative users find out how it can be used.

When it comes to issues like authentication and authorization, we could
attempt to build a 'rules engine' inside the modules that have to
implement the results of the AA checks, but defining such a rules engine
will be very hard, and inevitably (and I mean within six months),
application developers will tell us that our rules engine doesn't
provide the sort of rules that they need. In that case, are we better
off to continue extending the rules engine with more and more complex
rules, or are we better off to just push the rules out of the core
completely and let the application framework/developer define the rules
and let us know whether a particular operation should be allowed,
disallowed or limited in some way?

It certainly seems that the general consensus in this thread is that the
latter is preferable, and I'm in agreement there. Even if we do end up
building AA-related functionality in Asterisk, I don't think it will be
in the API calls themselves, but parallel to the API, and associated
with the API 'session' and any objects created or managed by the session.
> How can we enforce segmentation throughout the core, so that we can
> frameworks to access the core without colliding and only accessing
> what they're allowed to access? Even if you guys write a wonderful
> framework that you think solves all issues, someone will add another
> plugin on top of the same pbx.
Or they'll write a C module that breaks the rules and convince the same
system administrator to install it. At some point, we have to just defer
responsibility to the administrator of the system involved. If they
allow uncontrolled access to the internals of the system, then they'll
be exposed to that sort of problem.
> You can argue that the core needs to ask each layer, but I think that's
> the wrong architecture.
Well, that's why we're having this discussion :-) I think that the
general opinion here, and some of it based on experience with other
frameworks and systems, is that the implementation layer is forced to
get AA input/feedback/etc. from other layers.
Kevin P. Fleming
Director of Software Technologies
Digium, Inc. - "The Genuine Asterisk Experience" (TM)
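
The split discussed in the message above (the core supplies the mechanism, and a policy attached to the API session answers allowed, disallowed or limited), as an added C example that is not part of the original message and is not Asterisk code. Every type and function name, the domain rule and the refuse-when-no-policy default are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* All names are hypothetical; none of this is Asterisk's API. */
enum verdict { AA_DENY, AA_ALLOW, AA_LIMIT };
enum op { OP_READ, OP_TRANSFER };

struct object { const char *name, *domain; int owner; };
struct session;
typedef enum verdict (*policy_fn)(const struct session *, enum op,
                                  const struct object *);
/* The policy hook lives on the session, parallel to the API calls. */
struct session { int id; const char *domain; policy_fn policy; };

/* Mechanism (core): evaluates no rules itself. Assumption: with no policy
 * attached it refuses. Returns 0 refused, 1 performed, 2 performed limited. */
int core_do(const struct session *s, enum op op, const struct object *o)
{
    enum verdict v = (s && s->policy) ? s->policy(s, op, o) : AA_DENY;
    if (v == AA_DENY)
        return 0;
    /* the real channel/subscription/transfer work would run here */
    return v == AA_LIMIT ? 2 : 1;
}

/* Policy (framework): one possible domain-based rule set. */
enum verdict domain_policy(const struct session *s, enum op op,
                           const struct object *o)
{
    if (o->owner == s->id)
        return AA_ALLOW;                       /* object this session created */
    if (strcmp(s->domain, o->domain) != 0)
        return AA_DENY;                        /* another domain's object */
    return op == OP_READ ? AA_LIMIT : AA_DENY; /* same domain: observe only */
}

/* Constructed sample sessions and objects. */
static const struct session alice = { 1, "a.example", domain_policy };
static const struct session bare = { 2, "a.example", NULL };
static const struct object own = { "chan-1", "a.example", 1 };
static const struct object peer = { "chan-2", "a.example", 7 };
static const struct object other = { "chan-3", "b.example", 9 };

int main(void)
{
    printf("own transfer=%d peer read=%d peer transfer=%d other read=%d bare=%d\n",
           core_do(&alice, OP_TRANSFER, &own), core_do(&alice, OP_READ, &peer),
           core_do(&alice, OP_TRANSFER, &peer), core_do(&alice, OP_READ, &other),
           core_do(&bare, OP_READ, &own));
    return 0;
}
```

Swapping `domain_policy` for a different function changes who may touch what without any change to `core_do`.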