[asterisk-dev] Pinemango -- Authorization API
Tilghman Lesher
tilghman at mail.jeffandtilghman.com
Tue Oct 14 15:33:04 CDT 2008
On Tuesday 14 October 2008 11:25:09 Brian Degenhardt wrote:
> Russell Bryant wrote:
> > Johansson Olle E wrote:
> >> The fact that Russell, who's the current maintainer of Asterisk, votes
> >> for taking authorization out of the picture is very disappointing to me.
> >
> > I do not vote for taking it out of the picture. I am simply in
> > agreement with the things that Brian, Tim and now Kevin have been
> > saying, which is that we should allow the framework to handle policy
> > decisions.
>
> The hooks component from the PineMango diagram is a great way to do this
> too. The hooks don't even have to be really security-related. Imagine
> that Asterisk executed a hook every time the following things happened:
>
> * SIP registration
> * Codec negotiation
> * SIP REINVITE
> * res_features transfer
> * Barge/Whisper/Spy toggle
> * External MWI Event/NOTIFY
>
> If my app controlling Asterisk is asked, via a hook, each time these
> things happen, I can then impose my external business-rules governed
> security policy. Maybe the user hasn't paid for MWI service, or perhaps
> they are only allowed to Barge on certain callers. Possibly they can
> only register phones on nights and weekends.
>
> I don't need a mechanism to define these policies in the core. I
> desperately need a mechanism to control these things from outside of
> Asterisk.

The hooks, alone, aren't a good way, either. Consider two companies on the
same machine. A hook as the entire implementation of an authorization
model would allow Company A to prohibit any activity that Company B wants
to do that requires a hook, simply by denying all activity that it does not
recognize.
--
Tilghman
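
The two-company case from the reply above, as an added example that is not part of the original message or of Asterisk's code. Every name in it (`struct event`, `struct hook`, `allow_hooks_only`, `allow_scoped`, the tenant strings) is hypothetical, and the scoped dispatcher is one assumed way for the core to contain the problem, not something proposed in the thread.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the two-tenant case; no name here is an Asterisk API. */
struct event { const char *tenant; const char *action; };
struct hook { const char *owner; bool (*fn)(const struct event *); };

/* Company A allows the one thing it recognizes and denies everything else. */
static bool company_a_hook(const struct event *ev) {
    return strcmp(ev->tenant, "company_a") == 0 &&
           strcmp(ev->action, "register") == 0;
}

/* Company B allows anything its own users do and denies everything else. */
static bool company_b_hook(const struct event *ev) {
    return strcmp(ev->tenant, "company_b") == 0;
}

static const struct hook hooks[] = {
    { "company_a", company_a_hook },
    { "company_b", company_b_hook },
};
#define NHOOKS (sizeof(hooks) / sizeof(hooks[0]))

/* Hooks as the entire model: every hook sees every event, any deny wins. */
bool allow_hooks_only(const struct event *ev) {
    for (size_t i = 0; i < NHOOKS; i++)
        if (!hooks[i].fn(ev))
            return false;
    return true;
}

/* Assumed alternative: the core consults only hooks owned by the event's
 * tenant, and denies when no hook is responsible for that tenant. */
bool allow_scoped(const struct event *ev) {
    bool consulted = false;
    for (size_t i = 0; i < NHOOKS; i++) {
        if (strcmp(hooks[i].owner, ev->tenant) != 0)
            continue;
        consulted = true;
        if (!hooks[i].fn(ev))
            return false;
    }
    return consulted;
}

int main(void) {
    struct event ev = { "company_b", "barge" };   /* constructed sample event */
    printf("hooks only: %d, scoped: %d\n", allow_hooks_only(&ev), allow_scoped(&ev));
    return 0;
}
```

With hooks alone the two tenants veto each other, so even Company A's own registration is refused by Company B's hook; the ownership check has to live in the dispatcher, outside any tenant's hook.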