[asterisk-dev] Asterisk 12 API improvements

[Matthew Jordan]

On 12/01/2012 02:10 AM, Olle E. Johansson wrote:
> "Authorization: No immediate need for multiple levels or granular permissions inside the api."
> 
> I disagree. Some of my patches have been focused on being able to host multiple companies in one PBX.
> We do need authorization so we can implement "realms" within Asterisk - which channels are one 
> particular user (or group) allowed to follow, manipulate and originate?
> 

It feels like this could be broken up into Identity - being able to
associate groups of endpoints/channels with a particular domain - and
authentication/authorization - i.e., who can see who and what a client
can do.

I'm definitely behind the idea of Identity - there should be a way to
differentiate between clients of the API.

Authentication/authorization is tricky.  It'd be nice if that could be
deferred outside of the API itself to some external provider, i.e., you
tell Asterisk how who can see who and how.

I'm all with Josh that class authorizations (ala AMI) are *not* the way
to go.  The trap AMI fell into was providing authorizations implemented
by an interface that had no relevant implementation in the Asterisk core
itself.  An 'originate' class authorization isn't understood or
implemented by the code that executes channel origination, and the code
that executes channel origination has no concept of a connected user.
Even so, it *could* have still worked, had AMI not completed the coup de
grace and provided what amounts to 'root' access in Asterisk to the
outside world.

The way I view it: AMI still exists, and always will, if you need that
kind of low level, system altering power.  The Stasis API gives you a
safe, stable way of building telephony applications, but without the
need (and more importantly: ability) to do some of the scarier use cases
AMI provided.

-- 
Matthew Jordan
Digium, Inc. | Engineering Manager
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at: http://digium.com & http://asterisk.org