- From: Geoffrey M. Clemm <geoffrey.clemm@rational.com>
- Date: Mon, 31 Jan 2000 10:37:24 -0500
- To: w3c-dist-auth@w3.org
From: jamsden@us.ibm.com <geoff> ... if clients aren't going to restrict themselves to using the lock tokens that they created via LOCK, but will grab any lock-token that was created by their principal, then there is no reason to have the complexity of lock-tokens in the protocol. </geoff> <jra> We're getting there. The reason for associating the lock token with a principal is to give that principal the flexibility of running concurrent clients that may update the same resource. A principal can run concurrent clients that may update the same resource, whether or not a lock token is associated with a principal. Since not all these clients actually locked the resource but got the lock token some other way, they are aware that there might be other clients that have the same lock token and can warn the principal before using the lock token to update a locked resource. So every time such a client does a PUT/PROPPATCH to a "locked" resource, it pops up a warning message saying "this might overwrite updates pending in other clients working on your behalf, but I have no idea whether it does or not because we use each others' lock tokens". This is not a behavior for which I would deliberately design a protocol. Alternatively, the clients could be written to first UNLOCK a resource that was locked by some other client, and then that other client (whether it belonged to you or some other principal) would know this has occurred as soon as it tries to make its next update, and could then notify that other client's user that a merge conflict has occurred because someone UNLOCK'ed your lock. ... 3. Multiple clients run by the same principal would have to get there own possibly exclusive write locks which would limit data availability by a single principal who likely knows what they are doing at the moment, and if it is safe to proceed with an update. For example, the principal may be running many concurrent clients, but only one of them is active at a time. The others are all waiting for input. As a side note, "shared locks" are just, well, to be blunt, silly. RFC2518 says you can take out a shared lock if you are a "principal with appropriate access". But if you are a principal with appropriate access, you should just UNLOCK the resource and take out your own exclusive lock on it. This gives you all the benefits of "shared locks", without losing the overwrite protection of exclusive locks. Perhaps "silly" is a bit harsh ... or perhaps it is not harsh enough (:-). Now as for the limiting data availability, how does the need to first UNLOCK a locked-by-another client resource limit data availability? Your client confirms (by asking you) that you really want to "steal" the resource from another client (using the DAV:owner field to give a more informative message), then UNLOCKs the resource, and then LOCKs the resource to get its own locktoken. I believe that you are try to get ACL behavior out of locktokens ... I'd prefer to use ACL's to get ACL behavior (:-). An ACL lets you control which principals have write access to a resource (to prevent damage from "hostile" principals), while locktokens lets cooperating clients avoid merge conflicts. An ACL is resource based and associated with principals; a locktoken is URL-based and associated with clients. So I think associating the lock token with a principal is a reasonable and useful compromise. It doesn't give absolute and complete overwrite protection for multiple current clients run by the same principal, but it does guarantee overwrite protection between principals. Associating a lock token with a principal is both too strong (it prevents another principal with the same or higher access rights from authoring that resource) and is too weak (it doesn't help avoid merge conflicts between clients acting on behalf of the same client). If this approach were consistent with our future direction (associating ACL's with resources), I'd be more willing to accept it, but it isn't. Requiring that only a principal that issued a LOCK can cancel that LOCK will conflict with any attempts to allow a wider "trust" group for that operation. Note that GULP R8 is consistent with associating principals with lock tokens. Yes, that has been fixed (:-). All mention of a "principal" has been removed from R8. Cheers, Geoff
Received on Monday, 31 January 2000 10:38:34 UTC