Re: RFC-2518 LOCK-TOKEN: header from Geoffrey M. Clemm on 2000-01-31 (w3c-dist-auth@w3.org from January to March 2000)

From: Geoffrey M. Clemm <geoffrey.clemm@rational.com>
Date: Mon, 31 Jan 2000 10:37:24 -0500
To: w3c-dist-auth@w3.org
Message-Id: <10001311537.AA01179@tantalum>
   From: jamsden@us.ibm.com

   <geoff>
   ... if clients aren't going to restrict themselves to using
   the lock tokens that they created via LOCK, but will grab any
   lock-token that was created by their principal, then there is no
   reason to have the complexity of lock-tokens in the protocol.
   </geoff>

   <jra>
   We're getting there. The reason for associating the lock token with a
   principal is to give that principal the flexibility of running concurrent
   clients that may update the same resource.

A principal can run concurrent clients that may update the same resource,
whether or not a lock token is associated with a principal.

   Since not all these clients
   actually locked the resource but got the lock token some other way, they
   are aware that there might be other clients that have the same lock token
   and can warn the principal before using the lock token to update a locked
   resource.

So every time such a client does a PUT/PROPPATCH to a "locked" resource,
it pops up a warning message saying "this might overwrite updates pending
in other clients working on your behalf, but I have no idea whether it
does or not because we use each others' lock tokens".  This is not a
behavior for which I would deliberately design a protocol.

Alternatively, the clients could be written to first UNLOCK a resource that
was locked by some other client, and then that other client (whether it
belonged to you or some other principal) would know this has occurred as
soon as it tries to make its next update, and could then notify that other
client's user that a merge conflict has occurred because someone
UNLOCK'ed your lock.

   ...
   3. Multiple clients run by the same principal would have to get there own
   possibly exclusive write locks which would limit data availability by a
   single principal who likely knows what they are doing at the moment, and if
   it is safe to proceed with an update. For example, the principal may be
   running many concurrent clients, but only one of them is active at a time.
   The others are all waiting for input.

As a side note, "shared locks" are just, well, to be blunt, silly.
RFC2518 says you can take out a shared lock if you are a "principal
with appropriate access".  But if you are a principal with appropriate
access, you should just UNLOCK the resource and take out your own
exclusive lock on it.  This gives you all the benefits of "shared
locks", without losing the overwrite protection of exclusive locks.
Perhaps "silly" is a bit harsh ... or perhaps it is not harsh enough (:-).

Now as for the limiting data availability, how does the need to first
UNLOCK a locked-by-another client resource limit data availability?
Your client confirms (by asking you) that you really want to "steal" the
resource from another client (using the DAV:owner field to give a more
informative message), then UNLOCKs the resource, and then LOCKs
the resource to get its own locktoken.

I believe that you are try to get ACL behavior out of locktokens ...
I'd prefer to use ACL's to get ACL behavior (:-).  An ACL lets
you control which principals have write access to a resource (to prevent
damage from "hostile" principals), while locktokens lets cooperating
clients avoid merge conflicts.  An ACL is resource based and associated
with principals; a locktoken is URL-based and associated with clients.

   So I think associating the lock token with a principal is a reasonable and
   useful compromise. It doesn't give absolute and complete overwrite
   protection for multiple current clients run by the same principal, but it
   does guarantee overwrite protection between principals.

Associating a lock token with a principal is both too strong (it prevents
another principal with the same or higher access rights from authoring
that resource) and is too weak (it doesn't help avoid merge conflicts
between clients acting on behalf of the same client).

If this approach were consistent with our future direction (associating
ACL's with resources), I'd be more willing to accept it, but it isn't.
Requiring that only a principal that issued a LOCK can cancel that LOCK
will conflict with any attempts to allow a wider "trust" group for
that operation.

   Note that GULP R8 is consistent with associating principals with lock
   tokens.

Yes, that has been fixed (:-).  All mention of a "principal" has been
removed from R8.

Cheers,
Geoff
Received on Monday, 31 January 2000 10:38:34 UTC