[CalendarServer-users] Read only access to CardDAV
dre at apple.com
Mon Dec 17 13:09:35 PST 2012
On Dec 17, 2012, at 12:55 PM, Andre LaBranche <dre at apple.com> wrote:
> On Dec 17, 2012, at 12:42 PM, Thomas Harvey <harvey.t at mac.com> wrote:
>> Thanks dre, I realised after asking that it had moved to a postgres backed datastore.
>> Although, I guess we could have 2 cardDAV servers running, one in read only and the other in read-write, but both on the same DB backend? In the read only server, authentication would be valid for all listed in the ou=people branch of the directory, but the read-write server would only allow connection from specific roles...just a thought, or is this completely outrageous?
> It sounds completely outrageous, but it might actually work :) The 'read only server' option is a caldavd.plist setting, and (afaik) merely disables write operations. So really all you need to do is deploy multiple server instances pointed at the same DB backend, and with the same configuration (except for the read-only setting). Normally in a multi-server config, you want all servers behind a load balancer, but in this case, you want them discretely addressable on purpose. Be aware that in such a config, there would be nothing to stop the user from connecting to the writable service - if that's a consideration, you'll need to implement your own measures for doing this. Directly using LDAP concepts for authorization, such as record location within the LDAP tree, is bordering on out of scope for Calendar Server. However, there are bits in the accounts and augments files that can be set as a result of your policy evaluations - see these:
> Here's a doc that can help you get to a multi-server config:
> The config option for read-only mode is called EnableReadOnlyServer, and is false by default.
One thing to know: as noted in the multi-server doc I linked, because both servers have to share the same memcache pools, it's possible that user-level authorization settings such as <enable-addressbook>true</enable-addressbook> (from augments.xml) get cached in memcache. If so, the first entry in 'wins', and the other server will behave as though it were configured with the cached setting.
But I'm not totally sure this particular data gets cached in memcache. Just something to watch out for :)
>> I'll also be sure to check out gaya's branch to see what direction is being taken there, perhaps I can help out with that.
>> On Dec 17, 2012, at 08:32 PM, Andre LaBranche <dre at mac.com> wrote:
>>> On Dec 14, 2012, at 5:30 AM, Thomas Harvey <harvey.t at mac.com> wrote:
>>> > I've got myself a nice new CardDAV server setup and I'm working on the user accounts - just through the XML based directory. I would like to have one collection of contacts which has an admin user with read/write access but to also have a subordinate user who can connect to this collection with read only access. I don't particularly need to be able to provide a separate contacts collection for the subordinate user.
>>> > The current thinking is to have a Principal which is listed in the caldavd.plist as a ReadPrincipal and then to symlink the folder for that principal into another location, which is listed as AdminPrincipals - Is this really the best way to do this?
>>> Symlinks probably won't help you here; the Calendar Server backend is a postgres database. It used to be a filesystem, but that was a long time ago...
>>> Unfortunately I don't think there's currently any support in the server for what you're asking for. There is a 'read only server' switch, but it's global for the entire service. There is some CardDAV sharing stuff in development, but it's not release-quality yet. Here's the branch if you're curious what is being done:
>> calendarserver-users mailing list
>> calendarserver-users at lists.macosforge.org
> calendarserver-users mailing list
> calendarserver-users at lists.macosforge.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the calendarserver-users