For$
<!-- begin site header -->
<div id=

Author Topic: User permissions/groups  (Read 12102 times)

bakkdoor

  • Developer
  • Newbie
  • ****
  • Posts: 8
    • View Profile
User permissions/groups
« on: December 05, 2010, 02:30:20 pm »
Hi.
I want to work on a permission system. Talked to ReDucTor about it on irc.
The idea was to have a certain amount of permissions/groups built-in with the option to allow custom permissions. The reason for the built-in permissions is speed, since we can use a simple bitmask for it and have a special bit be set for any custom permissions, which will then take a slow path for acessing/checking those. The reason is that permissions will most likely be checked on blocks being placed/destroyed etc. so having good performance there is essential for the common cases.

My question now is: Which permissions/groups should be provide built-in to the server?

Some suggestions: Guest (can't build/destroy things, just walk around and chat), Member (can build & destroy, chat), Operator (can teleport self & others, chat, give items, change user permissions up to Operator, kick, ban etc.), Admin (same as Operator as well as stop, start & reload server, change user permissions up to Admin, motd, etc.)

croxis

  • Newbie
  • *
  • Posts: 3
    • View Profile
Re: User permissions/groups
« Reply #1 on: December 06, 2010, 04:47:41 am »
Why have the levels hard coded? It would be a lot more flexible for the server owner to define their own levels, with sane defaults of course.

bakkdoor

  • Developer
  • Newbie
  • ****
  • Posts: 8
    • View Profile
Re: User permissions/groups
« Reply #2 on: December 06, 2010, 06:18:36 am »
I talked to reductor about this. Mostly for performance reasons, you'll want to have the checks for the most common used permission levels be as fast as possible, since they might be checked upon touching every block.
I'll work on an easy way to extend it with custom permissions. For the most widely used permissions we have up to 32 bits (that just boils down to working with bitmasks and is quite fast), of which one is used for a "custom" bit, which indicates it's a custom permission (e.g. from a plugin or whatever) and so it will have to take a "slow path" for dealing with those (but more flexible of course).

Right now each available command can be assigned to a minimum level. I also thought about allowing custom groups etc. but that should be discussed as well I think. It could also be done via a plugin. Don't know if this is wanted in the core server.
« Last Edit: December 06, 2010, 06:20:19 am by bakkdoor »

Delirium

  • Newbie
  • *
  • Posts: 27
    • View Profile
Re: User permissions/groups
« Reply #3 on: February 27, 2011, 12:38:54 pm »
I've taken a look at the permissions system, and in my opion, its far from perfect.

It would be nice to seperate permission into namespaces, like the permissions plugin for bukkit does - except yaml, which sucks.

Let's give an example. This is how it looks currently:

Code: [Select]
load         = admin
unload       = admin
reload       = admin
save         = admin
settime      = admin
regen        = admin
adminonlymsg = admin

I'm a big fan of XML by the way, so my preferred permissions structure would be something like
Code: [Select]
<groups>
<group>
<name>Admin</name>
<permissions>
<permission>mineserver.server.load</permission>
<permission>mineserver.server.unload</permission>
<permission>mineserver.server.reload</permission>
<permission>mineserver.world.save</permission>
<permission>mineserver.world.settime</permission>
<permission>mineserver.world.regen</permission>
<permission>mineserver.chat.adminonlymsg</permission>
</permissions>
</group>
</groups>

which can be easily compressed to
Code: [Select]
<groups>
<group>
<name>Admin</name>
<permissions>
<permission>mineserver.server.*/permission>
<permission>mineserver.world.*</permission>
<permission>mineserver.chat.*</permission>
</permissions>
</group>
</groups>
Note: a star gives permission to all permissions in that namespace.
which I can further compress to
Code: [Select]
<groups>
<group>
<name>Admin</name>
<permissions>
<permission>mineserver.*</permission>
</permissions>
</group>
</groups>
this gives admins full control over the things in the namespace mineserver. But what if a plugin uses a different root namespace?
Code: [Select]
<groups>
<group>
<name>Admin</name>
<permissions>
<permission>*</permission>
</permissions>
</group>
</groups>

I hope you get my thoughts. I've created the XSD Schema definition for the above samples. It would simplify the permissions system a lot.

Code: [Select]
<?xml version="1.0" encoding="utf-16"?>
<xsd:schema attributeFormDefault="unqualified" elementFormDefault="qualified" version="1.0" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <xsd:element name="groups">
    <xsd:complexType>
      <xsd:sequence>
        <xsd:element maxOccurs="unbounded" name="group">
          <xsd:complexType>
            <xsd:sequence>
              <xsd:element name="name" type="xsd:string" />
              <xsd:element name="permissions">
                <xsd:complexType>
                  <xsd:sequence>
                    <xsd:element name="permission" type="xsd:string" />
                  </xsd:sequence>
                </xsd:complexType>
              </xsd:element>
            </xsd:sequence>
          </xsd:complexType>
        </xsd:element>
      </xsd:sequence>
    </xsd:complexType>
  </xsd:element>
</xsd:schema>
Make it idiot proof and someone will make a better idiot.

Ligustah

  • Newbie
  • *
  • Posts: 42
    • View Profile
Re: User permissions/groups
« Reply #4 on: February 27, 2011, 02:21:46 pm »
XML is a pretty good format to reflect tree-like structures, but i personally hate having to write all those XML tags, <>, stuff like that just to get my config done.

Even your compressed forms are a bit bloated, i mean you can of course compare the compressed XML with the uncompressed flat file, but that's not a fair comparison.

I'd rather go with the standard mineserver config file format.

Make it like
Code: [Select]
permissions.admin = ("*");
XML will never be able to beat that for sure. In my opinion it's much more straigh forward.

-- Ligustah

Delirium

  • Newbie
  • *
  • Posts: 27
    • View Profile
Re: User permissions/groups
« Reply #5 on: April 08, 2011, 11:33:53 am »
Well, XML can be easily processed by 3rd-party-applications, like a graphical permissions editor as well as an graphical configuration editor. The positive side on XML is also the strict definition with the XSD and the ability to extend it easily. What you forget in your system is the ability to create user defined groups, which can inherit permissions from other group, exclude permissions and so on. If you don't like to type all these tags, you can simply write a config generator, I would do that too xP

Also, if I understand you correctly, if the default user has got the permission to build and use a hypothetical plugin warp:
Code: [Select]
permissions.user = ("mineserver.build", "plugin.warp.warpto");
If you assign many different permissions on one user, this format produces endless lines and sucks therefor pretty much.

You can always use some autocompleting software to write the config (MS XML Notepad 2007 on Windows, Eclipse with web extensions should do it on Linux) - can't be easier.

You always have to design a system for the DAU (German abbreviation for "Dümmster anzunehmender User", Stupidest user possible), and in my opinion, XML is best suited for this. I can easily write some applications for easy configuration and easy permissions editing.

Oh, by the way, some in-game commands to change permissions would be very nice. Like add users to groups, give groups additional permissions, create groups and so on.
Make it idiot proof and someone will make a better idiot.

Ligustah

  • Newbie
  • *
  • Posts: 42
    • View Profile
Re: User permissions/groups
« Reply #6 on: April 08, 2011, 02:47:01 pm »
I see the advantage of XML being a widely used standard, including editors.

However, i think that user based permissions should not be done in the main configuration anyways. In my opinion those could be done perfectly fine on-demand (e.g. ingame). That would consort with what you said at the end of your post.

If DAU's are the main target audience, then of course shiny GUI tools with lots of buttons and boxes would suit best, but being a server administrator i personally prefer things that can be easily done from a linux shell. You might want to have a look at the config files used by Apache, Lighttpd, MySQL or even IRC daemons. There is no XML involved there for a good reason i suppose.

On the other hand, i see that most of the Minecraft people might not be among the server administrators.

I think there should be some sort of balance between the two solutions. If i am not mistaken you're good with .NET stuff (which you probably referred to, when mentioning your configuration tool idea), so i guess it should not be hard to adapt the config parser that mineserver makes use of internally. The DAU's will never touch the config anyways,
so why make it harder for the server admins?

Hope you see my point :)

Delirium

  • Newbie
  • *
  • Posts: 27
    • View Profile
Re: User permissions/groups
« Reply #7 on: April 08, 2011, 06:37:35 pm »
I think, in minecraft community, the real server administrators are a very small community. As you can see in bukkit forums, there are mostly script kiddies and not so advanced users around, running their servers on their own machine at home. These People are confused with YAML (which bukkit permission system uses) anyways, they're demanding a reasonable interface. This is ATM done ingame but not suitable for the initial configuration.

As far as the main configuration is concernd, I'm very happy with the format used now. It can be easily generated from a web interface for example  (wouldn't a webinterface for configuration be cool?). This should't be changed anyways, it's readable enough to be understandable for DAUs. And server admins can edit it easily.

I just think that format used in the main config is not suitable for handling permissions.
Make it idiot proof and someone will make a better idiot.

Ligustah

  • Newbie
  • *
  • Posts: 42
    • View Profile
Re: User permissions/groups
« Reply #8 on: April 08, 2011, 08:50:46 pm »
It might be possible to make a few scripts (perl, python, php, whatever) to aid making/editing the permission files.
I'm all with XML as long as i never have to touch it myself :P

Compiling a little php lib might be a good idea, that would allow for cli uses as well as web interfaces.