{Disarmed} RE: [IPP] Descriptions of CUPS additions to the Cancel-Job and Purge-Jobs operations

{Disarmed} RE: [IPP] Descriptions of CUPS additions to the Cancel-Job and Purge-Jobs operations

Tom Hastings tom.hastings at verizon.net
Thu Oct 1 02:10:52 UTC 2009 

I'm struggling mightily to write up the Cancel-Job and Purge-Job operations
as suggested by Michael and have come up with a bunch of issues.  Since HTML
may not come through the email reflector with the 5 MS-WORD ISSUE comments
intact and the table shown, I've also downloaded the .doc of just these
attributes with my suggested descriptions and the ISSUES as MS-WORD comments
to:
ftp://ftp.pwg.org/pub/pwg/ipp/wd/Attributes_to_add_to_Cancel-Job_and_Purge-J
obs_operations.doc.  

 

The 5 ISSUES are as follows:

 

ISSUE 1:  Allowing an unprivileged user to purge his job using Cancel-Job,
could circumvent accounting in those systems that use Retained Jobs and Job
History for accounting.

 

ISSUE 2:  Allowing an unprivileged user to purge his jobs using Purge-Jobs,
could circumvent accounting in those systems that use Retained Jobs and Job
History for accounting.

One solution would be to only allow Purge-Jobs for operator or administrator
as in [RFC 2911].

ISSUE 3: Instead of adding "my-jobs" and "purge-job" to Purge-Jobs, a
simpler way to allow an unprivileged user to cancel all his jobs, instead of
just a specified job, would be to add "all-my-jobs" (boolean) Operation
attribute to the Cancel-Job operation.  When the client supplies this
attribute with a 'true' value, the client MUST NOT supply a "job-id" or
"job-url" Operation attribute.

 

ISSUE 4: Or should the spec say the Printer MUST reject the Purge-Jobs
operation if the unprivileged client supplies the "my-jobs" = 'false' and
return: client-error-forbidden, client-error-not-authenticated, and
client-error-not-authorized as appropriate, as for Purge-Jobs in RFC 2911
section 3.2.9

 

ISSUE 5: The "purge-job" (boolean) Operation attribute has the 'true' value
here as its default.  Usually, it's the 'false' value that is the default.
More confusingly, the "purge-job" (boolean) Operation attribute (correctly)
has the 'false' value in the Cancel-Job operation above.

 

I've included the text in the draft which I will post tomorrow for this
Monday's IPP WG telecon, October 5, at 1:00 PM PDT = 4:00 PM EDT, but I
wanted to start people thinking about these issues.  Hopefully, we can
resolve these issues at the meeting so that I can update the draft for the
face to face meeting in Cupertino, the following week, October 12-14.

 

 

Here is what I've come up with.  Comments and suggestions are welcome:

 


4.3 Cancel-Job operation


This section specified an additional operation attribute for use with the
Cancel-Jobs operation (see [RFC2911] Section 3.3.3).


4.3.1 purge-job[th1] <>    (boolean)


The "purge-job" Operation attribute controls whether the specified job is
canceled or purged as follows:

'false':  Default value.  The Printer cancels the specified job as specified
in [RFC2911] Section 3.3.3 which MAY leave a Retained Job with document data
on the Printer for possible re-processing (e.g., using the Reprocess-Job or
Resubmit-Job operations) and/or Job History.  Note: If the client omits this
attribute or supplies the 'false' value, the behavior of the Cancel-Job
operation is as specified in [RFC2911].

'true':   If the authenticated user is the job owner of the job specified by
the "job-id" or "job-uri" operation attribute or is a privileged operator or
administrator of the Printer, the Printer MUST purge the specified job
according to the semantics of the Purge-Jobs operation independent of the
job's state, but only for the specified job, i.e., remove all record of the
specified job, including attributes, history and document data. 

The client MAY supply this Operation attribute and the Printer MAY support
this Operation attribute in the Cancel-Job operation.


4.4 Purge-Jobs operation


This section specified additional operation attributes for use with the
Cancel-Jobs operation (see [RFC2911] Section 3.3.7).


4.4.1       my-jobs[th2] <>   [th3] <>    (boolean)


The "my-jobs" Operation attribute allows the client to request the target
jobs to be (1) all jobs or (2) only jobs owned by the requesting user.
However, the Printer MUST further restrict the target jobs as follows:  

'false':  Default value.  The target jobs are all jobs, unless the
Authenticated user supplying the request is NOT an operator or administrator
of the Printer, in which case the Printer MUST restrict the target jobs to
those belonging to the requesting user.[th4] <>   

'true':   The target jobs are limited to those owned by the Authenticated
user submitting the request.   

The client MAY supply this Operation attribute and the Printer MAY support
this Operation attribute in the Purge-Jobs operation.


4.4.2       purge-job (boolean) 


The "purge-job" Operation attribute controls whether the target jobs are
canceled or purged as follows: 

'false':  The Printer cancels the target jobs as specified in [RFC2911]
Section 3.3.3 Cancel-Job which MAY leave a Retained Job with document data
on the Printer for possible re-processing (e.g., using the Reprocess-Job or
Resubmit-Job operations) and/or Job History.  

'true':   Default value[th5] <>   .  The Printer purges the target jobs as
specified in [RFC2911] Section 3.2.9 Purge-Jobs.  Note: If the client omits
this attribute or supplies the 'true' value, the behavior of the Purge-Jobs
operation is as specified in [RFC2911] for the target jobs.

The client MAY supply this Operation attribute and the Printer MAY support
this Operation attribute in the Purge-Jobs operation.

The behavior for the Purge-Jobs operation for these two Operation attributes
for unprivileged users vs. operators and administrator of the Printer is
shown in Table 2.

Table 2: Interaction of "my-jobs" and "purge-jobs" attributes in the
Purge-Jobs operation


Operation attributes

Unprivileged user

Operator or Administrator of the Printer


"my-jobs" = 'false' or omitted
"purge-jobs" = 'false'

Cancel only my jobs (Printer overrides "my-jobs" = 'false')

Cancel all jobs


"my-jobs" = 'true'
"purge-jobs" = 'false'

Cancel only my jobs

Cancel only my jobs


"my-jobs" = 'false' or omitted
"purge-jobs" = 'true' or omitted

Purge only my jobs (Printer overrides "my-jobs" = 'false')

Purge all jobs


"my-jobs" = 'true'
"purge-jobs" = 'true' or omitted

Purge only my jobs

Purge only my jobs

 

 

 

 

-----Original Message-----
From: ipp-bounces at pwg.org [mailto:ipp-bounces at pwg.org] On Behalf Of Michael
Sweet
Sent: Monday, September 14, 2009 14:41
To: ipp at pwg.org
Subject: [IPP] Descriptions of CUPS additions to the Cancel-Job and
Purge-Jobs operations

 

All,

 

Here are the descriptions for the CUPS additions to the Cancel-Job and  

Purge-Jobs operations. These came up in today's conference call...

 

------------------------------------------------------

 

Cancel Job Operation

 

The Cancel-Job operation (0x0008) cancels the specified job. CUPS 1.4  

adds a new purge-job (boolean) attribute that allows you to purge both  

active and completed jobs, removing all history and document files for  

the job as well.

 

Cancel-Job Request

 

The following groups of attributes are supplied as part of the Cancel- 

Job request:

 

Group 1: Operation Attributes

 

Natural Language and Character Set:

     The "attributes-charset" and "attributes-natural-language"  

attributes as described in section 3.1.4.1 of the IPP Model and  

Semantics document.

 

"printer-uri" (uri) and "job-id" (integer)

OR

"job-uri":

     The client MUST supply a URI for the specified printer and a job  

ID number, or the job URI.

 

"purge-job" (boolean):

     The client OPTIONALLY supplies this attribute. When true, all job  

files (history and document) are purged. The default is false, leading  

to the standard IPP behavior.

 

 

Cancel-Job Response

 

The following groups of attributes are send as part of the Cancel-Job  

Response:

 

Group 1: Operation Attributes

 

Status Message:

     The standard response status message.

 

Natural Language and Character Set:

     The "attributes-charset" and "attributes-natural-language"  

attributes as described in section 3.1.4.2 of the IPP Model and  

Semantics document.

 

 

Purge-Jobs Operation

 

The Purge-Jobs operation (0x0012) cancels all of the jobs on a given  

destination and optionally removes all history and document files for  

the jobs as well.

 

Purge-Jobs Request

 

The following groups of attributes are supplied as part of the Purge- 

Jobs request:

 

Group 1: Operation Attributes

 

Natural Language and Character Set:

     The "attributes-charset" and "attributes-natural-language"  

attributes as described in section 3.1.4.1 of the IPP Model and  

Semantics document.

 

"printer-uri" (uri):

     The client MUST supply a URI for the specified printer or
"ipp://.../printers 

" for all printers and classes.

 

"requesting-user-name" (name(MAX)):

     The client OPTIONALLY supplies this attribute to specify whose  

jobs jobs are purged or canceled.

 

"my-jobs" (boolean):

     The client OPTIONALLY supplies this attribute to specify that  

only the jobs owned by the requesting user are purged or canceled. The  

default is false.

 

"purge-jobs" (boolean):

     The client OPTIONALLY supplies this attribute to specify whether  

the jobs are purged (true) or just canceled (false). The default is  

true.

 

 

Purge-Jobs Response

 

The following groups of attributes are send as part of the Purge-Jobs  

Response:

 

Group 1: Operation Attributes

 

Status Message:

     The standard response status message.

 

Natural Language and Character Set:

     The "attributes-charset" and "attributes-natural-language"  

attributes as described in section 3.1.4.2 of the IPP Model and  

Semantics document.

 

 

___________________________________________________

Michael Sweet, Senior Printing System Engineer

 

 

 

 

-- 

This message has been scanned for viruses and

dangerous content by MailScanner, and is

believed to be clean.

 

_______________________________________________

ipp mailing list

ipp at pwg.org

https://www.pwg.org/mailman/listinfo/ipp

  _____  

 ISSUE:  Allowing an unprivileged user to purge his job using Cancel-Job,
could circumvent accounting in those systems that use Retained Jobs and Job
History for accounting.

 ISSUE:  Allowing an unprivileged user to purge his jobs using Purge-Jobs,
could circumvent accounting in those systems that use Retained Jobs and Job
History for accounting.

 

One solution would be to only allow Purge-Jobs for operator or administrator
as in [RFC 2911].

 ISSUE: Instead of adding "my-jobs" and "purge-job" to Purge-Jobs, a simpler
way to allow an unprivileged  user to cancel all his jobs, instead of just a
specified job, would be to add "all-my-jobs" (boolean) Operation attribute
to the Cancel-Job operation.  When the client supplies this attribute with a
'true' value, the client MUST NOT supply a "job-id" or "job-url" Operation
attribute.

 ISSUE: Or should the spec say the Printer MUST reject the operation and
return: client-error-forbidden, client-error-not-authenticated, and
client-error-not-authorized as appropriate, as for Purge-Jobs in RFC 2911
section 3.2.9

 ISSUE: The "purge-job" (boolean) Operation attribute has the 'true' value
here as its default.  Usually, it's the 'false' value that is the default.
More confusingly, the "purge-job" (boolean) Operation attribute (correctly)
has the 'false' value in the Cancel-Job operation above.


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.pwg.org/pipermail/ipp/attachments/20090930/65eb4704/attachment-0001.html>

More information about the ipp mailing list