Good discussion.
If Michael is willing to update CUPS (to support the old and something new),
another new alternative would be to add the following Operation attribute to
Cancel-Jobs:
"all-my-jobs" (boolean) with default 'false' to the Cancel-Jobs operation
instead of adding "cancel-jobs" (boolean) with default 'false' to the
Purge-Jobs operation. Then we wouldn't have an operation attribute
("cancel-jobs") which changes an one operation (Purge-Jobs) into another
operation (Cancel-Jobs).
A variant on my alternative above which would allow the
Operator/Administrator to be able to cancel all jobs (as is possible with
current CUPS, but uses Purge-Jobs) is to add the following Operation
attribute to the Cancel-Jobs operation:
"which-jobs" (type2 keyword) with values:
'specified-job' - (default) the job specified by the supplied "job-id" or
"job-url"
'all-my-jobs' - cancel all my jobs
'all-jobs' - cancel all jobs; If the Printer's security policy does not
allow the authenticated user to cancel jobs for which the requesting user is
not the owner, then the IPP object MUST reject the operation and return
client-error-not-authorized
Following the thrust of the above alternatives which avoid having an
operation attribute change the semantics of the operation to that of another
operation, how about also adding "job-id" (integer(1:MAX)) and "job-url"
(URL) to the Purge-Jobs operation. If either are supplied, then the
specified job is purged, rather than all jobs. If the requesting user is
NOT an Operator/Administrator AND the specified job is NOT owned by the
requesting user, then the IPP object MUST reject the operation and return
client-error-not-authorized.
Think about these alternative for the discussion at the IPP WG telecon, this
Monday, October 5, 1:00 PM PDT = 4:00 PM EDT.
In the meantime, I'll post the original CUPS approach rather than making
some of these discussed changes.
Thanks,
Tom
_____
From: Michael Sweet [mailto:msweet at apple.com]
Sent: Friday, October 02, 2009 10:51
To: Ira McDonald
Cc: tom.hastings at alum.mit.edu; ipp at pwg.org
Subject: Re: {Disarmed} Re: [IPP] Descriptions of CUPS additions to the
Cancel-Job and Purge-Jobs operations
FWIW, we can rev this to use a "cancel-jobs" attribute instead of
"purge-jobs" for the Purge-Jobs operation, and I'll update CUPS accordingly
(to support both the old and new names...) so that the defaults are all
false.
On Oct 2, 2009, at 10:24 AM, Ira McDonald wrote:
Hi,
I generally agree with Mike's comments below.
But I really dislike a boolean that defaults to 'true' - this
needs work.
Cheers,
- Ira
Ira McDonald (Musician / Software Architect)
Chair - Linux Foundation Open Printing WG
Blue Roof Music/High North Inc
email: blueroofmusic at gmail.com
winter:
579 Park Place Saline, MI 48176
734-944-0094
summer:
PO Box 221 Grand Marais, MI 49839
906-494-2434
On Fri, Oct 2, 2009 at 11:53 AM, Michael Sweet <msweet at apple.com> wrote:
Comments inline...
On Sep 30, 2009, at 7:10 PM, Tom Hastings wrote:
I'm struggling mightily to write up the Cancel-Job and Purge-Job operations
as suggested by Michael and have come up with a bunch of issues. Since HTML
may not come through the email reflector with the 5 MS-WORD ISSUE comments
intact and the table shown, I've also downloaded the .doc of just these
attributes with my suggested descriptions and the ISSUES as MS-WORD comments
to:
ftp://ftp.pwg.org/pub/pwg/ipp/wd/Attributes_to_add_to_Cancel-Job_and_Purge-J
obs_operations.doc.
The 5 ISSUES are as follows:
ISSUE 1: Allowing an unprivileged user to purge his job using Cancel-Job,
could circumvent accounting in those systems that use Retained Jobs and Job
History for accounting.
ISSUE 2: Allowing an unprivileged user to purge his jobs using Purge-Jobs,
could circumvent accounting in those systems that use Retained Jobs and Job
History for accounting.
One solution would be to only allow Purge-Jobs for operator or administrator
as in [RFC 2911].
ISSUE 3: Instead of adding "my-jobs" and "purge-job" to Purge-Jobs, a
simpler way to allow an unprivileged user to cancel all his jobs, instead of
just a specified job, would be to add "all-my-jobs" (boolean) Operation
attribute to the Cancel-Job operation. When the client supplies this
attribute with a 'true' value, the client MUST NOT supply a "job-id" or
"job-url" Operation attribute.
ISSUE 4: Or should the spec say the Printer MUST reject the Purge-Jobs
operation if the unprivileged client supplies the "my-jobs" = 'false' and
return: client-error-forbidden, client-error-not-authenticated, and
client-error-not-authorized as appropriate, as for Purge-Jobs in RFC 2911
section 3.2.9
ISSUE 5: The "purge-job" (boolean) Operation attribute has the 'true' value
here as its default. Usually, it's the 'false' value that is the default.
More confusingly, the "purge-job" (boolean) Operation attribute (correctly)
has the 'false' value in the Cancel-Job operation above.
I've included the text in the draft which I will post tomorrow for this
Monday's IPP WG telecon, October 5, at 1:00 PM PDT = 4:00 PM EDT, but I
wanted to start people thinking about these issues. Hopefully, we can
resolve these issues at the meeting so that I can update the draft for the
face to face meeting in Cupertino, the following week, October 12-14.
Here is what I've come up with. Comments and suggestions are welcome:
4.3 Cancel-Job operation
This section specified an additional operation attribute for use with the
Cancel-Jobs operation (see [RFC2911] Section 3.3.3).
4.3.1 purge-job[th1] (boolean)
The "purge-job" Operation attribute controls whether the specified job is
canceled or purged as follows:
'false': Default value. The Printer cancels the specified job as specified
in [RFC2911] Section 3.3.3 which MAY leave a Retained Job with document data
on the Printer for possible re-processing (e.g., using the Reprocess-Job or
Resubmit-Job operations) and/or Job History. Note: If the client omits this
attribute or supplies the 'false' value, the behavior of the Cancel-Job
operation is as specified in [RFC2911].
'true': If the authenticated user is the job owner of the job specified by
the "job-id" or "job-uri" operation attribute or is a privileged operator or
administrator of the Printer, the Printer MUST purge the specified job
according to the semantics of the Purge-Jobs operation independent of the
job's state, but only for the specified job, i.e., remove all record of the
specified job, including attributes, history and document data.
The client MAY supply this Operation attribute and the Printer MAY support
this Operation attribute in the Cancel-Job operation.
I'd just make the authenticated user case more generic, and also document
that Cancel-Jobs with purge-jobs=true will fail if the user is not
authorized, e.g.:
'true': If the authenticated user is allowed to purge a job by the
Printer's security policy (typically if the owner of the job specified by
the "job-id" or "job-uri" operation attribute matches) or is a privileged
operator or administrator of the Printer, the Printer MUST purge the
specified job according to the semantics of the Purge-Jobs operation
independent of the job's state, but only for the specified job, i.e., remove
all record of the specified job, including attributes, history and document
data. Otherwise, the IPP object MUST reject the operation and return:
client-error-forbidden, client-error-not-authenticated, and
client-error-not-authorized as appropriate.
The wording of the last sentence matches RFC 2911's Purge-Jobs description.
4.4 Purge-Jobs operation
This section specified additional operation attributes for use with the
Cancel-Jobs operation (see [RFC2911] Section 3.3.7).
4.4.1 my-jobs[th2] [th3] (boolean)
The "my-jobs" Operation attribute allows the client to request the target
jobs to be (1) all jobs or (2) only jobs owned by the requesting user.
However, the Printer MUST further restrict the target jobs as follows:
'false': Default value. The target jobs are all jobs, unless the
Authenticated user supplying the request is NOT an operator or administrator
of the Printer, in which case the Printer MUST restrict the target jobs to
those belonging to the requesting user.[th4]
'true': The target jobs are limited to those owned by the Authenticated
user submitting the request.
The client MAY supply this Operation attribute and the Printer MAY support
this Operation attribute in the Purge-Jobs operation.
I'd add the following to the 4.4 introduction to address th2-th5:
Access Rights: The following attributes may allow the authenticated user
(see RFC 2911 section 8.3) performing this operation to be an ordinary user
depending on the Printer's security policy. When ordinary users are not
allowed to use the Purge-Jobs operation, the IPP object MUST continue to
reject the operation and return: client-error-forbidden,
client-error-not-authenticated, and client-error-not-authorized as
appropriate.
Then move the table into 4.4, before the description of the attributes.
4.4.2 purge-job (boolean)
The "purge-job" Operation attribute controls whether the target jobs are
canceled or purged as follows:
'false': The Printer cancels the target jobs as specified in [RFC2911]
Section 3.3.3 Cancel-Job which MAY leave a Retained Job with document data
on the Printer for possible re-processing (e.g., using the Reprocess-Job or
Resubmit-Job operations) and/or Job History.
'true': Default value[th5] . The Printer purges the target jobs as
specified in [RFC2911] Section 3.2.9 Purge-Jobs. Note: If the client omits
this attribute or supplies the 'true' value, the behavior of the Purge-Jobs
operation is as specified in [RFC2911] for the target jobs.
The client MAY supply this Operation attribute and the Printer MAY support
this Operation attribute in the Purge-Jobs operation.
The behavior for the Purge-Jobs operation for these two Operation attributes
for unprivileged users vs. operators and administrator of the Printer is
shown in Table 2.
Table 2: Interaction of "my-jobs" and "purge-jobs" attributes in the
Purge-Jobs operation
Operation attributes
Unprivileged user
Operator or Administrator of the Printer
"my-jobs" = 'false' or omitted
"purge-jobs" = 'false'
Cancel only my jobs (Printer overrides "my-jobs" = 'false')
Cancel all jobs
"my-jobs" = 'true'
"purge-jobs" = 'false'
Cancel only my jobs
Cancel only my jobs
"my-jobs" = 'false' or omitted
"purge-jobs" = 'true' or omitted
Purge only my jobs (Printer overrides "my-jobs" = 'false')
Purge all jobs
"my-jobs" = 'true'
"purge-jobs" = 'true' or omitted
Purge only my jobs
Purge only my jobs
-----Original Message-----
From: <mailto:ipp-bounces at pwg.org> ipp-bounces at pwg.org [mailto:
<mailto:ipp-bounces at pwg.org> ipp-bounces at pwg.org] On Behalf Of Michael Sweet
Sent: Monday, September 14, 2009 14:41
To: <mailto:ipp at pwg.org> ipp at pwg.org
Subject: [IPP] Descriptions of CUPS additions to the Cancel-Job and
Purge-Jobs operations
All,
Here are the descriptions for the CUPS additions to the Cancel-Job and
Purge-Jobs operations. These came up in today's conference call...
------------------------------------------------------
Cancel Job Operation
The Cancel-Job operation (0x0008) cancels the specified job. CUPS 1.4
adds a new purge-job (boolean) attribute that allows you to purge both
active and completed jobs, removing all history and document files for
the job as well.
Cancel-Job Request
The following groups of attributes are supplied as part of the Cancel-
Job request:
Group 1: Operation Attributes
Natural Language and Character Set:
The "attributes-charset" and "attributes-natural-language"
attributes as described in section 3.1.4.1 of the IPP Model and
Semantics document.
"printer-uri" (uri) and "job-id" (integer)
OR
"job-uri":
The client MUST supply a URI for the specified printer and a job
ID number, or the job URI.
"purge-job" (boolean):
The client OPTIONALLY supplies this attribute. When true, all job
files (history and document) are purged. The default is false, leading
to the standard IPP behavior.
Cancel-Job Response
The following groups of attributes are send as part of the Cancel-Job
Response:
Group 1: Operation Attributes
Status Message:
The standard response status message.
Natural Language and Character Set:
The "attributes-charset" and "attributes-natural-language"
attributes as described in section 3.1.4.2 of the IPP Model and
Semantics document.
Purge-Jobs Operation
The Purge-Jobs operation (0x0012) cancels all of the jobs on a given
destination and optionally removes all history and document files for
the jobs as well.
Purge-Jobs Request
The following groups of attributes are supplied as part of the Purge-
Jobs request:
Group 1: Operation Attributes
Natural Language and Character Set:
The "attributes-charset" and "attributes-natural-language"
attributes as described in section 3.1.4.1 of the IPP Model and
Semantics document.
"printer-uri" (uri):
The client MUST supply a URI for the specified printer or
"ipp://.../printers
" for all printers and classes.
"requesting-user-name" (name(MAX)):
The client OPTIONALLY supplies this attribute to specify whose
jobs jobs are purged or canceled.
"my-jobs" (boolean):
The client OPTIONALLY supplies this attribute to specify that
only the jobs owned by the requesting user are purged or canceled. The
default is false.
"purge-jobs" (boolean):
The client OPTIONALLY supplies this attribute to specify whether
the jobs are purged (true) or just canceled (false). The default is
true.
Purge-Jobs Response
The following groups of attributes are send as part of the Purge-Jobs
Response:
Group 1: Operation Attributes
Status Message:
The standard response status message.
Natural Language and Character Set:
The "attributes-charset" and "attributes-natural-language"
attributes as described in section 3.1.4.2 of the IPP Model and
Semantics document.
__________________________________________________
Michael Sweet, Senior Printing System Engineer
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
_______________________________________________
ipp mailing list
ipp at pwg.orghttps://www.pwg.org/mailman/listinfo/ipp
_____
ISSUE: Allowing an unprivileged user to purge his job using Cancel-Job,
could circumvent accounting in those systems that use Retained Jobs and Job
History for accounting.
ISSUE: Allowing an unprivileged user to purge his jobs using Purge-Jobs,
could circumvent accounting in those systems that use Retained Jobs and Job
History for accounting.
One solution would be to only allow Purge-Jobs for operator or administrator
as in [RFC 2911].
ISSUE: Instead of adding "my-jobs" and "purge-job" to Purge-Jobs, a simpler
way to allow an unprivileged user to cancel all his jobs, instead of just a
specified job, would be to add "all-my-jobs" (boolean) Operation attribute
to the Cancel-Job operation. When the client supplies this attribute with a
'true' value, the client MUST NOT supply a "job-id" or "job-url" Operation
attribute.
ISSUE: Or should the spec say the Printer MUST reject the operation and
return: client-error-forbidden, client-error-not-authenticated, and
client-error-not-authorized as appropriate, as for Purge-Jobs in RFC 2911
section 3.2.9
ISSUE: The "purge-job" (boolean) Operation attribute has the 'true' value
here as its default. Usually, it's the 'false' value that is the default.
More confusingly, the "purge-job" (boolean) Operation attribute (correctly)
has the 'false' value in the Cancel-Job operation above.
__________________________________________________
Michael Sweet, Senior Printing System Engineer
--
This message has been scanned for viruses and
dangerous content by <http://www.mailscanner.info/> MailScanner, and is
believed to be clean.
_______________________________________________
ipp mailing list
ipp at pwg.orghttps://www.pwg.org/mailman/listinfo/ipp
___________________________________________________
Michael Sweet, Senior Printing System Engineer
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.pwg.org/pipermail/ipp/attachments/20091003/001fb2f7/attachment-0001.html>