Clarify security; state what [] means
#4007
Conversation
rvedotrc
force-pushed
the
warn-about-ambiguity
branch
3 times, most recently
from
914c581
to
581ec03
Compare
handrews
added
security
security: config
rvedotrc
force-pushed
the
warn-about-ambiguity
branch
from
f6d013a
to
546ea6f
Compare
Port of OAI#4007 to v3.2.0-dev
Port of OAI#4007 to v3.0.4-dev
Port of OAI#4007 to v3.2.0-dev
Port of OAI#4007 to v3.0.4-dev
Port of OAI#4007 to v3.2.0-dev
|
My thoughts after today's TDC call:
Note that we have a whole section on "filtering" an OAD due to security constraints, and also a note that allows an empty Paths Object because a filtered OAD might filter out all of the Path Item Objects if the target audience is not allowed to see them. So I think the right thing to do here is to acknowledge the ambiguities:
I no longer think there is an "undefined" or "implementation-defined" thing here. Lack of |
Explicit in the sense that it's hard to argue that there's a different, better interpretation, yes :-) I'll have a go at creating a wording to match what you just wrote @handrews |
rvedotrc
changed the title
security; state that [] is undefined behavioursecurity; state what [] means
rvedotrc
force-pushed
the
warn-about-ambiguity
branch
from
94f0ae3
to
e878b96
Compare
There was a problem hiding this comment.
After some thought and investigation, I do not think any changes are needed to clarify the behavior of the security field in the current specifications. I've given an explanation for this in a comment on Issue 3938.
My recommendation is that we close this PR without merge.
I am 100% in agreement with @mikekistler |
|
TDC agrees that this is too much additional content, we only need a small clarification on what the empty array can mean, we will try to work on wording to answer #3938 |
|
Security: [] in an operation is the same as not defining a security property at the root of the document. It is saying "I have not specified in this API Description what the security requirements are". This goes back to the open/closed system debate we had years ago. The absence of some description does not say anything, positive or negative. e.g. Just because I don't declare an operation can return a 503 doesn't mean it will not return a 503. Just because I didn't tell you what security I mechanisms I use doesn't mean I don't have security on my API. |
based on discussions * OAI#3938 (comment) * OAI#4007
based on discussions * OAI#3938 (comment) * OAI#4007
based on discussions * OAI#3938 (comment) * OAI#4007
based on discussions * OAI#3938 (comment) * OAI#4007
based on discussions * OAI#3938 (comment) * OAI#4007
based on discussions * OAI#3938 (comment) * OAI#4007
based on discussions * OAI#3938 (comment) * OAI#4007
A partial fix for #3938 (partial because this PR only addresses 3.1.1-dev). Note that I have also created draft PRs to port this to the other two
-devbranches. I have no opinion on in which order they should be merged.Thoughts as far as I can tell so far, as we still try to find some consensus.
Mostly we're talking about two cases: (1) security is not specified, and (2) security is specified but empty (
[]); and for each of those two cases, obvious options include (a) define it as "allow all" aka "no security"; (b) define it as "deny all" aka "there is no way to authorize"; (c) state that the behaviour is undefined; (d) state that the behaviour is implementation-defined.Case 1: Leaving
securityunspecifiedsecurityshould actually be a required field). I don't think anyone is suggesting this option either.Case 2:
securityis[]security: []is how you express "deny all", andsecurity: [{}]is one way of expressing "allow all".Whichever one we opt for, could we also state that
security: []is deprecated? "Implementers of services SHOULD NOT introduce new instances ofsecurity: [], and SHOULD seek an alternative formulation.", for example?