[Python-Dev] Capabilities (we already got one)
Zooko zooko@zooko.com
Wed, 02 Apr 2003 18:08:12 -0500
(I, Zooko, wrote the lines prepended with "> > ".)
Ping wrote:
> > I think that in restricted-execution-mode (hereafter: "REM", as per Greg Ewing's
> > suggestion [1]), Python objects have encapsulation -- one can't access their
> > private data without their permission.
> >
> > Once this is done, Python references are capabilities.
>
> Aaack! I wish you would stop saying that! There is no criterion by which a reference is or is not a capability. To talk in such terms only confuses the issue.
Let me be a little more precise.
Once Python objects are encapsulated, then possession of a reference is constrained in the following way: you can have a reference only if another object that had it chose to give it to you (or if you create something yourself, in which case you get the first-ever reference to it).
This constraint happens to be the same constraint that the rule of capabilities imposes on the transmission of capabilities: you can have a capability only if someone else who had it chose to give it to you (or if you create something yourself, in which case you get the first-ever capability to it).
Therefore, if you wish to use capability access control to manage access to resources in Python you can use the following technique:
- Encapsulate the resource that you wish to control in a Python object.
- Say to yourself "References are capabilities!".
- Control the way references to that object are shared.
Doing it this way will yield the advantages that capability access control enjoys over alternative access control models. It also has the advantage that your skills at Python programming can be applied directly to the problem of managing access control, without requiring you to learn any new policy language or new concepts.
You are quite right, Ping, that capability access control could be enforced in other ways in Python. I didn't mean to say "capabilities are Python references", which would imply that capability access control could not be implemented in any other way.
I'm deliberately refraining from posting about the issue of controlling import of modules and builtins in an attempt to "slow down" the discussion until Guido returns from Python UK.
Regards,
Zooko
http://zooko.com/
        ^-- under re-construction: some new stuff, some broken links
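
The three-step technique described in the message, as an added example that is not part of the original post or the Python-Dev thread: a resource wrapped in an object, with access decided only by which reference each function is handed. The names (`Log`, `read_only`, `revocable`, `auditor`) are hypothetical, and the read-only facet and revocable forwarder go a step beyond the message's text. Stock CPython does not enforce the encapsulation that the message assumes REM provides.

```python
# Added illustration (not from the original message). Assumes an interpreter
# that enforces encapsulation (the thread's "REM"); stock CPython does not,
# so this shows the reference-passing discipline, not an enforced sandbox.

class Log:
    """Step 1: the resource, encapsulated in an object."""
    def __init__(self):
        self._lines = []
    def append(self, line):
        self._lines.append(line)
    def read(self):
        return list(self._lines)

def read_only(log):
    """Attenuate: build a reference that can read the log but not append."""
    class Reader:
        def read(self):
            return log.read()
    return Reader()

def revocable(target):
    """Return (proxy, revoke); the proxy forwards until revoke() is called."""
    cell = [target]
    class Proxy:
        def __getattr__(self, name):
            if cell[0] is None:
                raise PermissionError("capability revoked")
            return getattr(cell[0], name)
    def revoke():
        cell[0] = None
    return Proxy(), revoke

def auditor(reader):
    """Holds only the reference it was given, so it can read and nothing else."""
    return len(reader.read())

def demo():
    log = Log()                        # creator holds the first-ever reference
    log.append("started")
    reader = read_only(log)            # step 3: decide what to share...
    proxy, revoke = revocable(reader)  # ...and keep the ability to withdraw it
    seen = auditor(proxy)              # auditor never receives `log` itself
    revoke()
    try:
        auditor(proxy)
        revoked = False
    except PermissionError:
        revoked = True
    return seen, hasattr(reader, "append"), revoked
```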