[Python-Dev] Capabilities (we already got one)
Wed, 02 Apr 2003 18:08:12 -0500
(I, Zooko, wrote the lines prepended with "> > ".)
> > I think that in restricted-execution-mode (hereafter: "REM", as per Greg Ewing's
> > suggestion ), Python objects have encapsulation -- one can't access their
> > private data without their permission.
> > Once this is done, Python references are capabilities.
> Aaack! I wish you would *stop* saying that!
> There is no criterion by which a reference is or is not a capability.
> To talk in such terms only confuses the issue.
Let me be a little more precise.
Once Python objects are encapsulated, then possession of a reference is
constrained in the following way: you can have a reference only if another
object that had it chose to give it to you (or if you create something yourself,
in which case you get the first-ever reference to it).
This constraint happens to be the same constraint that the rule of capabilities
imposes on the transmission of capabilities: you can have a capability only if
someone else who had it chose to give it to you (or if you create something
yourself, in which case you get the first-ever capability to it).
Therefore, if you wish to use capability access control to manage access to
resources in Python you can use the following technique:
1. Encapsulate the resource that you wish to control in a Python object.
2. Say to yourself "References are capabilities!".
3. Control the way references to that object are shared.
Doing it this way will yield the advantages that capability access control
enjoys over alternative access control models. It also has the advantage that
your skills at Python programming can be applied directly to the problem of
managing access control, without requiring you to learn any new policy language
or new concepts.
You are quite right, Ping, that capability access control could be enforced in
other ways in Python. I didn't mean to say "capabilities are Python
references", which would imply that capability access control could not be
implemented in any other way.
I'm deliberately refraining from posting about the issue of controlling import
of modules and builtins in an attempt to "slow down" the discussion until Guido
returns from Python UK.
^-- under re-construction: some new stuff, some broken links