[Python-Dev] Capabilities (we already got one)

Zooko zooko@zooko.com
Wed, 02 Apr 2003 18:08:12 -0500

(I, Zooko, wrote the lines prepended with "> > ".)

 Ping wrote:
> > I think that in restricted-execution-mode (hereafter: "REM", as per Greg Ewing's
> > suggestion [1]), Python objects have encapsulation -- one can't access their
> > private data without their permission.
> >
> > Once this is done, Python references are capabilities.
> Aaack!  I wish you would *stop* saying that!
> There is no criterion by which a reference is or is not a capability.
> To talk in such terms only confuses the issue.

Let me be a little more precise.

Once Python objects are encapsulated, then possession of a reference is 
constrained in the following way: you can have a reference only if another 
object that had it chose to give it to you (or if you create something yourself, 
in which case you get the first-ever reference to it).

This constraint happens to be the same constraint that the rule of capabilities 
imposes on the transmission of capabilities: you can have a capability only if 
someone else who had it chose to give it to you (or if you create something 
yourself, in which case you get the first-ever capability to it).

Therefore, if you wish to use capability access control to manage access to 
resources in Python you can use the following technique:

1.  Encapsulate the resource that you wish to control in a Python object.
2.  Say to yourself "References are capabilities!".  
3.  Control the way references to that object are shared.

Doing it this way will yield the advantages that capability access control 
enjoys over alternative access control models.  It also has the advantage that 
your skills at Python programming can be applied directly to the problem of 
managing access control, without requiring you to learn any new policy language 
or new concepts.

You are quite right, Ping, that capability access control could be enforced in 
other ways in Python.  I didn't mean to say "capabilities are Python 
references", which would imply that capability access control could not be 
implemented in any other way.

I'm deliberately refraining from posting about the issue of controlling import 
of modules and builtins in an attempt to "slow down" the discussion until Guido 
returns from Python UK.



         ^-- under re-construction: some new stuff, some broken links