Safer Apache Driving with AAA
In the interim between Apache 2.0.43 and Apache 2.0.44, some very substantial changes went into the authentication/authorization/access control (collectively referred to as AAA) code in Apache. This caused some panic in people that were paying attention. In particular, there was some consternation in the documentation team, as this meant that in a minor point-release of Apache, there were changes that would require that Apache administrators change the way that they configured AAA on their servers. Authentication/authorization/access control in Apache is due for a huge overhaul in Apache 2.1, the development branch that will eventually be released as Apache 2.2. Rich Bowen covers some of these changes and how they may affect your Apache server.
As a response to this consternation, many of these changes were either backed out, or altered such that existing configuration files would continue to work, and that people could get used to the configuration changes gradually. The full changes will be in Apache 2.1, which is the development branch that will be eventually released as Apache 2.2.
As one of the people that panicked, I feel somewhat responsible for keeping some real goodness from the Apache-using population for longer than was really necessary. So, this article is in penance for my role in that. Because, you see, my panic was rather misplaced. The new AAA stuff makes more sense than the old, is more logical, far more flexible and extensible, and is a perfect example of the incredible talent that exists within the Apache Software Foundation.
And so, before we go on, I want to make sure to give credit where credit is due. Much of the work on this new AAA system was done by Justin Erenkrantz, including the unfortunate task of retrofitting it so that it kept working with old configuration files.
Definition of terms
As you are probably already aware, AAA is divided into three parts that have important differences, but which are often smushed together in people's minds due to the current implementation, which makes very little distinction between them.
Authentication is the process of finding out if you are who you claim to be. In the real world, this is often accomplished with some form of photo identification. This illustrates that some higher authority (like the state government, for example) certifies that you are who you claim to be. In the networked world, this usually takes the form of a username and password, which, presumably, nobody else knows.
Authorization is determining, once we know who you are, whether you are allowed in. I usually make the analogy to a plane ticket, which is required in addition to your identification (authentication) in order to get on a plane.
Finally, access control is the application of some other, and usually unrelated, criteria, to control access. This can be your network address, the time of the day, or the phase of the moon. (Yes, I have written an AC module that restricts access based on the phase of the moon.)
In Apache 1.3, and Apache 2.0, these three processes tend to get slightly jumbled together -- particularly the first two. This is probably more the fault of the various auth tutorials out there, which tend to make the distinction, and then proceed to ignore it.
In the Apache 2.1 AAA framework, these things are more clearly separated. This is primarily to the benefit of module developers, but also helps the server administrator to have an enormous amount of additional control over how things happen.
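To make the three-way split concrete, here is a configuration stanza written in the Apache 2.2-era directive style, with each block labelled by the phase it belongs to. This is an added illustration, not configuration from the article; the directory path, password and group file paths, the group name "staff" and the 192.0.2.0/24 network are constructed values.

```apache
<Directory "/var/www/private">
    # Authentication: who are you?  Basic auth checked against a flat
    # htpasswd file (mod_auth_basic + mod_authn_file).
    AuthType Basic
    AuthName "Private area"
    AuthBasicProvider file
    AuthUserFile "/etc/apache2/htpasswd.private"
    AuthGroupFile "/etc/apache2/htgroup.private"

    # Authorization: now that we know who you are, are you allowed in?
    # Only members of the "staff" group (mod_authz_groupfile).
    Require group staff

    # Access control: an unrelated criterion, here the client network
    # (mod_authz_host). Deny by default, allow one constructed subnet.
    Order deny,allow
    Deny from all
    Allow from 192.0.2.0/24

    # Require both the identity checks and the network check to pass;
    # "Satisfy Any" would let either one alone open the door.
    Satisfy All
</Directory>
```

Reading the stanza top to bottom shows why the distinction matters: a valid password proves identity but not membership, membership grants entry but says nothing about where the request came from, and Satisfy decides how the independent verdicts combine.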