From b56f7889a26db5bb34f9bcef8fdf51be55f429cd Mon Sep 17 00:00:00 2001
From: Nicolas Favre-Felix
Date: Fri, 31 Dec 2010 13:41:22 +0100
Subject: [PATCH] ACL doc.

---
 README.markdown | 31 +++++++++++++++++++++++++++++++
 webdis.json | 23 +++--------------------
 2 files changed, 34 insertions(+), 20 deletions(-)

diff --git a/README.markdown b/README.markdown
index b6e267a..e6b43cf 100644
--- a/README.markdown
+++ b/README.markdown
@@ -51,6 +51,37 @@ The URI `/COMMAND/arg0/arg1/.../argN` executes the command on Redis and returns
 * `GET /COMMAND/arg0/.../argN`
 * `POST /` with `COMMAND/arg0/.../argN` in the HTTP body.

+# ACL
+Access control is configured in `webdis.json`. Each configuration tries to match a client profile according to two criterias:
+
+* [CIDR](http://en.wikipedia.org/wiki/CIDR) subnet + mask
+* [HTTP Basic Auth](http://en.wikipedia.org/wiki/Basic_access_authentication) in the format of "user:password".
+
+Each ACL contains two lists of commands, `enabled` and `disabled`. All commands being enabled by default, it is up to the administrator to disable or re-enable them on a per-profile basis.
+Examples:
+
+{
+	"disabled":	["DEBUG", "FLUSHDB", "FLUSHALL"],
+},
+{
+	"http_basic_auth": "user:password",
+	"disabled":	["DEBUG", "FLUSHDB", "FLUSHALL"],
+	"enabled":	["SET"]
+},
+
+{
+	"ip": 		"192.168.10.0/24",
+	"enabled":	["SET"]
+},
+
+{
+	"http_basic_auth": "user:password",
+	"ip": 		"192.168.10.0/24",
+	"enabled":	["SET", "DEL"]
+}
+
+ACLs are interpreted in order, later authorizations superseding earlier ones if a client matches several.
+
 # JSON output
 JSON is the default output format. Each command returns a JSON object with the command as a key and the result as a value.

diff --git a/webdis.json b/webdis.json
index 10051dc..611c3f5 100644
--- a/webdis.json
+++ b/webdis.json
@@ -8,30 +8,13 @@
 "http_port": 7379,

 "acl": [
-
- {
- "http_basic_auth": "user:password",
- "disabled": ["DEBUG", "FLUSHDB", "FLUSHALL"],
- "enabled": ["SET"]
- },
-
- {
- "ip": "192.168.10.0/24",
- "disabled": ["SET", "FLUSHDB", "FLUSHALL"],
- "enabled": ["*"]
- },
-
 {
- "http_basic_auth": "user:password",
- "ip": "192.168.10.0/24",
- "disabled": ["FLUSHDB", "FLUSHALL"],
- "enabled": ["SET", "*"]
+ "disabled": ["DEBUG"]
 },

 {
- "ip": "0.0.0.0/0",
- "disabled": ["SET"],
- "enabled": ["SET"]
+ "http_basic_auth": "user:password",
+ "enabled": ["DEBUG"]
 }
 ]
 }
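Review bot: The catch-all entry in the new `acl` list disables only `DEBUG`, and the README text added in this same patch says every command is enabled unless an ACL disables it, so with this sample config a client that matches no other profile can still issue `FLUSHDB` and `FLUSHALL` over HTTP. Consider keeping the destructive commands in the default entry, `"disabled": ["DEBUG", "FLUSHDB", "FLUSHALL"]`, which is also what the first README example shows. The second entry re-enables `DEBUG` for the literal `"user:password"` pair; if the file is deployed unmodified, that is a publicly known credential, and Basic Auth is sent only base64-encoded, so it would be worth a README sentence telling administrators to replace it and to put TLS in front of the listener. Strict JSON has no comment syntax, so that guidance belongs in the README rather than in webdis.json.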