
[Translation] PhpGACL Manual (Part 3)

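2005-02-20 00:00

Continuing the translation today. Someone has already pointed out problems in what I wrote earlier; after talking them over, I feel I have improved quite a bit. Feedback is what gives you motivation, after all. Didn't Lu Xun himself lament "shouting among strangers"? How frightening it is to get no feedback! So I sincerely hope friends will leave comments here: encouragement drives me forward, and criticism makes me reflect.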

Adding groups

Han feels this ACL is starting to look a little complicated. There are so many exceptions! Perhaps he should make another group, "Engineers", containing the people who are allowed access to the Engines and Guns. That group should contain Han and R2D2 since they're both capable of repairing the engines and guns. This means Han can remove some of those messy exceptions-to-the-rules, and that has the benefit of making the description clearer:

Default: DENY ALL
Millennium Falcon Passengers
├─Crew [ALLOW: ALL]
│ ├─Han
│ └─Chewie [DENY: Engines]
├─Passengers [ALLOW: Lounge]
│ ├─Jedi [ALLOW: Cockpit]
│ │ ├─Obi-wan
│ │ └─Luke [ALLOW: Guns]
│ ├─R2D2 [ALLOW: Engines]
│ └─C3PO
└─Engineers [ALLOW: Engines, Guns]
  ├─Han
  └─R2D2

We can read this as "By default, no-one has access to anywhere. Crew have access to everywhere (except Chewie, who has no access to the Engines). Passengers only have access to the Lounge, except Jedi who also have access to the Cockpit. Luke has access to the Guns too. Engineers are allowed access to the Engines and Guns."

Most importantly, we can see that Han and R2D2 are now in two places in the ACL. It is not necessary for them to be uniquely categorized at all. This defines the policy more clearly to the reader: "Ahh, Han and R2D2 have access to the Engines and Guns because they're engineers."

Adding people

Han goes to Cloud City to pick up Lando and get some repairs. Lando's the Millennium Falcon's previous owner, so Han reckons he qualifies as Crew. Lando also offers the services of his top engineer, Hontook, for help with repairing the ship while they're in dock.

Default: DENY ALL
Millennium Falcon Passengers
├─Crew [ALLOW: ALL]
│ ├─Han
│ ├─Chewie [DENY: Engines]
│ └─Lando
├─Passengers [ALLOW: Lounge]
│ ├─Jedi [ALLOW: Cockpit]
│ │ ├─Obi-wan
│ │ └─Luke [ALLOW: Guns]
│ ├─R2D2 [ALLOW: Engines]
│ └─C3PO
└─Engineers [ALLOW: Engines, Guns]
  ├─Han
  ├─R2D2
  └─Hontook

This shows how easy it is to grant new people access. If we used the original matrix scheme, we'd have to set permissions for each room for both Lando and Hontook. Instead, we simply add them to their appropriate groups and their access is implicitly and easily defined.

Resolving conflicts

What happens if we add Chewie to the list of Engineers?

Default: DENY ALL
Millennium Falcon Passengers
├─Crew [ALLOW: ALL]
│ ├─Han
│ ├─Chewie [DENY: Engines]
│ └─Lando
├─Passengers [ALLOW: Lounge]
│ ├─Jedi [ALLOW: Cockpit]
│ │ ├─Obi-wan
│ │ └─Luke [ALLOW: Guns]
│ ├─R2D2 [ALLOW: Engines]
│ └─C3PO
└─Engineers [ALLOW: Engines, Guns]
  ├─Han
  ├─R2D2
  ├─Hontook
  └─Chewie

This makes Chewie's access to the Engines ambiguous, because now there are two paths from the root of the tree to Chewie. If the ship's computer follows one path (along the "Crew" branch), the result is "DENY access to Engines." If it follows the other path (along the "Engineers" branch) then the result is "ALLOW access to Engines". So, is he allowed or denied?

phpGACL will warn you if you add or edit a multiply-grouped ARO in such a way that the access to an arbitrary ACO would be ambiguous. But it is up to you to resolve the conflict.

If we now asked phpGACL the question "Does Chewie have access to Engines?" the result returned is the result given by the last ACL entry to be modified (this is phpGACL's policy). In this case the result is ALLOW, because the "ALLOW: Engines, Guns" directive assigned to the Engineers Group is more recent than the "DENY: Engines" directive assigned to Chewie's Group.

When ambiguous access entries exist in the ACL, the ACL is said to be inconsistent. Inconsistent ACLs can be very dangerous, and you may unwittingly provide access to inappropriate people if you allow your ACL to remain in this state. When phpGACL warns you that the ACL is inconsistent, it is best to resolve the conflicts as soon as possible to regain consistency.

To resolve the conflict in this case, we could either:

1. Remove the "DENY: Engines" directive from Chewie's entry under the Crew Group.

2. Add a "DENY: Engines" directive to Chewie's entry under the Engineers Group.

3. Remove Chewie from the Engineers Group, since Han doesn't think him a worthy Engineer anyway.

Han chooses option 3, and removes Chewie from the Engineers list.
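
The conflict described above, as a small Python model (an added example, not code from the phpGACL manual or project). The rule layout, the `modified` counters and the function names are assumptions made for illustration, and a path with no matching directive is treated as silent rather than as a DENY vote.

```python
# Simplified model of the tree above; not phpGACL's API or schema.
DEFAULT = "DENY"
ACOS = ["Lounge", "Cockpit", "Engines", "Guns"]
PARENT = {"Crew": None, "Passengers": None, "Engineers": None, "Jedi": "Passengers"}
MEMBERS = {  # group -> AROs; an ARO may sit in several groups
    "Crew": {"Han", "Chewie", "Lando"},
    "Passengers": {"R2D2", "C3PO"},
    "Jedi": {"Obi-wan", "Luke"},
    "Engineers": {"Han", "R2D2", "Hontook", "Chewie"},  # the conflicting state
}
RESOLVED = {**MEMBERS, "Engineers": MEMBERS["Engineers"] - {"Chewie"}}  # option 3
# (modified, group, ARO or None, ACO, access); modified is a constructed counter.
RULES = [
    (1, "Crew", None, "ALL", "ALLOW"),
    (2, "Crew", "Chewie", "Engines", "DENY"),
    (3, "Passengers", None, "Lounge", "ALLOW"),
    (4, "Jedi", None, "Cockpit", "ALLOW"),
    (5, "Jedi", "Luke", "Guns", "ALLOW"),
    (6, "Passengers", "R2D2", "Engines", "ALLOW"),
    (7, "Engineers", None, "Engines", "ALLOW"),
    (7, "Engineers", None, "Guns", "ALLOW"),
]

def path_decision(group, aro, aco):
    """Most specific directive on one root-to-ARO path; None if the path is silent."""
    scopes = [(group, aro)]            # the ARO's own entry under this group
    while group is not None:           # then the group and each ancestor
        scopes.append((group, None))
        group = PARENT[group]
    for scope in scopes:
        hits = [r for r in RULES if (r[1], r[2]) == scope and r[3] in (aco, "ALL")]
        if hits:
            newest = max(hits, key=lambda r: r[0])
            return newest[4], newest[0]
    return None

def check(aro, aco, members=MEMBERS):
    """Return (access, inconsistent) for one ARO/ACO pair."""
    paths = [path_decision(g, aro, aco) for g in sorted(members) if aro in members[g]]
    found = [p for p in paths if p is not None]  # assumption: silent paths do not vote
    if not found:
        return DEFAULT, False
    inconsistent = len({access for access, _ in found}) > 1
    return max(found, key=lambda p: p[1])[0], inconsistent  # last modified entry wins

def inconsistencies(members=MEMBERS):
    """Audit: every (ARO, ACO) pair whose paths disagree."""
    aros = sorted(set().union(*members.values()))
    return [(a, c) for a in aros for c in ACOS if check(a, c, members)[1]]
```

Running `inconsistencies()` before and after a membership change gives the same kind of warning the text describes: the pair is flagged while the paths disagree and disappears once one of the three options is applied.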