Username/userid separation
Hi,

I've started the lra-userid_username_separation-branch (from Zope-2_8-branch to start from a stable point) in order to implement proper userid/username separation in Zope.

I don't intend to change the default user folder implementation, just the ZMI interface for owner and local roles so that they keep using userid for storage like they currently do but use usernames for display (specifically acl_users.getUserById(id).getUserName()). The intent is to never leak the userid to the ZMI (except for url query strings and such), and to never store the username persistently.

The motivating use case is an LDAP (eDirectory) authenticated system where the username for a user can change, but not the internal ID (a string).

This will also help ActiveDirectory integration, which also has an internal ID to reference users.

I remember there being a discussion about this in the list archives, but a Google search didn't help much.

Are there any other projects in this area that I should collaborate with instead of duplicating efforts?

Are there any considerations I should be aware of?

Are the "Proposals" wiki pages still used for this kind of change?

Cheers, Leo

--
Leonardo Rochael Almeida <leo@enfoldsystems.com>
Enfold Systems
On Wednesday, 03.08.2005, 21:01 -0300, Leonardo Rochael Almeida wrote:
Hi,
I've started the lra-userid_username_separation-branch (from Zope-2_8-branch to start from a stable point) in order to implement proper userid/username separation in Zope.
I don't intend to change the default user folder implementation, just the ZMI interface for owner and local roles so that they keep using userid for storage like they currently do but use usernames for display (specifically acl_users.getUserById(id).getUserName()). The intent is to never leak the userid to the ZMI (except for url query strings and such), and to never store the username persistently.
The motivating use case is an LDAP (eDirectory) authenticated system where the username for a user can change, but not the internal ID (a string).
This will also help ActiveDirectory integration, which also has an internal ID to reference users.
I remember there being a discussion about this in the list archives, but a Google search didn't help much.
Are there any other projects in this area that I should collaborate with instead of duplicating efforts?
Are there any considerations I should be aware of?
Are you aware of the PAS (Pluggable Auth Service) project? http://cvs.zope.org/Products/PluggableAuthService/

They already have a separation of uid and login. What this product could use is just some polishing and a lot of documentation for the users. All the other things you mention (including an LDAP plugin) are already done.
On 4 Aug 2005, at 01:01, Leonardo Rochael Almeida wrote:
Hi,
I've started the lra-userid_username_separation-branch (from Zope-2_8-branch to start from a stable point) in order to implement proper userid/username separation in Zope.
Chris McDonough did most of that for Zope 2.7 already a long long time ago. There might be cleanups needed here and there, but for all practical purposes the separation exists and works. The standard user folder implementation doesn't support it AFAIK. Where specifically do you see it not work?

I've been using it for the LDAPUserFolder for ages where you can specify different attributes for the ID and the login, and change the login value at will. And, like Tino mentioned, PAS uses it as well.

jens
On Thu, 2005-08-04 at 08:39 +0100, Jens Vagelpohl wrote:
On 4 Aug 2005, at 01:01, Leonardo Rochael Almeida wrote:
Hi,
I've started the lra-userid_username_separation-branch (from Zope-2_8-branch to start from a stable point) in order to implement proper userid/username separation in Zope.
Chris McDonough did most of that for Zope 2.7 already a long long time ago. There might be cleanups needed here and there, but for all practical purposes the separation exists and works. The standard user folder implementation doesn't support it AFAIK. Where specifically do you see it not work?
AFAICS, in AccessControl/dtml/owner.dtml, the owner string that is rendered to the browser comes from Owned.owner_info() in AccessControl/Owned.py, which comes, untranslated, from Owned.getOwnerTuple(), which retrieves the value that is set from Owned.changeOwnership(), which calls ownerInfo(), which gets the path to the user folder and user.getId(), as it should, since we are assuming that .getId() is the immutable and potentially not-displayable identifier for the user that comes from the user source.

What I'm proposing is to change owner.dtml (with the eventual help of owner_info()) to get the username equivalent to that userid and display that instead.

Also, in AccessControl/listLocalRoles.dtml and editLocalRoles.dtml, the usernames that are rendered from users that already have local roles are the keys from the RoleManager.__ac_local_roles__ attribute from AccessControl/Role.py. These keys eventually come from RoleManager.get_valid_userids(), which calls acl_users.user_names() for all acl_users in its acquisition path. In the default Zope user folder implementation, .user_names() calls getUserNames(), which is supposed to list usernames, not userids, which means we've been storing usernames in __ac_local_roles__ all this time.

This could break if the username for a certain acl_users implementation changes, especially since User.getRolesInContext() looks up __ac_local_roles__ with self.getId() and not self.getUserName() in AccessControl/User.py. (Actually, isn't it odd that the local roles management is not using the same approach of owner tuples like Owned.py does?)

I propose that we look up the userid for the username in RoleManager.manage_{add,set,del}LocalRoles() and change the signature of these methods to mention username instead of userid.

This might leave us with a slight window for mismatches if the username for a userid changes between selecting the user in the listLocalRoles screen and actually setting it after the editLocalRoles screen, but at least we avoid having to make sure binary userids are correctly quoted through all the HTML and URL roundtrips.

What do you guys think?
I've been using it for the LDAPUserFolder for ages where you can specify different attributes for the ID and the login, and change the login value at will. And, like Tino mentioned, PAS uses it as well.
Yes, Enfold is aware of PAS, we've been doing the Plone integration for it and we intend to use it for this particular project for which I need the changes I mentioned above.

Cheers, Leo

--
Leonardo Rochael Almeida <leo@enfoldsystems.com>
Enfold Systems - http://www.enfoldsystems.com/
On Thu, 2005-08-04 at 16:20 -0300, Leonardo Rochael Almeida wrote:
I propose that we look up the userid for the username in RoleManager.manage_{add,set,del}LocalRoles() and change the signature of these methods to mention username instead of userid.
And we also need to change RoleManager.get_local_roles() to look up usernames for the stored userids.

But this leaves us with another interesting problem: in what user folder should we be looking up these ids? Theoretically, in all of them, like .list_valid_usernames() does, but this might bring some different interactions between local roles set for a username that exists in 2 or more user folders in the current acquisition path.

The definitive fix for this would involve storing the (userid, acl_users path) tuple in the local roles information after all, and changing User.localRolesInContext() accordingly, but this brings a host of backward compatibility issues which my suggestions above make some effort to avoid, I believe.

Cheers,

--
Leonardo Rochael Almeida <leo@enfoldsystems.com>
Enfold Systems - http://www.enfoldsystems.com/
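To make the mismatch Leo describes in his two messages above concrete, here is a small Python model, added here as an illustration; it is not Zope's code and not part of the thread. It uses a constructed user folder whose ids and logins differ (the LDAP case) and contrasts today's behaviour, where the key stored in __ac_local_roles__ is the login listed by user_names(), with the proposal: resolve the login to the id in manage_addLocalRoles and map ids back to logins in get_local_roles for display. The class and method names are assumed simplifications of the real AccessControl ones.

```python
class User:
    def __init__(self, uid, login):
        self._uid, self._login = uid, login
    def getId(self):          # immutable identifier from the user source
        return self._uid
    def getUserName(self):    # login, may be changed in the directory

        return self._login

class UserFolder:
    # Constructed stand-in for an acl_users whose id and login differ.
    def __init__(self, *users):
        self._by_id = {u.getId(): u for u in users}
    def getUserById(self, uid):
        return self._by_id.get(uid)
    def getUser(self, login):
        return next((u for u in self._by_id.values() if u.getUserName() == login), None)
    def rename(self, uid, new_login):   # the directory changes a user's login
        self._by_id[uid]._login = new_login

class RoleManager:
    # Holds __ac_local_roles__ the way AccessControl/Role.py does (simplified).
    def __init__(self, acl_users):
        self.acl_users = acl_users
        self.__ac_local_roles__ = {}
    def manage_addLocalRoles_current(self, name, roles):
        # Today: the key is what user_names() listed in the ZMI, i.e. the login.
        self.__ac_local_roles__[name] = list(roles)
    def manage_addLocalRoles_proposed(self, name, roles):
        # Proposal: resolve the login to the immutable id before storing it.
        self.__ac_local_roles__[self.acl_users.getUser(name).getId()] = list(roles)
    def getRolesInContext(self, user):
        # Mirrors User.getRolesInContext: the lookup key is getId(), not the login.
        return self.__ac_local_roles__.get(user.getId(), [])
    def get_local_roles(self):
        # Proposed display side: map stored ids back to the current login.
        out = []
        for key, roles in self.__ac_local_roles__.items():
            user = self.acl_users.getUserById(key)
            out.append((user.getUserName() if user else key, roles))
        return out

def scenario(use_proposal):
    # Grant Manager via the ZMI, rename the login, report what the user gets.
    folder = UserFolder(User("guid-1001", "leo"))   # constructed sample user
    rm = RoleManager(folder)
    add = rm.manage_addLocalRoles_proposed if use_proposal else rm.manage_addLocalRoles_current
    add("leo", ["Manager"])
    before = rm.getRolesInContext(folder.getUser("leo"))
    folder.rename("guid-1001", "leonardo")
    after = rm.getRolesInContext(folder.getUser("leonardo"))
    return before, after, rm.get_local_roles()
```

With today's keying the user never receives the role in a folder where id and login differ, and the ZMI keeps showing the stale login "leo"; with the proposal the role survives the rename and the display follows the current login.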
Participants (3): Jens Vagelpohl, Leonardo Rochael Almeida, Tino Wildenhain