maintaining consistent security settings across cloned sites
I'm looking for a tool that will help maintain security settings, having been burned a couple of times. What I need is:
1. A tool to traverse a site and build a database of security settings that must be set for each of the various roles. Ideally this would remove redundancies and, perhaps, raise warnings when settings look strange.
2. A tool to apply said database to a site which is similar but, perhaps, not identical in structure--that is, some extra folders (and enclosed material) might appear in one site and not in another.
3. It would be nice if the security settings database could be read and edited off-line so they could be reviewed and corrected as a unit.
4. It has to be able to handle proxies.
5. It has to be able to handle roles beyond the usual Anonymous, Authorized, Manager, and Owner. It's OK to demand that both sites have the same user defined roles.
Anyone done anything like this?
On Tue, Aug 26, 2003 at 10:06:34AM -0700, Dennis Allison wrote:
> I'm looking for a tool that will help maintain security settings, having been burned a couple of times. What I need is:
> 1. A tool to traverse a site and build a database of security settings that must be set for each of the various roles. Ideally this would remove redundancies and, perhaps, raise warnings when settings look strange.
> 2. A tool to apply said database to a site which is similar but, perhaps, not identical in structure--that is, some extra folders (and enclosed material) might appear in one site and not in another.
> 3. It would be nice if the security settings database could be read and edited off-line so they could be reviewed and corrected as a unit.
> 4. It has to be able to handle proxies.
> 5. It has to be able to handle roles beyond the usual Anonymous, Authorized, Manager, and Owner. It's OK to demand that both sites have the same user defined roles.
> Anyone done anything like this?
Not me... #2 might be handled by an item on my TODO list for ZSyncer; I need to be able to independently sync and examine various features of objects: content, contained items, properties, security settings, DublinCore metadata. Also need to take all this stuff into account for comparing whether items are "in sync". Also need to provide features for viewing a comparison of each of these aspects (so you could see e.g. what security settings are different).
However, your requirements 1, 3, and 4 would be out-of-scope for ZSyncer. Also, this is probably a big job and I have no idea when I'll have anything working.
--
Paul Winkler http://www.slinkp.com Look! Up in the sky! It's THE RABID SATIRE! (random hero from isometric.spaceninja.com)
Paul,
Thanks for the input. I hope it isn't too big a job...
The problem we've seen is that the security settings don't transfer with the object. Usually that does not matter since most security settings are inherited and/or acquired. The problem lies with the few that have something special--and inevitably that breaks something.
On Tue, 26 Aug 2003, Paul Winkler wrote:
> On Tue, Aug 26, 2003 at 10:06:34AM -0700, Dennis Allison wrote:
> > I'm looking for a tool that will help maintain security settings, having been burned a couple of times. What I need is:
> > 1. A tool to traverse a site and build a database of security settings that must be set for each of the various roles. Ideally this would remove redundancies and, perhaps, raise warnings when settings look strange.
> > 2. A tool to apply said database to a site which is similar but, perhaps, not identical in structure--that is, some extra folders (and enclosed material) might appear in one site and not in another.
> > 3. It would be nice if the security settings database could be read and edited off-line so they could be reviewed and corrected as a unit.
> > 4. It has to be able to handle proxies.
> > 5. It has to be able to handle roles beyond the usual Anonymous, Authorized, Manager, and Owner. It's OK to demand that both sites have the same user defined roles.
> > Anyone done anything like this?
> Not me... #2 might be handled by an item on my TODO list for ZSyncer; I need to be able to independently sync and examine various features of objects: content, contained items, properties, security settings, DublinCore metadata. Also need to take all this stuff into account for comparing whether items are "in sync". Also need to provide features for viewing a comparison of each of these aspects (so you could see e.g. what security settings are different).
> However, your requirements 1, 3, and 4 would be out-of-scope for ZSyncer. Also, this is probably a big job and I have no idea when I'll have anything working.
> --
> Paul Winkler http://www.slinkp.com Look! Up in the sky! It's THE RABID SATIRE! (random hero from isometric.spaceninja.com)
_______________________________________________ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
On Tue, Aug 26, 2003 at 10:43:45AM -0700, Dennis Allison wrote:
> Paul,
> Thanks for the input. I hope it isn't too big a job...
> The problem we've seen is that the security settings don't transfer with the object.
They don't??? Are you using zsyncer or just export / import or what? Either way I'd be disturbed to learn that security settings don't transfer.
--
Paul Winkler http://www.slinkp.com Look! Up in the sky! It's THE SONIC FIGHTER! (random hero from isometric.spaceninja.com)
Me too! We've seen problems with the security settings after syncs. I suspect that the security settings transfer but the proxy settings don't--but that's a guess based on anecdotal evidence.
When we've had a problem it's been too much of a crisis to sit back and figure out exactly what went wrong. Hence the need for a tool to allow us to audit the settings. For a site of any size, just checking the settings by hand is a prodigious job.
On Tue, 26 Aug 2003, Paul Winkler wrote:
> On Tue, Aug 26, 2003 at 10:43:45AM -0700, Dennis Allison wrote:
> > Paul,
> > Thanks for the input. I hope it isn't too big a job...
> > The problem we've seen is that the security settings don't transfer with the object.
> They don't??? Are you using zsyncer or just export / import or what? Either way I'd be disturbed to learn that security settings don't transfer.
> --
> Paul Winkler http://www.slinkp.com Look! Up in the sky! It's THE SONIC FIGHTER! (random hero from isometric.spaceninja.com)
Dennis Allison wrote at 2003-8-26 10:59 -0700:
> Me too! We've seen problems with the security settings after syncs. I suspect that the security settings transfer but the proxy settings don't--but that's a guess based on anecdotal evidence.
It definitely is wrong.
Import/Export uses the same serializing mechanism as the ZODB itself (pickling).
In all these cases, all attributes with the exception of those prefixed with "_p_" or "_v_" are pickled. Security settings (on instances) are implemented as instance attributes starting with "_" but not "_p_" or "_v_".
The problem you (probably) observed must have had a different cause.
Dieter
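The pickling rule described in the message above, combined with the kind of settings audit the thread asks for, as an added example that is not code from Zope, ZSyncer or any poster. The `Node` class, the sample tree, the "Auditor" role and the attribute names (`_View_Permission`, `_proxy_roles`, `__ac_local_roles__`, `_owner`) are assumptions about Zope 2 conventions, not taken from the thread.

```python
import pickle

# Assumed Zope 2 attribute names (not stated in the thread): permission settings
# as _<Name>_Permission, plus local roles, proxy roles and ownership.
EXTRA = {"__ac_local_roles__", "_proxy_roles", "_owner"}

class Node:
    """Stand-in for a persistent object; not Zope's own class."""
    def __init__(self, **attrs):
        self.children = {}
        self.__dict__.update(attrs)

    def __getstate__(self):
        # The rule from the thread: pickle everything except _p_* and _v_*.
        return {k: v for k, v in self.__dict__.items()
                if not k.startswith(("_p_", "_v_"))}

def round_trip(obj):
    """Export/import modelled as a pickle round trip."""
    return pickle.loads(pickle.dumps(obj))

def snapshot(obj, path="/"):
    """Map path -> explicit security attributes, only where some are set."""
    own = {k: v for k, v in obj.__getstate__().items()
           if k in EXTRA or (k.startswith("_") and k.endswith("_Permission"))}
    found = {path: own} if own else {}
    for name, child in sorted(obj.children.items()):
        found.update(snapshot(child, path + name + "/"))
    return found

def diff(src, dst):
    """List (path, attribute, source value, clone value) for every mismatch."""
    out = []
    for path in sorted(set(src) | set(dst)):
        a, b = src.get(path, {}), dst.get(path, {})
        out += [(path, k, a.get(k), b.get(k))
                for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)]
    return out

def build_site():
    """Constructed sample tree with a custom role and a proxy-role setting."""
    root = Node(_View_Permission=["Anonymous"], _v_cache="dropped on pickle")
    reports = root.children["reports"] = Node(_View_Permission=("Manager", "Auditor"))
    reports.children["run"] = Node(_proxy_roles=("Manager",))
    return root

def demo():
    source = build_site()
    clone = round_trip(source)
    del clone.children["reports"].children["run"]._proxy_roles  # constructed drift
    return diff(snapshot(source), snapshot(clone))
```

The snapshot is a plain dictionary keyed by path, so it can be dumped to a text file, reviewed off-line, and compared against a clone that has extra folders without those folders raising false mismatches.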
Does this hold true for XMLRPC transfers as well?
On Wed, 27 Aug 2003, Dieter Maurer wrote:
> Dennis Allison wrote at 2003-8-26 10:59 -0700:
> > Me too! We've seen problems with the security settings after syncs. I suspect that the security settings transfer but the proxy settings don't--but that's a guess based on anecdotal evidence.
> It definitely is wrong.
> Import/Export uses the same serializing mechanism as the ZODB itself (pickling).
> In all these cases, all attributes with the exception of those prefixed with "_p_" or "_v_" are pickled. Security settings (on instances) are implemented as instance attributes starting with "_" but not "_p_" or "_v_".
> The problem you (probably) observed must have had a different cause.
> Dieter
Dennis Allison wrote at 2003-8-27 14:03 -0700:
> Does this hold true for XMLRPC transfers as well?
That depends what the function does which is called by XMLRPC ;-) It would be a world wonder when XMLRPC were able to remove just the security related attributes from the data stream...
> On Wed, 27 Aug 2003, Dieter Maurer wrote:
> > Dennis Allison wrote at 2003-8-26 10:59 -0700:
> > > Me too! We've seen problems with the security settings after syncs. I suspect that the security settings transfer but the proxy settings don't--but that's a guess based on anecdotal evidence.
> > It definitely is wrong.
> > Import/Export uses the same serializing mechanism as the ZODB itself (pickling).
> > In all these cases, all attributes with the exception of those prefixed with "_p_" or "_v_" are pickled. Security settings (on instances) are implemented as instance attributes starting with "_" but not "_p_" or "_v_".
Dieter
I suspect this is too simple to mention, and pardon me if it is. But I assume we are not talking about the fact that the default behavior of Zope on importing a .zexp file is to "Take ownership of all objects"? You do have to select the option to preserve the existing ownership of the files.
Even if you are doing that, it does not seem inconceivable to me that there could be a bug in that mechanism. (???)
Sorry if that was irrelevant, but you never know ...
Cheers,
Terry
--
Terry Hancock ( hancock at anansispaceworks.com ) Anansi Spaceworks http://www.anansispaceworks.com
participants (4): Dennis Allison, Dieter Maurer, Paul Winkler, Terry Hancock