[ZODB-Dev] ZEO and Security
Jim Fulton
jim@digicool.com
Tue, 08 May 2001 05:46:52 -0400
Bill Anderson wrote:
>
(snip)
> It occurs to me that in the zrpc may be _one_ place to put at least a
> ZEO Client authentication. If it was done such that one could use a
> basic authentication token, rather like a license key, you could at
> least get basic auth, such that the client is authenticated to connect.
I think I've been too terse. I'll expand a little. A ZEO/ZODB security
model would need (at least) two things:

- A mechanism for authenticating connections. I agree that this
  is something that ZEO should be involved with. This should use
  some proven 3rd party crypto mechanism. This could, as a minimum,
  provide a very coarse-grained security, in that you could assure
  that only trusted clients connected.

- An authorization model that controlled access to individual objects
  (really object ids and records). This control would have to be pretty
  coarse, maybe controlling read, write, and security-setting
  operations. I suggest that this might be thought of as a storage
  plug-in of some kind. Maybe it's a special storage, or maybe it's
  something that wraps a standard storage, sitting between the storage
  server and some standard storage.

(snip)
> Anyway, it seems that if the estimated timeframe for a "SecureZEO" is
> this fall, now would be a good time to start generating and discussing
> ideas. Perhaps with that, some of us could start toying with various
> ideas.
I have no estimated time frame, as I (or DC) are not working on it. :)
While I think that this is a worthwhile project, DC has higher priorities
at this time. Fortunately, this *is* an open-source project, so we need
not be a bottleneck. :)
Jim
--
Jim Fulton mailto:jim@digicool.com Python Powered!
Technical Director (888) 344-4332 http://www.python.org
Digital Creations http://www.digicool.com http://www.zope.org
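
The second point in the message above (something that wraps a standard storage and controls read, write and security-setting operations per object id) can be sketched as follows. This is an added example, not part of the original post and not ZEO or ZODB code: every class, method and permission name is hypothetical, the dict-backed storage is a stand-in, and the `principal` argument is assumed to come from an already authenticated connection.

```python
# Added sketch: hypothetical names throughout, not ZEO/ZODB's API.
READ, WRITE, SET_SECURITY = "read", "write", "set_security"
ALL = frozenset({READ, WRITE, SET_SECURITY})


class Unauthorized(Exception):
    """A principal lacks the permission needed for an object id."""

class DictStorage:
    """Stand-in for a standard storage: oid -> record bytes."""

    def __init__(self):
        self.records = {}

    def load(self, oid):
        return self.records[oid]

    def store(self, oid, data):
        self.records[oid] = data


class AuthorizingStorage:
    """Sits between the storage server and a storage; denies by default."""

    def __init__(self, storage, owners):
        self._storage = storage
        # (oid, principal) -> permissions; owners seeds the initial grants.
        self._acl = {(oid, who): set(ALL) for oid, who in owners.items()}

    def _check(self, principal, oid, permission):
        if permission not in self._acl.get((oid, principal), ()):
            raise Unauthorized(f"{principal} may not {permission} {oid!r}")

    def load(self, principal, oid):
        self._check(principal, oid, READ)
        return self._storage.load(oid)

    def store(self, principal, oid, data):
        self._check(principal, oid, WRITE)
        self._storage.store(oid, data)

    def set_permissions(self, principal, oid, target, permissions):
        # Changing access is itself a controlled, security-setting operation.
        self._check(principal, oid, SET_SECURITY)
        self._acl[(oid, target)] = set(permissions) & ALL
```

Because the check happens in the wrapper, the wrapped storage needs no knowledge of principals, and any (oid, principal) pair without an explicit grant is refused.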