[Zope3-dev] proposal: allow contained PAU plugins

Jim Fulton jim at zope.com
Sat Jan 14 09:17:02 EST 2006


Gary Poster wrote:
> 
> On Jan 13, 2006, at 6:34 PM, Roger Ineichen wrote:
> 
>> Hi Gary
> 
> 
> Hey Roger
> 
>>
>> [...]
>>
>> All arguments are Ok for me.
> 
> 
> Cool.
> 
>> But I think the PAU at all is too complex
>> and this would not change.
>>
>> Do we really need such a complex authentication module in z3?
> 
> 
> Well, I know it has come in handy for us.  Also, though YMMV, I find it
> actually much simpler to understand than the Zope 2 PAS--which was also
> developed because ZC needed the flexibility.  Jim, and then Garrett, I
> understand, have tried to make the Z3 PAU as streamlined as possible.

Note that there were earlier similar architectures.

I do think there is a place for a simpler authentication utility,
either as a separate implementation or as a canned configuration of PA.

>> What does this mean to the queriable sources and their API?
> 
> 
> I assume you mean, what does my proposed change mean there.  Not much,
> as far as I can tell.  The getQueriables method on the authentication
> utility would use the new approach to get the authenticator plugins,
> but nothing much would change for the queriables (unless a queriable
> *wanted* to act differently when it got a plugin found via containment,
> I suppose).
> 
>> A long time ago I was improving the grant form in z3 and implemented
>> a grant vocabulary based on queriable sources. All I can say
>> about that part is, it's too complex and hard to develop with.
> 
> 
> Yes, we didn't bother with the PAU queriable source pattern but did a
> much simpler, less flexible, but more practical one still using the PAU
> data.  There might not be a good one-size-fits-all approach to the
> problem.

This is a tough area.  IMO, most applications are well served by either:

- selections of principals from a small list, or,

- when the number of principals is large, a simple string search.

The initial IAuthentication interface reflected this reality.

Rare applications need much more.  We've had large enterprise customers
that wanted sophisticated structured principal searches based on their
custom LDAP schemas.  The search complexity introduced into the PA was
to satisfy this need.  I think this was a mistake.  I think that these
IMO rare applications would be better served by custom application code
that meets their needs, typically directly accessing a specialized plugin.
This *was* the pattern used in our applications that needed this and used
Zope 2's PAS.

IMO, the default "standard" principal search API should use simple string
search.  I expect that we'll be releasing our simple string search
framework soon as part of our "Sharing" authentication system, which provides
a much simpler UI for managing security. (I'm gonna try to get this released
before the end of the month.)

Jim

-- 
Jim Fulton           mailto:jim at zope.com       Python Powered!
CTO                  (540) 361-1714            http://www.python.org
Zope Corporation     http://www.zope.com       http://www.zope.org

