[Zope3-dev] proposal: allow contained PAU plugins
Jim Fulton
jim at zope.com
Sat Jan 14 09:17:02 EST 2006
Gary Poster wrote:
>
> On Jan 13, 2006, at 6:34 PM, Roger Ineichen wrote:
>
>> Hi Gary
>
>
> Hey Roger
>
>>
>> [...]
>>
>> All arguments are Ok for me.
>
>
> Cool.
>
>> But I think the PAU at all is too complex
>> and this would not change.
>>
>> Do we really need such a complex authentication module in z3?
>
>
> Well, I know it has come in handy for us. Also, though YMMV, I find it
> actually much simpler to understand than the Zope 2 PAS--which was also
> developed because ZC needed the flexibility. Jim, and then Garrett, I
> understand, have tried to make the Z3 PAU as streamlined as possible.
Note that there were earlier similar architectures.
I do think there is a place for a simpler authentication utility,
either as a separate implementation or as a canned configuration of PA.
>> What does this mean to the queriable sources and their API?
>
>
> I assume you mean, what does my proposed change mean there. Not much,
> as far as I can tell. The getQueriables method on the authentication
> utility would use the new approach to get the authenticator plugins,
> but nothing much would change for the queriables (unless a queriable
> *wanted* to act differently when it got a plugin found via containment,
> I suppose).
>
>> A long time ago I was improving the grant form in z3 and implemented
>> a grant vocabulary based on queriable sources. All I can say
>> about that part is, it's too complex and hard to develop with.
>
>
> Yes, we didn't bother with the PAU queriable source pattern but did a
> much simpler, less flexible, but more practical one still using the PAU
> data. There might not be a good one-size-fits-all approach to the
> problem.
This is a tough area. IMO, most applications are well served by either:
- selections of principals from a small list, or,
- when the number of principals is large, a simple string search.
The initial IAuthentication interface reflected this reality.
Rare applications need much more. We've had large enterprise customers
that wanted sophisticated structured principal searches based on their
custom LDAP schemas. The search complexity introduced into the PA was
to satisfy this need. I think this was a mistake. I think that these
IMO rare applications would be better served by custom application code
that meets their needs, typically directly accessing a specialized plugin.
This *was* the pattern used in our applications that needed this and used
Zope 2's PAS.
IMO, the default "standard" principal search API should use simple string
search. I expect that we'll be releasing our simple string search
framework soon as part of our "Sharing" authentication system, which provides
a much simpler UI for managing security. (I'm gonna try to get this released
before the end of the month.)
Jim
--
Jim Fulton mailto:jim at zope.com Python Powered!
CTO (540) 361-1714 http://www.python.org
Zope Corporation http://www.zope.com http://www.zope.org