[Zope3-Users] Security Roles and custom authenticators and scarcely-persistent apps (HELP!)

Bernd Dorn zope-mailinglist at mopa.at
Thu Apr 27 00:24:59 EDT 2006


On 27.04.2006, at 02:44, Jeff Shell wrote:

> So I spent the day writing an IAuthenticator utility that loads
> principals out of an RDBMS (via a SQLAlchemy mapper based model). I
> got that working. All I want right now is to have my site,
> 'presenters', have view access restricted to the role
> 'app.Presenters'.
>
> The site is persistent and the authenticator is a local utility. I set
> up the site on load to disallow the 'zope.View' and
> 'zope.app.dublincore.view' (not really needed, I guess, since I'm not
> using dublin core anywhere) for the 'zope.Anonymous' role, and allow
> it for 'app.Presenters' and 'zope.Manager'. It's just a simple /
> blanket security policy, I know. But something similar has been in
> place on the Zope 2 based version of this app for a number of years
> now and has worked fine for this use case.
>
> But.. I have no idea how to do this in Zope 3 land. It took me all day
> to write my authenticator, At the end of the day I saw it working in
> so far as it obviously retrieved a user record out of the database,
> validated the password, and returned a dirt simple principal object. I
> could tell this by the login form giving me a different message this
> time ("you're not allowed to do that operation"). I tried looking at
> the Principal-Role map and... I don't understand it.

just plug your own implementation in

  <adapter
      factory=".your.security.RoleMapImplementation"
      provides="zope.app.securitypolicy.interfaces.IPrincipalRoleMap"
      for=".interfaces.IYourSiteOrSo"
      trusted="true"
      />

just for granting local roles on the site it's enough to implement


> def getRolesForPrincipal(principal_id):
>         """Get the roles granted to a principal.
>
>         Return the list of (role id, setting) assigned or removed from
>         this principal.
>
>         If no roles have been assigned to
>         this principal, then the empty list is returned.
>         """

but you have to set your authenticator somewhere, so that you can see if the principal is from your authenticator by comparing ids

an example from an application which I wrote, it assigns roles to home folders

# imports as they were laid out in the Zope 3.2-era packages (the ZCML
# above already names zope.app.securitypolicy.interfaces.IPrincipalRoleMap)
from zope.interface import implements
from zope.component import getUtility
from zope.app.authentication.interfaces import IAuthenticatorPlugin
from zope.app.securitypolicy.interfaces import IPrincipalRoleMap
from zope.app.security.settings import Allow

_marker = object()

class HomeFolderPrincipalRoleMap(object):
    """Mappings between principals and roles."""

    implements(IPrincipalRoleMap)

    def __init__(self, context):
        self.context = context
        # name of the authenticator plugin configured two levels up from the
        # home folder; empty/None means no plugin has been set
        authName = self.context.__parent__.__parent__.authenticator
        if authName:
            auth = getUtility(IAuthenticatorPlugin, authName)
            authPrefix = auth.principalIdPrefix
            # principal ids are built as PAU prefix + plugin prefix + name,
            # so this prefix identifies principals coming from that plugin
            self._prefix = auth.__parent__.prefix + authPrefix
        else:
            self._prefix = _marker

    def getPrincipalsForRole(self, role_id):
        raise NotImplementedError

    def getSetting(self, role_id, principal_id):
        raise NotImplementedError

    def getPrincipalsAndRoles(self):
        raise NotImplementedError

    def getRolesForPrincipal(self, principal_id):
        """Get the roles granted to a principal.

        Return the list of (role id, setting) assigned or removed from
        this principal.

        If no roles have been assigned to
        this principal, then the empty list is returned.
        """
        if self._prefix == _marker:
            return []
        # not one of ours: return nothing so higher-level grants still apply
        if not principal_id.startswith(self._prefix):
            return []
        name = principal_id[len(self._prefix):]
        # the owner of a home folder is the principal whose name matches it
        if name == self.context.__name__:
            return [('fhvao.HomeFolderOwner', Allow)]
        return []

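As an added example, not from this thread or from Zope itself, here is the site-wide variant Jeff asks for: a role map keyed on the principal-id prefix that grants 'app.Presenters' to every principal from one authenticator plugin. It runs stand-alone, with Allow/Unset as stand-ins for the Zope settings constants and constructed prefixes 'presenters.'/'rdbms.' in place of the real PAU and plugin objects.

```python
# Added example, not code from the thread or from Zope. Allow/Unset stand in
# for zope.app.security.settings; the prefixes are constructed sample values.
Allow = "Allow"
Unset = "Unset"


class PresentersRoleMap(object):
    """IPrincipalRoleMap-style adapter for the 'presenters' site (hypothetical)."""

    role_id = "app.Presenters"

    def __init__(self, pau_prefix, plugin_prefix):
        # A PAU issues ids as pau.prefix + plugin.prefix + name, so the joined
        # prefix identifies principals from our RDBMS plugin and nothing else.
        self._prefix = pau_prefix + plugin_prefix

    def _is_ours(self, principal_id):
        return (principal_id.startswith(self._prefix)
                and len(principal_id) > len(self._prefix))

    def getRolesForPrincipal(self, principal_id):
        if self._is_ours(principal_id):
            return [(self.role_id, Allow)]
        return []  # others (e.g. zope.manager): defer to higher/global grants

    def getSetting(self, role_id, principal_id):
        if role_id == self.role_id and self._is_ours(principal_id):
            return Allow
        return Unset  # Unset rather than Deny, so nothing above us is blocked

    def getPrincipalsForRole(self, role_id):
        # Principals live in the RDBMS; enumerating them is not supported here.
        raise NotImplementedError

    def getPrincipalsAndRoles(self):
        raise NotImplementedError


if __name__ == "__main__":
    rmap = PresentersRoleMap("presenters.", "rdbms.")
    print(rmap.getRolesForPrincipal("presenters.rdbms.jeff"))  # [('app.Presenters', 'Allow')]
    print(rmap.getRolesForPrincipal("zope.manager"))  # []
```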
> It's very
> annotations oriented (the default implementation storing data in some
> internal table-like structure). I, obviously, don't have annotations
> going on right now. The hard thing is that I can't even figure out at
> first glance what the different security manager adapters
> (PrincipalRole, RolePermission, etc) are meant to adapt - a principal?
> an object? a site? I'm not sure how much of the interface I have to
> provide, what I should have it adapt (my Site object, I'm guessing?),
> and so on.
>
> All I want to say is "every user returned from this authenticator has
> the view access for this site".
>
> I'm not sure which of these I have to fill in. I'm not wanting to
> assign every principal coming out of the RDBMS a role mapped in the
> ZODB - so do I have to straddle both ZODB and RDBMS worlds here?
> "Mappings between principals and roles" - where? A local object?
> Globally? Do the answers have to include all answers from higher up
> the tree if there's anything? Global settings? Am I looking at the
> wrong thing?
>
> class IPrincipalRoleMap(Interface):
>     """Mappings between principals and roles."""
>
>     def getPrincipalsForRole(role_id):
>         """Get the principals that have been granted a role.
>
>         Return the list of (principal id, setting) who have been assigned or
>         removed from a role.
>
>         If no principals have been assigned this role,
>         then the empty list is returned.
>         """
>
>     def getRolesForPrincipal(principal_id):
>         """Get the roles granted to a principal.
>
>         Return the list of (role id, setting) assigned or removed from
>         this principal.
>
>         If no roles have been assigned to
>         this principal, then the empty list is returned.
>         """
>
>     def getSetting(role_id, principal_id):
>         """Return the setting for this principal, role combination
>         """
>
>     def getPrincipalsAndRoles():
>         """Get all settings.
>
>         Return all the principal/role combinations along with the
>         setting for each combination as a sequence of tuples with the
>         role id, principal id, and setting, in that order.
>         """
>
>
> --
> Jeff Shell
