I certainly hope this isn't where TurboGears is going - when it does
that why not just call itself Zope3 2? If this is the eventual plan,
I would say make it entirely optional - and certainly don't make it
xml. If people wanted to play with config files they'd do java web
development :)
> Like I said earlier, I haven't delved into the inner workings of the
> identity system, but it seems that, at least for the user (TG app developer)
> this would allow the use of a config file for authorization data without
> having to relearn a whole new system.
It seems like a useful use case at first glance - but do you really
want someone who doesn't understand how the system works setting the
security on it?
I think that the security should really be done by the developer. The
idea that an admin can sit down in front of a foreign system and start
reassigning permissions is not realistic.
--
cheers
elvelind grandin
More on the web based Identity manager. If it is created then that
tool can then be integrated into other Turbogears based projects that
need a users/groups/permissions system and want a web interface to it.
Things like photo galleries, forums, CMS packages all need a good web
based system for this. It would be valuable if each developer would
not have to reinvent this wheel.
> I've seen mentioned several times on this list that an eventual goal of the
> identity system in TurboGears is to be able to specify the required groups,
> permissions, etc. for access to a resource in a config file. This would
> allow an administrator, rather than a developer, to set security policy. I
> have not seen any ideas on how this would actually work, though. Is anyone
> actively working on this? In case the answer is no, here are some ideas
> that I just had...
I believe that the configuration file for parts of the code will be there only
when FirstClass arrive (WSGI version of TG)...
--
Jorge Godoy <jgo...@gmail.com>
> I certainly hope this isn't where TurboGears is going - when it does
> that why not just call itself Zope3 2? If this is the eventual plan,
> I would say make it entirely optional - and certainly don't make it
> xml. If people wanted to play with config files they'd do java web
> development :)
Unfortunately, as of today, if you want to let your clients free to define
permissions and access restrictions you have to edit the code (or let them do
it).
I prefer users editing config files (for which I can easily make a web
interface...) rather than code.
> It seems like a useful use case at first glance - but do you really
> want someone who doesn't understand how the system works setting the
> security on it?
Sometimes yes. Specially when you group functionalities and they are your
client's business, not yours. Imagine that you deployed your application and
two years later your client says: "Now we have a new management function on
the company that needs full access to finance data, no access to technical
data, etc.". Why wasn't he able to define that by saying something like:
[finance]
read = ..., new_group
write = ..., new_group
delete = ..., new_group
update = ..., new_group
? Easier than you having to go there (where is "there"? in the other office?
another city? another country?) to do that. After all, after two years you'll
want to take a look at your client and see how the system is solving their
problems, what else you can sell them, etc.
> I think that the security should really be done by the developer. The
> idea that an admin can sit down in front of a foreign system and start
> reassigning permissions is not realistic.
It happens on several CMSs and several ERPs. I believe it works.
--
Jorge Godoy <jgo...@gmail.com>
> I have to somewhat agree with Paul. Setting the permissions for the
> system is the developers jobb not the admins. The admins handles the
> users and adds them to the correct groups depending on what their
> permissions should be.
And what about commercial systems? You'll tell your client that he's tied to
you to a simple task as that of saying who can and who can't access what? I
mean, he'll have to pay your hourly costs for this task all the time something
changes? And he'll have to "rethink" if the existing permissions apply always
when he hires a new employee? (Remember: he'll want to avoid costs with that,
so security *will be* sub-optimum...)
--
Jorge Godoy <jgo...@gmail.com>
> Would it not be easier to have the information to be stored in the
> database and create and some kind of "Users and Groups" tool for the
> toolbox? The text based config file would work on some level, but with
> the database you would keep the permissions with the data they are
> protecting/controlling. So that any back up of the database will also
> take the proper permissions with it.
I've been thinking about that as well... But the best thing with that is that
you could define some kind of grouping for your classes and methods and
protect them as a whole. Or you could simply classify all of your methods
with a description (from the docstring? updated automatically?) on the
database so that people have 100% granularity there.
> More on the web based Identity manager. If it is created then that
> tool can then be integrated into other Turbogears based projects that
> need a users/groups/permissions system and want a web interface to it.
> Things like photo galleries, forums, CMS packages all need a good web
> based system for this. It would be valuable if each developer would
> not have to reinvent this wheel.
Maybe, as mentioned before, some callables to get those information are
enough. Then you'd just have to apply your decorators with such callables.
No more work than you do today and your callables code is 100% reusable (and
could become a product by itself, a kind of "plugin").
--
Jorge Godoy <jgo...@gmail.com>
I agree with Jorge here. The security policy should be the
administrator's responsibility, not the developers. For example, in
unix (be it plain ol' PAM or a fancy ACL system like SELinux) no line
of code needs to be written to change the permissions or capabilities
of a given user, just use the system tools for the job which any
sysadmin can do.
My 2c, Alberto
--
cheers
elvelind grandin
> Perhaps this depends some on how you set up the groups and permissions
> to start with. I never give any specific user access to anything.
> Every permission is bound to a group. So that the users permission
> just depends on which groups they are part of.
I do the same. But even so, you are hardcoding groups. And if you need an
extra group for a new situation you didn't have while you developed the
application, you're again needing to edit code.
--
Jorge Godoy <jgo...@gmail.com>
You can simply set 'permissions' on each method/resource (in the code).
Then if the client has a 'new' role to fill, they can (through a
catwalk like facility) simply create a new group with the needed
permissions.
This is how Zope 2's security model works and it has been used to make
countless CMS systems :) (and a few ERPs as well).
What do you think?
Configuration will certainly be a little different in FirstClass
(focusing more on application-oriented config, rather than
path-oriented config).
Identity, as it is today, is very simple to use, and that's a good
place to start. What I'd be interested in seeing later is an
incorporation of RuleDispatch, which will allow much more arbitrary
collections of rules to determine what people can access -- going well
beyond just users and groups. ("Group A can access this resource
Monday-Friday only")
I don't have an immediate use case for this myself, but if someone
does we can certainly talk about it.
Kevin
And if you need an
extra group for a new situation you didn't have while you developed the
application, you're again needing to edit code.