I've recently begun to factor out an implementation of PEAK security
I had made for an application that required something more powerful
than the Identity system TG currently provides (at the expense of
Identity's simplicity & ease of use). I had planned to polish it a
bit more before officially announcing it, but I've decided to follow the
"release rapidly, release often" principle.
I've ported the basic functionality I use in the app it came from.
This is:
* A CP filter that checks permissions along the object trail.
* A base AuthService to provide authentication (can be easily
  adapted to delegate to Identity). Needs to be extended to do the real
  work...
* A literal rip-off of PEAK's binding API to assign metadata
  (permissions, roles, context...) to classes and attributes.
* Another rip-off of PEAK's security rules enhanced with
  Simon's generic functions (allows override of autogenerated rules)
* A permission factory to generate permission classes.
* Misc utils and helper functions.
I've decided to copy what's needed from PEAK's core to avoid
depending on the whole package, I hope it's been a wise decision...
Right now there are no docs apart from unittests and docstrings.
There is also a sample app that implements a very basic AuthService
and some rule auto-generation. Reading
http://peak.telecommunity.com/DevCenter/SecurityRules is a must,
http://peak.telecommunity.com/DevCenter/ShortIntroPeakSecurity can
help clarify some points.
It's a normal egg with entry_points defined for
"turbogears.extensions" and has no extra dependencies that TG doesn't
have already. A minimum of TG 0.9a4 is required as it depends on
MultiOrderFunction.
You need to define some config parameters to enable and initialize
it. The sample project shows how.
I plan to write a compatibility layer to delegate authentication to
identity, though I'll greatly appreciate some work in this area if
there's a genuine interest in integrating this more closely with TG,
mainly because I'm not using it myself so I haven't got a real use
case to motivate me.
There is a (out-of-the-box, bare-bones) Trac at:
http://trac.toscat.net/TurboPeakSecurity/
The subversion repository is at:
http://svn.toscat.net/TurboPeakSecurity/trunk
And a sample application at:
http://svn.toscat.net/TurboPeakSecurity/tptest
Comments, criticisms, suggestions, etc... are greatly appreciated.
Contributors even more, especially the generic function and Identity
gurus around here (you know who you are ;)
Hope someone finds this useful.
Alberto
Only thing I don't like is you are copying PEAK instead of linking it.
You really should reconsider it.
Cheers,
Simon
>
> Super cool!
>
> Only thing I don't like is you are copying PEAK instead of linking it.
> You really should reconsider it.
Yep, it's something I'm really feeling uneasy about... The original
implementation linked to it, I decided to copy it for the opensourced
version to avoid extra dependencies for current TG users.
The problem is that the only components of PEAK that are currently
needed (besides RuleDispatch which is already packaged separately)
are 'binding' and 'security' which I estimate to be a 5% of the whole
package.
TPS's version of 'security' already overrides 'hasPermission' with
your MultiOrderFunction so this is not much of a problem (though
that's what inheritance is all about). binding is a literal
"copy&paste" and could really link to the original.
I'd probably retract from this and live with the extra dep. (which I
have already in my machines).. probably whoever needs this also needs
other parts of PEAK so I realize it wasn't that wise of a decision :/
I'll be changing this soon...
Regards,
Alberto
Maybe ask PJE if he would be willing to repackage PEAK a bit.
Cheers,
Simon
> Maybe ask PJE if he would be willing to repackage PEAK a bit.
This would be great, however, I'd rather wait until TPS matures a bit
more before wasting his time. For the moment I'll repackage it as soon
as I can spare some time to depend on PEAK again. I might take some
other features it has (interfaces) so better wait until I/we can see
what is not needed (peak.web sure we don't ;)
Regards,
Alberto