[ZODB-Dev] ZEO and Security

Andrew Kuchling akuchlin@mems-exchange.org
Mon, 7 May 2001 11:52:16 -0400


On Sun, May 06, 2001 at 10:38:23PM -0600, Bill Anderson wrote:
>So far, the only thoughts (well, those that didn't die upon birth
>anyway) I have involve doing something like putting much of the code into
>the ZODB, as in "Script (Python)"- type objects, and have the clients
>call them, almost like an rpc-ish server. But that just feels
>restricting, too restricting.

I don't see how this would help.  The ZODB provides a very close match
to Python's object model, and Python's model provides no such
security.  Additional controls could be added for connecting to a ZEO
server (a password; host-based access control; using SSL) but once
connected it's hard to see how ZODB/ZEO could control what you do to
objects.  If clients really aren't trusted, you should provide a
restricted interface for their use, probably through some RPC-ish
mechanism as you suggest.

--amk
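The restricted, RPC-style interface recommended in the reply above, sketched as an added example in Python; it is not code from this thread or from the ZODB/ZEO project. The accounts, the principal type and the in-memory dict standing in for the ZODB root are constructed for illustration (assumptions, not from the page); in a real deployment only this facade process would hold the ZEO connection, and the clients would never talk to ZEO at all. The point it demonstrates is the one AMK makes: once the client is past the connection-level controls (password, host ACL, SSL), the only place left to enforce policy is a narrow, named set of operations, so the facade dispatches by table lookup rather than by `getattr` and never returns a persistent object to the caller.

```python
"""Restricted RPC facade in front of an object store.

Added example, not code from the ZODB/ZEO project or from this thread.
The store below is a plain in-memory dict standing in for a ZODB root
object so the example runs offline; a real deployment would open a ZEO
ClientStorage here instead, and only this process (not the untrusted
clients) would hold that connection.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when a principal asks for something outside its rights."""


@dataclass
class Account:
    owner: str
    balance: int = 0
    notes: list = field(default_factory=list)


@dataclass(frozen=True)
class Principal:
    """Identity established by the transport (password, SSL client cert, ...)."""
    name: str
    roles: frozenset


# Constructed sample "database root" (hypothetical accounts, not from the page).
ROOT = {
    "acct-1": Account(owner="alice", balance=100),
    "acct-2": Account(owner="bob", balance=50),
}

# The only operations a remote client may name: method -> (required role, handler).
# Dispatch is a table lookup, never getattr() on the store, so a client cannot
# reach arbitrary attributes or methods of the persistent objects.
OPERATIONS = {}


def operation(name, role):
    def register(fn):
        OPERATIONS[name] = (role, fn)
        return fn
    return register


@operation("get_balance", role="user")
def get_balance(principal, acct_id):
    acct = ROOT[acct_id]
    if acct.owner != principal.name and "auditor" not in principal.roles:
        raise Forbidden(f"{principal.name} may not read {acct_id}")
    return acct.balance


@operation("add_note", role="user")
def add_note(principal, acct_id, text):
    acct = ROOT[acct_id]
    if acct.owner != principal.name:
        raise Forbidden(f"{principal.name} may not annotate {acct_id}")
    if not isinstance(text, str) or len(text) > 200:   # validate client-supplied data
        raise ValueError("note must be a string of at most 200 characters")
    acct.notes.append(text)
    return len(acct.notes)


@operation("transfer", role="user")
def transfer(principal, src_id, dst_id, amount):
    src, dst = ROOT[src_id], ROOT[dst_id]
    if src.owner != principal.name:
        raise Forbidden(f"{principal.name} may not debit {src_id}")
    if (isinstance(amount, bool) or not isinstance(amount, int)
            or amount <= 0 or amount > src.balance):
        raise ValueError("amount must be a positive integer not above the balance")
    src.balance -= amount
    dst.balance += amount
    return src.balance, dst.balance


def dispatch(principal, method, *args):
    """Single entry point the transport layer calls; everything else is private."""
    if method not in OPERATIONS:
        raise Forbidden(f"unknown operation {method!r}")
    role, handler = OPERATIONS[method]
    if role not in principal.roles:
        raise Forbidden(f"{method} requires role {role!r}")
    return handler(principal, *args)


def handle_request(principal, method, args):
    """Wire-level wrapper: turns exceptions into an error reply instead of
    leaking a traceback, and never hands the caller a persistent object."""
    try:
        return {"ok": True, "result": dispatch(principal, method, *args)}
    except (Forbidden, ValueError, KeyError, TypeError) as exc:
        return {"ok": False, "error": f"{type(exc).__name__}: {exc}"}


if __name__ == "__main__":
    alice = Principal("alice", frozenset({"user"}))
    print(handle_request(alice, "get_balance", ["acct-1"]))
    print(handle_request(alice, "get_balance", ["acct-2"]))
    print(handle_request(alice, "__setitem__", ["acct-2", None]))
    print(handle_request(alice, "transfer", ["acct-1", "acct-2", 30]))
```

`handle_request` is what an XML-RPC or similar transport would wrap; the transport is responsible only for authenticating the connection and producing a `Principal`, while every authorization and validation decision lives in the handlers. Note that a method name like `__setitem__` is simply an unknown operation here, which is exactly the property a raw ZEO connection cannot give you.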