[ZODB-Dev] RFC: Proposal for AuthZEO (was SecureZEO one day)

Jeremy Hylton jeremy@zope.com (Jeremy Hylton)
Fri, 17 Jan 2003 16:28:05 -0500


Here are a few brief comments on the RFC.  I'll be happy to flesh out
more next week.

We have a new configuration mechanism for ZODB and ZEO that is checked
into CVS.  The authentication mechanism should be integrated with it.
In particular, that means its options should be added to the ZEO
schema.  The easiest way to integrate is to add extra options to the
StorageServer constructor.  No one really calls that from Python code
anyway, so it doesn't matter how many arguments it takes.

The addition of authentication probably affects the protocol
negotiation, although I'm not sure how.

I think the authentication belongs in testConnection(), because it has
to happen before register().

I wonder if the basic protocol should be extended with something like
HMAC to prevent the connection hijacking that you mention.
I'd have to think about this more to know.

I think the new authentication code should go in a separate module
(use a lowercase name like in zodb4).  We should design it to be
pluggable via configuration.

Jeremy
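
An added illustration of the per-message HMAC idea raised above, not code from the original message or from ZEO: each length-prefixed frame carries an HMAC-SHA256 over a direction label, an implicit sequence number and the payload, so a frame that is altered, replayed or injected after the TCP connection has been taken over fails verification. The session key (assumed to be agreed during authentication), the frame layout and the names `MacChannel` and `FrameError` are assumptions.

```python
import hashlib
import hmac
import struct

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


class FrameError(Exception):
    """Raised when a frame is malformed or fails MAC verification."""


class MacChannel:
    """One direction of a connection; wire format is length || payload || MAC.

    Hypothetical design: session_key is assumed to come out of the
    authentication step and to be known only to client and server.
    """

    def __init__(self, session_key: bytes, direction: bytes):
        self._key = session_key
        self._direction = direction  # fixed-size label, stops reflection
        self._seq = 0                # implicit counter, never sent on the wire

    def _mac(self, payload: bytes) -> bytes:
        msg = self._direction + struct.pack(">Q", self._seq) + payload
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def seal(self, payload: bytes) -> bytes:
        """Frame an outgoing payload and advance the send counter."""
        frame = struct.pack(">I", len(payload)) + payload + self._mac(payload)
        self._seq += 1
        return frame

    def verify(self, frame: bytes) -> bytes:
        """Return the payload, or raise FrameError without advancing state."""
        if len(frame) < 4 + MAC_LEN:
            raise FrameError("truncated frame")
        (size,) = struct.unpack(">I", frame[:4])
        if len(frame) != 4 + size + MAC_LEN:
            raise FrameError("length field does not match frame size")
        payload, tag = frame[4:4 + size], frame[4 + size:]
        # Constant-time comparison; the expected MAC binds the next sequence
        # number, so a replayed or reordered frame fails here as well.
        if not hmac.compare_digest(tag, self._mac(payload)):
            raise FrameError("bad MAC: altered, replayed or injected frame")
        self._seq += 1
        return payload
```

Each side would hold two such objects, one per direction, and drop the connection on the first `FrameError`.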