[Zope-PAS] First cut at PAS for Zope 3

Jim Fulton jim at zope.com
Tue Oct 5 08:08:35 EDT 2004 

Mark Hammond wrote:
>>See in particular:
>>
>>
>>http://svn.zope.org/Zope3/trunk/src/zope/app/pas/interfaces.py
>>?view=markup
>>
>>http://svn.zope.org/Zope3/trunk/src/zope/app/pas/README.txt?vi
>>ew=markup
> 
> 
> That's very interesting.  I've some general queries:
> 
> """
> PAS prefixes
> ============
> 
> Principal ids are required to be unique system wide.
> """
> 
> Consider a plugin which uses an external user store - eg, LDAP, and a site
> with multiple PAS folders where each folder contains a mythical LDAP plugin.

Hopefully, this won't be mythical after the sprint next week. :)

> Each of these PAS plugins is configured to use the same underlying LDAP
> store.

Why would you use multiple PAS instances in this case?

> If the LDAP plugin knew a globally unique ID for the user (as provided by
> the external LDAP store), would it be able to use that ID as a principal ID?

Yes, but you would have to use empty prefixes for each of the PAS instances.

> Can we re-use this ID for better integration with the underlying store?

Not sure what that means. IDs are required to be unicode strings.  Beyond
that, it's up to the plugin to decide what the ids are.

> Regarding usernames and IDs in general:

I don't know what a user name is. (See below)

> Is it possible to tighten up the semantics of the "username?"  The way I see
> it, we have 3 distinct id/name attributes for a user:
> * The principal_id - should be considered a 'handle'

Yup

 > and never directly seen
> by the user.

That's a policy decision, but usually this should be the case.

> * The login_name - the name they type into a login box along with their
> password.

Yup. Of course, that's up to the plugin.  There might be
systems that don't use login names, or that use more than one.
(I use a system that uses two login names, one a company name, and
the other a company-specific user name.)

The login name is just a form of credentials, and credentials are
details of plugins.

> * Their name, as it should be displayed (display name)

Yup, though, again, it's up to the plugin or the application to keep this
or other information about principals.

> However, the semantics are not at all clear to me.  principal IDs must be
> unique system wide. 

Perhaps that's because the Zope 3 framework *only* defines principal ids.
Anything else is up to plugins (and the application).

 > Presumably 'login_names' need only be unique "PAS wide"
> (ie, unique to a PAS instance).

PAS doesn't give a hoot about login names.  Presumably, credentials should be
unique system wide, but login names (if used) are only one component of credentials.

> Currently we have "getId()" and "getUserName()", but its not at all clear if
> "UserName" is intended to be the "login" name, or the user "display" name.

Not in Zope 3. ;)

Sigh, this was spelled out in an interface wiki a long time ago, but
that information was lost (for Zope 2). Zope 3, of course, spells this
sort of thing out using interfaces.

> Can anyone tell me the intent of these?  Should they be formalized?

I think your guess is probably right, and *yes* this should be formalized
for Zope 2.

Jim

-- 
Jim Fulton           mailto:jim at zope.com       Python Powered!
CTO                  (540) 361-1714            http://www.python.org
Zope Corporation     http://www.zope.com       http://www.zope.org

More information about the Zope-PAS mailing list