[Zope-PAS] Re: PluggableAuthService question about roles
tseaver at palladion.com
Mon Apr 2 22:21:21 EDT 2007
Thomas Bennett wrote:
> I have installed the following:
> Zope Version (Zope 2.9.7-final, python 2.4.4, linux2)
> Python Version 2.4.4 (#1, Oct 23 2006, 13:58:00)
> [GCC 4.1.1 20061011 (Red Hat 4.1.1-30)]
> System Platform linux2
> SOFTWARE_HOME /var/zope/lib/python
> ZOPE_HOME /var/zope
> INSTANCE_HOME /var/zope
> CLIENT_HOME /var/zope/var
> Network Services ZServer.HTTPServer.zhttp_server (Port: 8086)
> ZServer.HTTPServer.zwebdav_server (Port: 9800)
> I'm using Zeo storage with this.
> The main problem is my understanding of roles with my new setup.
> I am moving from a Zope 2.6.1 setup to the setup shown above. I've already
> added some Products to my INSTANCE_HOME/Products directory including Plone
> which includes the PluggableAuthService folder. I installed a Plone site for
> testing and deleted it.
> It appears that PAS has taken over my root acl_users folder, or is this now a
> default in 2.9?
The installer for a 'Plone Site' replaces the root acl_users with a PAS:
I've argued that this is poor practice (inexcusably rude, actually),
but they seem determined to continue it.
> Now I can only add users from the ZODB User Manager under /acl_users/users,
> there is nowhere to add a user from an Add button as in the older version of
Correct. In PAS, there are actually potentially multiple user sources
(e.g., SQL, LDAP, NTLM, etc.). Adding them to the 'ZODB users' plugin
is the "cognate" of the old "Add" button.
> I can add roles from ZODB Role Manager in /acl_users/roles but these roles
> don't show up under the Security tab on any page. I can add local roles
> under the Security tab and they don't show up in /acl_users/roles.
Correct. The roles in the PAS plugin are used to control "global"
grants to the users; the roles you set on a folder (even the root), are
about "local" grants.
> I have searched and can find little to no documentation on use or difference
> in the two authentication methods. Where can I find more information on
> roles in 2.9.7 and use in this situation?
In general, I would avoid defining any new "global" roles in PAS, or
even granting the existing ones as "global" roles. Rather, I advise
treating *all* grants as "local", even if that means setting them on the
> Is this normal behavior and if so how can I synchronize roles between the
> Security tab and /acl_users/roles or is it not possible?
I would just avoid the role plugin altogether.
> Am still searching the WEB and archives in the meantime.
The better list for this would be zope-pas at lists.zope.org (CC'ed), which
deals with PAS specifics.
Tres Seaver +1 540-429-0999 tseaver at palladion.com
Palladion Software "Excellence by Design" http://palladion.com
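
The distinction drawn in the reply above between "global" grants from the PAS role plugin and "local" grants set on a folder, as an added example that is not part of the original message and is not Zope or PAS code. It is a simplified model: every class, function, user and folder name is hypothetical, and it assumes a local grant on a folder also applies to the folders it contains.

```python
# Simplified model of global vs. local grants; hypothetical names, not Zope/PAS code.

class Folder:
    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self.local_roles = {}  # user id -> roles granted on this folder

    def grant_local(self, user_id, *roles):
        self.local_roles.setdefault(user_id, set()).update(roles)


class User:
    def __init__(self, user_id, global_roles=()):
        self.user_id = user_id
        self.global_roles = set(global_roles)  # stands in for a role plugin's grants


def roles_in_context(user, folder):
    """Global roles plus every local grant found from folder up to the root."""
    roles = set(user.global_roles)
    node = folder
    while node is not None:
        roles |= node.local_roles.get(user.user_id, set())
        node = node.parent
    return sorted(roles)


def build_demo():
    """Constructed sample tree: root -> (public, intranet -> hr)."""
    root = Folder("root")
    public = Folder("public", parent=root)
    intranet = Folder("intranet", parent=root)
    hr = Folder("hr", parent=intranet)
    users = {
        "alice": User("alice", global_roles=["Manager"]),  # global grant
        "bob": User("bob"),                                 # local grant below
        "carol": User("carol"),                             # local grant at root
    }
    intranet.grant_local("bob", "Editor")
    root.grant_local("carol", "Manager")
    folders = {f.name: f for f in (root, public, intranet, hr)}
    return folders, users


if __name__ == "__main__":
    folders, users = build_demo()
    for name, folder in folders.items():
        print(name, {u: roles_in_context(users[u], folder) for u in users})
```

In this model bob's Editor grant is confined to intranet and hr, while carol's root-level local grant reaches every folder yet stays recorded on the object rather than on the user.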