[Zope3-dev] Re: principals vs. users

Guido van Rossum guido@python.org
Fri, 14 Dec 2001 12:19:49 -0500


>   GvR> [jim]
>   >> Given that several principals can be associated with a single
>   >> human, it might be confusing to talk about them as separate
>   >> users.
> 
>   GvR> Unix says username to disambiguate these, when that's
>   GvR> necessary.

[jeremy]
> What does "these" refer to?

"these" refers to different principals belonging to the same human.

> I've lost the context of Jim's message but I agree that it would be
> confusing to talk about a set of principals as separate users.  One of
> the points of talking about a principal is to avoid all the confusion
> that occurs when you talk about users.

Really?  Can you give an example of this confusion that wouldn't be
solved by using "username" instead of "user"?

> Jim and I talked a few days ago about compound principals which may be
> what motivates his comment.  A compound principal is one of the form
> "SSL connection as Guido" where the SSL connection is the principal on
> the local machine that speaks for Guido.  It is typical to check that
> the SSL connection actually speaks for Guido and then just reason
> about Guido.  
> 
> But there may be circumstances where you want to associate
> permissions with the compound principal itself.  For example, to
> distinguish between Guido logged in using http and Guido logged in
> using https.  (Amazon.com does something like this.)

Are we calling these two different principals?  Or are they the same
principal with different strengths of authentication?  I think the
point is that they are the same principal, but that our level of trust
differs depending on how they authenticated themselves (and on how
much we trust the security of the connection).

>   >> - In the future, principals will be able to control what roles
>   >> they can have at a point in time. They will be able to enable and
>   >> disable roles much as they would put on and take off hats.
> 
>   GvR> Cool.  Like Unix 'newgrp' but better. :-)
> 
> I think this is the way in which "role" is more typically used.

You mean outside zope, right?  I agree.

>   GvR> Unix has one primary group but any number of extra groups.  I
>   GvR> don't know if this translates to Zope though.
> 
> Now you're mixing role and group again :-).
> 
> I think groups are an abstraction that helps manage assignment of
> roles.

Yes.  Zope2 lets the sysadmin assign roles directly to users in the
user management form, which suggests that (originally) the Zope2
designers thought of roles as subsuming the functionality of groups.
But I think we've learned that it's better to have both.

> You and I are in the PythonLabs group and everyone in the
> PythonLabs group has the administrator role for Python CVS.

Good example.

>   >> o Risks of client-side trojan attacks will be partly mitigated.
> 
>   GvR> How?
> 
> If you log in using your "sys admin" role, you may not have permission
> to edit documents that require your "editor" role.  And vice versa.
> It limits your vulnerability to a single role's permissions rather
> than all of them.

Hm, but if I log in with an editor role, I still have view permissions
on other pages that might contain a client-side trojan.  I don't see
how it solves the problem, although it may reduce it somewhat.

--Guido van Rossum (home page: http://www.python.org/~guido/)
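
The role-activation idea discussed in this message (groups assign roles, a principal enables one role at a time), as an added Python sketch that is not part of the original post and is not Zope code. The class, the "DocTeam" group and the permission names are hypothetical.

```python
# Added illustration: all names here are hypothetical, not Zope APIs.
from dataclasses import dataclass, field

# Groups are a way to manage role assignment (constructed sample data).
GROUP_ROLES = {"PythonLabs": {"administrator"}, "DocTeam": {"editor"}}

# Permissions attached to each role; both roles include "view".
ROLE_PERMISSIONS = {
    "administrator": {"view", "manage_cvs"},
    "editor": {"view", "edit_document"},
}


@dataclass
class Principal:
    username: str
    groups: set
    active_roles: set = field(default_factory=set)

    def available_roles(self):
        """Roles the principal may put on, derived from group membership."""
        roles = set()
        for group in self.groups:
            roles |= GROUP_ROLES.get(group, set())
        return roles

    def enable(self, role):
        if role not in self.available_roles():
            raise PermissionError(f"{self.username} may not take role {role!r}")
        self.active_roles.add(role)

    def disable(self, role):
        self.active_roles.discard(role)

    def effective_permissions(self):
        """Permissions usable by any request sent as this principal right now."""
        perms = set()
        for role in self.active_roles:
            perms |= ROLE_PERMISSIONS[role]
        return perms


def demo():
    guido = Principal("guido", {"PythonLabs", "DocTeam"})
    guido.enable("editor")
    as_editor = guido.effective_permissions()
    guido.disable("editor")
    guido.enable("administrator")
    return as_editor, guido.effective_permissions()
```

With one role active, a request forged by hostile content is limited to that role's permissions, but "view" remains available under either role.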