[Zope3-dev] Re: a note on groups and roles

Jim Fulton jim at zope.com
Fri Nov 21 16:11:42 EST 2003 

Martijn Faassen wrote:
> Hey,
> 

..

> I'll bring up some specific conclusions from my present thinking that
> challenge what's in the wiki. Jim, if you're in a hurry, read 
> at least the 'headlines' and the first paragraphs below them.
> 
> There can be only one
> ----------------------
> 
> I think saying a user can be multiple principals to Zope at the same
> time is opening a can of worms.

Did we say that anywhere?

Only one principal is authenticated for a particular request.



 > Auditing becomes harder, keeping
> track of multiple principals all the time per request is a nightmare,
> etc. Doesn't seem necessary to me.

Principals aren't really for auditing, but about about authorization.
Nevertheless, there is only *one* authenticated principal (unless there
is none) for a request, so auditing shouln't not be a problem.

> A user gets identified/authenticated as much as possible (which may lead to
> no id at all) and then the user's requests will be associated
> with that principal.

Yes, same for non users.

> Of course there may still be groups of users that share the same
> login username/password or certificate or whatnot beyond Zope's 
> knowledge or control. But since that's outside knowledge we can't 
> deal with it. This is an entirely different concept from real Zope
> controlled groups.

yes

> It's possible for a user to be two different principals if that
> user connects to Zope in a way that Zope interprets as two different
> principals.

In two separate requests.

 > A simple case is a user being Anonymous first, then
> logging in. Again this information is outside of Zope and thus
> cannot be managed by Zope, as Zope has no idea.

or a user may be weakly authenticated by name, perhaps via a cookie,
and, later, strongly authenticated via some other means.

> Saying at any time there's just *one* principal doing requests simplifies 
> mattersa like traceability -- you can always track whodunnit easily. It has
> a range of consequences, though. I think performance will also be
> helped.
> 
> So:
> 
> The principal is the proxy in Zope through which an agent (user or
> program) sends requests into the application. Each request only
> has a single such proxy associated with it.

Yup, exactly.

> Groups are not principals
> -------------------------
> 
> Since a user can't be represented by multiple principals at the same
> time in my view, I have become unconvinced that groups are a kind of
> principal. Groups are a grouping of principals. Some minimal
> questions that are useful to be able to ask are:

You are confusing authentication and authorization.
Principals are primarily objects to attach authorization to.

There is only *one* authenticated principal for a request, This authenticated
principal could be used for auditing.  This principal can be contained in other
principals and, thus acquires their authorizations.


> 
>   principal.getGroups()
> 
>   principal.isInGroup(group)
> 
>   group.isMember(principal)
> 
> Some of these can be implemented in terms of others.
> 
> group.getPrincipals() 
 >
> is *not* a good question to always ask, as groups may be really large
> sets or group membership may be determined by other properties of
> principals (ip address or user settings or even first letter of the
> username :). This question is therefore not always answerable.
> 
> Thus, groups may be composed of other groups, etc, whatever you like,
> all hidden behind this abstraction. 

I agree with all of that.

> Groups not being principals has in my mind an important benefit in
> auditing. Instead of only being able to say "someone in group X did the evil
> thing"  you'll be able to always trace it back to the actual principal.

You don't need to make groups non-principals to do that. You just need
to distinguish the authenticated principal.

> This also means that not every entity which can be granted a permission
> is a principal. A group is a non-principal which can cause principals
> to be granted permissions.

Are you suggesting that granting a permission to a group should have the effect
of granting it to the individual principals in the group? If so, I think that
that is a really bad idea. Certainly, when removing someone from a group, I
would expect them to lose any authorizations given to the group members.

 > A role is similarly a non-principal

Right

 > which can
> cause principals to be granted permissions.

Only indirectly.

 > A workgroup is
> yet another such entity. These entities are all ways to grant permissions
> to principals indirectly.

Whew.

> groups are not workgroups
> -------------------------
> 
> I'm not going to talk about workgroups anymore in this mail, except this 
> statement that they're really not the same as a group.

Good, we don't need another term.

> Anonymous is a principal
> ------------------------
> 
> There has to be an anonymous principal. This is important for
> traceability -- "Who did the evil thing deleting all the objects?"
> "Anonymous did it!"

Agreed.

> This would indicate that there's a security hole in your application
> somewhere.
> 
> Anonymous is the best guess we may have as to who is sending
> out requests.
> 
> There's a group called 'Everybody'
> ----------------------------------
> 
> In Zope 2, everybody can typically do at least what 'Anonymous' can do. 
> In Zope 3 since anonymous is a principal this doesn't make sense. In order to
> get to the category of everybody, let's just define the group of all
> principals.

Yup.

> The document mentions an 'Authenticated' group, which is fine in my
> mind. :)
> 
> All principals are in the 'Authenticated' group except Anonymous.

Right.

Jim

-- 
Jim Fulton           mailto:jim at zope.com       Python Powered!
CTO                  (540) 361-1714            http://www.python.org
Zope Corporation     http://www.zope.com       http://www.zope.org

More information about the Zope3-dev mailing list