[Zope3-dev] Re: role (contextual) services?l
Jim Fulton
jim at zope.com
Mon Apr 5 14:02:19 EDT 2004
Tres Seaver wrote:
> Jim Fulton wrote:
>
...
>> There was a convincing argument made on this list a while back that
>> it is better *not* to think of groups as principals. I suggest that
>> we adopt this point of view. (I just updated the glossary entry. :)
>> Then groups would be an artifact only of a particular security policy,
>> independent of authentication service implementations.
>
>
> I remember the assertion, but I don't remember being convinced.
> Certainly groups don't authenticate; if that is all that a "principal"
> means, then why did we abandon "user"?
Groups were one of the reasons we abandoned "user".
Some other reasons we abandoned users:
- We wanted to make it possible for a single user to authenticate
in different ways.
- We wanted to allow certificate authentiaction, where there isn't necessarily
a "user" behind the certificate.
> For authorization purposes, groups *are* (compound) principals;
Or they represent multiple principals.
> they
> can be bound (via whatever mechanism the policy supports) to
> permissions. The composite pattern is particularly appropriate because
> groups may contain both users ("leaf" principals) and other groups
> ("composite" principals). A security policy which honors groups grants
> permissions to principals, perhaps directly, or perhaps via an
> indirection like roles.
I'm not suggesting we don't want groups. We just don't need to make them
principals. By making them *not* be principals, we get the significant benefit
of not involving authentication services. This, IMO, is a big advantage.
The Zope 3 security model has 4 parts:
- Authentication
- Permission declarations (saying what permissions are required
to access or modify names)
- Protection, enforcing the permission declarations
- Authorization (aka security policy)
I'd like to keep these as indpendent as possible, which is why
I strongly prefer to make groups soley part of the authorization
system.
Jim
--
Jim Fulton mailto:jim at zope.com Python Powered!
CTO (540) 361-1714 http://www.python.org
Zope Corporation http://www.zope.com http://www.zope.org
More information about the Zope3-dev
mailing list