[Grok-dev] User/Group/Security Management Pain

whit morriss d.w.morriss at gmail.com
Tue May 13 12:57:52 EDT 2008


So... Martijn asked Calvin and me to stop whining in the channel about 
the state of user management and post our complaints here to attempt to 
end the suffering. Why the suffering? If all you need is basic user 
management, flexibility is just a confusing delay in getting to where 
you need to be (this is a huge selling point for Django).

That said, I think this could be a real winner for Grok, since a clear 
user management default would be easy to make a simple solution that 
could easily provide a flexible starting point. As Martijn pointed out, 
it's the kind of complicated problem Grok is good at helping simplify. 
And *most* other modern Python web frameworks have the issue of no good 
out-of-the-box user management.


The current problem area: I hit these questions immediately when 
approaching this in Grok (and found no clear answers):

* how do I add users and groups?
* how do I do user/group - role - permission mappings à la Zope 2? Are 
there any auditing tools?
* how do I add custom plugins to the PAU (credentials, user/group sources)?
* what do I need to do to be secure?

There are probably more rough edges out there... those are just the ones 
I encountered.


One approach is the following: Martijn suggested doing this as an 
extension that provides reasonable defaults and is pointed to from the 
documentation. This would definitely help fill the current holes in 
that area (see 
http://grok.zope.org/documentation/phc_topic_area?topic=Principals+and+Security), 
especially if we answer the questions above.


A good start would be to gather what documentation and code is available 
out there and see what can be used and where the holes are. For my 
effort, I cobbled stuff together from Philipp's book and Zope's innards 
(with some help from the channel).

http://projects.opengeo.org/almanac/browser/siteapp/trunk/opengeo/almanac

Most of the effort is in account.py and auth.py (and it's a bit messy, 
and the cookie auth is not signed yet), but it covers a basic 
signup/login case minus groups and role/permission mechanics (this part 
I'm trying to work out now and wish I had some good examples). Feedback 
welcome, of course...

I'm sure others have code too, no?

-whit
