[Zope-PAS] Re: User ID mangling question

Zachery Bir zbir at urbanape.com
Mon Oct 11 09:53:29 EDT 2004

On 2004-10-10 06:11:32 -0400, Jens Vagelpohl 
<jens at dataflake.org> said:

> On Sep 14, 2004, at 16:20, Lennart Regebro wrote:
>> Jens Vagelpohl wrote:
>>> It is crystal clear that some mangling or some assigning of unique IDs 
>>> has to happen because "jens from the LDAP plugin" isn't "jens from the 
>>> ZODB plugin".
>> I agree. And that returns us back to what I have been saying: It is the 
>> enumeration plugins id that should prefix it, not the authentication 
>> plugin.
>> I think this would be quite easy to implement. In fact, I already have, 
>> but it broke a number of tests, because an enumeration plugin was not 
>> created for these tests. Now that I understand how the tests work, I 
>> thik I can fix that as well. :)
> Lennart, is there any kind of working solution yet? I just sat down 
> again to try and get the LDAPMultiPlugin to work and saw that the 
> recent decisions wrt ID mangling haven't been implemented yet - at 
> least looking at the CVS HEAD from a couple days ago. There's still 
> automatc mangling all over the place.

I'm currently working on a branch that should be dealing away with id 
mangling. It's conceivable that it will cause pain for existing PASes 
in the wild, at least until some sort of migration is done to unify ids 
within plugins (since they will want to all map between some common id 
and whatever they deal with). For example:

  'users', a ZODBUserManager, has:

    .userid_to_login => { 'zbir' : 'zbir at urbanape.com' }

  'roles', a ZODBRoleManager, has:

    .principal_roles => { 'users__zbir' : ['Manager', 'Super Guy'] }

In a mangle-less PAS, we'll need some way for them to understand that 
that's the same user now, since PAS won't be doing the busywork around 

In addition, all the local roles assignments now made on objects will 
be using the mangled id.

There are several ways to go about a migration. The easiest case will 
be a ZODB-based user manager, where the ids can all be updated to be 
the (currently) PAS-mangled id. Then everything else that is keyed off 
that mangled id will continue to work.

User stores that are not manageable through PAS or are read-only 
(perhaps some SQL or LDAP based solution) will require updating the 
keys that other plugins rely on to extract their own values.


More information about the Zope-PAS mailing list