[Zope-PAS] Id mangling.

[Zachery Bir]

On Sep 9, 2004, at 11:54 AM, Lennart Regebro wrote:

> Willi Langenberger wrote:
>> However, the role assignment should (in my opinion) happen after
>> unmangling the ids, so that user enumeration and user authentication
>> can be done with different plugins.
>
> Unmangling means that you can't assign different user roles to the 
> ldap__wlang and the fobbar__wlang. As I understand it, that is the 
> whoel point of the prefixing (otherwise, the prefixing it pointless 
> and can be removed completely).
>
> The problem you have is the same as mine. The user is not prefixed 
> with the enumerationplgin, but with the authentication plugin, and 
> that is still wrong. I fixed it, but that broke some unit tests, 
> because those tests did not create an enumeration plugin. I don't 
> understand the way the unit tests is made, so I can't change that, 
> because I have failed to fix the unit tests accordingly.

Jim, Tres and I talked at length about this last night. I think the 
prefixing is going to be undergoing significant surgery in the short 
term. We'll probably move towards making the prefixing optional and 
configurable, so that policy can be imposed to make multiple, disparate 
plugins play nice.

As it currently stands, there can be perfectly valid arguments for the 
plugin prefix to be based on either the authenticator or the enumerator 
(I can see auth systems that have an authenticator but which cannot be 
enumerated [our Shibboleth plugin currently works this way - it has to 
be made to play nice with other plugins]).

But that's not a defense of the current situation, more an acceptance 
that the prefixing isn't really the job of PAS in its current 
incarnation. It's a policy choice that can be off by default (if you 
only had one set of plugins that authenticated, enumerated, &c you 
wouldn't need prefixing) but can be made more and more specific by 
configuration.

I think Jim's going to write up more on this in the Zope 3 thread.

Zac