[Zope-PAS] Id mangling.
zbir at urbanape.com
Thu Sep 9 12:02:35 EDT 2004
On Sep 9, 2004, at 11:54 AM, Lennart Regebro wrote:
> Willi Langenberger wrote:
>> However, the role assignment should (in my opinion) happen after
>> unmangling the ids, so that user enumeration and user authentication
>> can be done with different plugins.
> Unmangling means that you can't assign different user roles to the
> ldap__wlang and the fobbar__wlang. As I understand it, that is the
> whole point of the prefixing (otherwise, the prefixing is pointless
> and can be removed completely).
> The problem you have is the same as mine. The user is not prefixed
> with the enumeration plugin, but with the authentication plugin, and
> that is still wrong. I fixed it, but that broke some unit tests,
> because those tests did not create an enumeration plugin. I don't
> understand the way the unit tests are made, so I can't change that,
> because I have failed to fix the unit tests accordingly.
Jim, Tres and I talked at length about this last night. I think the
prefixing is going to be undergoing significant surgery in the short
term. We'll probably move towards making the prefixing optional and
configurable, so that policy can be imposed to make multiple, disparate
plugins play nice.
As it currently stands, there can be perfectly valid arguments for the
plugin prefix to be based on either the authenticator or the enumerator
(I can see auth systems that have an authenticator but which cannot be
enumerated [our Shibboleth plugin currently works this way - it has to
be made to play nice with other plugins]).
But that's not a defense of the current situation, more an acceptance
that the prefixing isn't really the job of PAS in its current
incarnation. It's a policy choice that can be off by default (if you
only had one set of plugins that authenticated, enumerated, &c you
wouldn't need prefixing) but can be made more and more specific by
I think Jim's going to write up more on this in the Zope 3 thread.