[Zope-PAS] Re: new plugin for global group roles

Tres Seaver tseaver at zope.com
Wed Feb 9 13:28:17 EST 2005



Kapil Thangavelu wrote:
|
| On Feb 8, 2005, at 5:39 AM, Tres Seaver wrote:
|
|> Kapil Thangavelu wrote:
|>
|> | afaics, the default group usage in pas only augments principal roles
|> | with local group roles. at the pas sprint this past week we put together
|> | a role plugin which will assign global roles to a principal based on
|> | direct principal grants and group grants.
|>
|> I'm missing something here:  where are these grants made?  Here is what
|> I think is happening now:
|>
|> -  The ZODBRoleManager in Zope2 PAS allows assignment of roles to
|>    either users or groups (both of which are "principals").
|>
|
| grants would be made in the same place.
|
|> - The RecursiveGroupFolder plugin scribbles a "transitive closure" of
|>   the user's group memberships onto the user.
|>
|
| sure, for some definition of scribble ;-)
|
|> - Roles (both global and local) assigned either to the user or to one
|>   of the user's groups are verified in the PropertiedUser method
|>   'allowed'.
|>
|
| this is where things aren't clear. the propertieduser impl of allowed
| checks object access against the assigned roles global roles which does
| not include group->role grants. afaics, groups are only being used when
| local roles are being searched.

Yep, you're right.  Originally we had planned to deprecate global roles
altogether, and therefore didn't work that out cleanly.

|> How does your proposed change work with this setup?
|>
|
| exactly the same except that the role manager will do lookup of a
| principal's groups in its principal to role mapping, when retrieving
| principal roles. currently it's a straight mapping lookup of a principal
| id to roles.

The lowest impact thing I can think to do is to update the
ZODBRoleManager plugin to look for 'getGroups' on the principal passed
to 'getRolesForPrincipal', and return the union of the roles for the
principal and her groups.

Tres.
--
===============================================================
Tres Seaver                                tseaver at zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com
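The lookup Tres proposes at the end of the thread, as a stand-alone added illustration (not the real ZODBRoleManager or PAS code): a role manager whose getRolesForPrincipal() unions the roles granted directly to a principal with the roles granted to each id returned by the principal's getGroups(), falling back to the plain id-to-roles lookup when the principal has no getGroups. The class names, the SimplePrincipal stand-in and the transitive_group_closure helper (standing in for what the RecursiveGroupFolder computes) are assumptions for this example.

```python
# Added example, not code from the Zope PAS project. Names below are assumptions
# modelled loosely on the PAS interfaces discussed in the thread.

def transitive_group_closure(direct_groups, group_parents):
    """All group ids reachable from direct_groups through group_parents
    (group id -> ids of the groups it belongs to). Cycle-safe, so a user in
    group A, with A in B and B in A, still terminates."""
    seen, todo = set(), list(direct_groups)
    while todo:
        g = todo.pop()
        if g in seen:
            continue
        seen.add(g)
        todo.extend(group_parents.get(g, ()))
    return frozenset(seen)


class SimplePrincipal:
    """Stand-in for a PAS PropertiedUser: an id plus the group closure
    'scribbled' onto it (here passed in directly)."""
    def __init__(self, principal_id, groups=()):
        self._id = principal_id
        self._groups = tuple(groups)

    def getId(self):
        return self._id

    def getGroups(self):
        return self._groups


class GroupAwareRoleManager:
    """Stand-in for a ZODBRoleManager-style plugin: principal id -> role ids.
    Users and groups share one mapping, since both are principals."""
    def __init__(self):
        self._principal_roles = {}

    def assignRoleToPrincipal(self, role_id, principal_id):
        self._principal_roles.setdefault(principal_id, set()).add(role_id)

    def getRolesForPrincipal(self, principal, request=None):
        """Direct grants plus grants to any group the principal reports.
        Group lookup only happens when the principal offers getGroups(), so a
        plain principal keeps the old straight mapping lookup."""
        roles = set(self._principal_roles.get(principal.getId(), ()))
        get_groups = getattr(principal, 'getGroups', None)
        if get_groups is not None:
            for group_id in get_groups():
                roles |= self._principal_roles.get(group_id, set())
        return tuple(sorted(roles))
```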

