[Zope] SimpleUserFolder and sha-crypted passwd

Jan-Frode Myklebust janfrode@parallab.no
Wed, 15 Jan 2003 12:05:06 +0100


On Wed, Jan 08, 2003 at 09:03:00AM +0000, Chris Withers wrote:
> >
> >I solved it. It seems to go wrong if I try to have addUser, deleteUser, 
> >editUser and getUserNames as SQL methods and getUserDetails as a Python 
> >Script, so after ripping my hair off I changed them all to python scripts. 
> >And suddenly everything worked fine:-) I have no idea if this was due to 
> >an error on my behalf or if it is a limitation in SUF(if it is, you should 
> >try to get rid of it!).
> 

> I'm afraid it's likely to be an error on your part. There's no such 
> limitation in SUF to my knowledge, but if you can demonstrate one I'd be 
> happy to fix it.

Bjørge, would be nice to know if you can demonstrate it and report it
back to Chris Withers..

> 
> >Just for the record; I did not change my encryption lines, and yes they 
> >are in a python scripts (some external).
> 
> My question was relating to importing some of the stuff you're using from 
> within Script (Python)'s. Things like sha are unlikely to have Zope 
> security assertions and so would have failed with an UnauthorizedError when 
> you tried to use them. If that happens as part of the user authorization 
> process, you might experience it as your username/passwords from SUF 'not 
> working'.

We've allowed sha into Zope with "allow_module('sha')".

> 
> >You might think of caching the username and roles in some way, is it 
> >really necessary to query the db every single GET command?
> 
> True, I'd prefer not to throw more responsibility onto SUF. If this is an 
> issue, I'd suggest looking into using Zope's standard cache managers on 
> your getUserDetails method. If you do this and can work it into a How-To, 
> that'd be very very cool :-)
> 

I must say I'm _very_ impressed with how well it's performing without
any caching. I was concerned that either the password hashing or sql
queries on our 1500 user postgres database would create too high load on the 
server, but it really isn't noticeable. 

Unauthenticated:

%  timex wget -q --output-document=/dev/null http://realfag.uib.no/uptime
real 0.02
user 0.00
sys  0.00

Authenticated:

%  timex wget -q --output-document=/dev/null --http-user=janfrode@ii.uib.no --http-passwd=IllNeverTell  http://realfag.uib.no/uptime
real 0.05
user 0.00
sys  0.00

Actually the authenticated timings are a bit less stable than
unauthenticated. Goes from 0.05 seconds to ~0.10. 

Maybe we'll try to add sql caching later, but with this speed it
doesn't seem worth the effort.

BTW: I was a bit concerned when Bjørge picked SUF over exUserfolder.
SUF sounded too much like a small simple hack to demonstrate that
somebody knows how to hack zope. But it's really very powerful! I
think something like SUF should be the default userfolder in Zope
(with some default addUser, deleteUser, getUserDetails, etc.) that
gives exactly the same behaviour as the current User Folder. It's
annoying that there are too many different UFs to choose from, and
not all end up being actively maintained.. 

So, thank you for SUF! 


  -jf
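The thread talks about SUF looking users up in a database and checking sha-hashed passwords from Python Scripts, but no script is shown. The following is an added example written for this archive page, not code from the mail, from SUF or from Zope. It assumes a hypothetical in-memory user table standing in for the PostgreSQL table, and a hypothetical `get_user_details`/`check_password` pair standing in for the SUF `getUserDetails` script. It uses `hashlib.sha1`, which produces the same digest the old `sha` module did, and compares digests in constant time with `hmac.compare_digest`. Inside Zope the `sha`/`hashlib` import would still need the `allow_module` declaration the mail mentions.

```python
import hashlib
import hmac

# In a Zope product __init__ this declaration is what lets Script (Python)
# import the hashing module at all (assumption: the AccessControl import path):
#     from AccessControl import allow_module
#     allow_module('sha')

# Constructed sample "user table", standing in for the PostgreSQL table the
# mail describes. Passwords are stored as hex SHA-1 digests, which is what
# the old Python `sha` module produced (hashlib.sha1 gives the same bytes).
USERS = {
    "alice": {"passwd": hashlib.sha1(b"wonderland").hexdigest(),
              "roles": ["Member"]},
    "bob":   {"passwd": hashlib.sha1(b"builder").hexdigest(),
              "roles": ["Member", "Manager"]},
}


def get_user_details(name):
    """Hypothetical stand-in for a SUF getUserDetails script: return the
    stored record (hashed password plus roles) for `name`, or None."""
    return USERS.get(name)


def check_password(name, candidate):
    """Return the user's roles when `candidate` hashes to the stored digest,
    otherwise None.

    The digest comparison uses hmac.compare_digest so that the time taken
    does not depend on where the two hex strings first differ."""
    digest = hashlib.sha1(candidate.encode("utf-8")).hexdigest()
    rec = get_user_details(name)
    if rec is None:
        # Unknown user: the hash was computed above anyway, so a lookup of a
        # missing name costs about the same as one for a real name.
        return None
    if hmac.compare_digest(digest, rec["passwd"]):
        return list(rec["roles"])
    return None


if __name__ == "__main__":
    for user, pw in (("alice", "wonderland"), ("alice", "guess"),
                     ("bob", "builder"), ("nobody", "x")):
        print(user, check_password(user, pw))
```

Storing an unsalted SHA-1 digest, as the `sha`-based scheme in the thread does, means identical passwords produce identical stored values; a per-user salt hashed together with the password is the usual hardening and changes only the two `hashlib.sha1(...)` lines above.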