[Zope] Re: PluggableAuthService question about roles

Tres Seaver tseaver at palladion.com
Mon Apr 2 22:21:21 EDT 2007

Hash: SHA1

Thomas Bennett wrote:
> I have installed the following:
> Zope Version 	(Zope 2.9.7-final, python 2.4.4, linux2) 
> Python Version 	2.4.4 (#1, Oct 23 2006, 13:58:00) 
>                        [GCC 4.1.1 20061011 (Red Hat 4.1.1-30)] 
> System Platform 	linux2 
> SOFTWARE_HOME 	/var/zope/lib/python 
> ZOPE_HOME 	/var/zope 
> INSTANCE_HOME 	/var/zope 
> CLIENT_HOME 	/var/zope/var 
> Network Services 	ZServer.HTTPServer.zhttp_server (Port: 8086)
> ZServer.HTTPServer.zwebdav_server (Port: 9800)
> I'm using Zeo storage with this.
> The main problem is my understanding roles with  my new set up.
> I am moving from a Zope 2.6.1 setup to the setup shown above.  I've already 
> added some Products to my INSTANCE_HOME/Products directory including Plone 
> which includes the PluggableAuthService folder.  I installed a Plone site for 
> testing and deleted it.
>   It appears that PAS has taken over my root acl_users folder or is this now a 
> default in 2.9.

The installer for a 'Plone Site' replaces the root acl_users with a PAS:
 I've argued that this is poor practice (inexcusably rude, actually),
but they seem determined to continue it.

>   Now I can only add users from the ZODB User Manager under /acl_users/users, 
> there is nowhere to add a user from an Add buttion as in the older version of 
> Zope.

Correct.  In PAS, there are actually potentially muttiple user sources
(e.g,, SQL, LDAP, NTLM, etc.).  Adding them to the 'ZODB users' plugin
is the "cognate" of the od "Add" button.

>   I can add roles from ZODB Role Manager in /acl_users/roles but these roles 
> don't show up under the Security tab on any page.  I can add local roles 
> under the Security tab and they don't show up in /acl_users/roles. 

Correct.  The roles in the PAS plugin are used to control "global"
grants to the users;  the roles you set on a folder (even the root), are
about "local" grants.

> I have searched and can find little to no documentation on use or difference 
> in the two authentication methods.  Where can I find more information on 
> roles in 2.9.7 and use in this situation?

In general, I would avoid defining any new "global" roles in PAS, or
even granting the existing ones as "global" roles.  Rather, I advise
treating *all* grants as "local", even if that means setting them on the
root object.

> Is this normal behavior and if so how can I synchronize roles between the 
> Security tab and /acl_users/roles or is it not possible?

I would just avoid the role plugin altogether.

> Am still searching the WEB and archives in the meantime.

The better list for this would be zope-pas at lists.zope.org (CC'ed), which
deals with PAS specifics.

- --
Tres Seaver          +1 540-429-0999          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


More information about the Zope mailing list