On 03/23/2010 10:27 PM, Stewart Smith wrote:
On Thu, 18 Mar 2010 15:28:48 -0700, Brian Aker <[email protected]> wrote:
I'd like to start tracking user ownership on objects, aka who made
what.
I think that's a terrific idea.
This is a little more complex for us since we don't have an
internal concept of a "user" since we delegate authority to other
systems. What I am thinking at the moment though is that we set up a
domain:user combination similar to what we see with HTTP. The other
option, and hold onto your socks, would be to use openID identifiers.
I believe we could easily map OpenID to the more traditional systems
like LDAP/etc.
I think that, while this may be a wonderful choice that an admin might
make, this is actually all not explicitly needed for us to decide. We
_do_ actually have an internal idea of a user - it's just a declared
string. There are no requirements on it. So I can declare my name to be
http://inaugust.com/~mordred as easily as I could declare my name to be
mordred or [email protected]. This works today, right now. The only
reason I'd choose one over the other is what authentication system the
admin might want to use to authenticate that I am who I say I am. This
is the Identity portion of the equation and we have it.
With no authentication system loaded, I can declare anything when I
connect, and I will be met with joyful cheer. (Other than a randomly
undersized username column in the data dictionary.) Check it out:
mord...@orisndriz03:~/src/drizzle/bug546676/client$ ./drizzle -u http://inaugust.com/~mordred
Welcome to the Drizzle client.. Commands end with ; or \g.
Your Drizzle connection id is 3
Server version: 7 Source distribution (bug546676)
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
drizzle> select * from data_dictionary.PROCESSLIST;
+----+------------------+-----------+----+---------+------+--------------+-------------------------------------------+
| ID | USER             | HOST      | DB | COMMAND | TIME | STATE        | INFO                                      |
+----+------------------+-----------+----+---------+------+--------------+-------------------------------------------+
| 2  | http://inaugust. | 127.0.0.1 |    | Query   | 0    | Sending data | select * from data_dictionary.PROCESSLIST |
+----+------------------+-----------+----+---------+------+--------------+-------------------------------------------+
1 row in set (0 sec)
If I had an auth system loaded, it would want me to then provide proof
that I am, in fact, http://inaugust.com/~mordred.
I'm not saying that domain\user or u...@domain or an OpenID URL are bad
choices - simply that we do not need to make them.
What about a simple "plugin_name:foo" where plugin_name is the plugin
that was active at the time and foo is whatever that plugin understands
(but must be text).
The problem with this is that it's conjoining the Identity and the
Authentication in a very dangerous and unhealthy way. The user's
identity is not htpasswd:fred - it's fred. Or it's INAUGUST\fred. Who we
ask for authentication is entirely up to the administrator of the system.
The fantastic thing about the way that Drizzle works right now is that
all of us can set up whatever our idea of how this should work on the
admin side (perhaps at the moment needing a few helper plugins to be
written).
So as for tracking ownership - go with the Identity that's in the system
right now.
_______________________________________________
Mailing list: https://launchpad.net/~drizzle-discuss
Post to : [email protected]
Unsubscribe : https://launchpad.net/~drizzle-discuss
More help : https://help.launchpad.net/ListHelp
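The separation argued for in the reply above (a declared identity string, a swappable authentication plugin, and ownership recorded against the identity alone) as an added Python sketch; this is not Drizzle code, and `no_auth`, `htpasswd_auth` and the in-memory `Server` are constructed stand-ins for the real plugin interface, with a constructed secret.

```python
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# An auth plugin answers one question: has the caller proven it is the identity
# it declared? The identity string itself belongs to the user, not the plugin.
AuthPlugin = Callable[[str, Optional[str]], bool]

def no_auth(identity: str, credential: Optional[str]) -> bool:
    """No auth plugin loaded: any declared identity is accepted, as in the post."""
    return True

def htpasswd_auth(table: Dict[str, str]) -> AuthPlugin:
    """Hypothetical htpasswd-style plugin; `table` is a constructed identity->secret map."""
    def check(identity: str, credential: Optional[str]) -> bool:
        secret = table.get(identity)
        if secret is None or credential is None:
            return False
        return hmac.compare_digest(secret, credential)
    return check

@dataclass
class Server:
    auth: AuthPlugin
    owners: Dict[str, str] = field(default_factory=dict)  # object name -> owner identity

    def connect(self, identity: str, credential: Optional[str] = None) -> str:
        """Return the identity the session runs as, or refuse the connection."""
        if not self.auth(identity, credential):
            raise PermissionError(f"cannot authenticate {identity!r}")
        return identity

    def create(self, session_identity: str, obj: str) -> None:
        self.owners[obj] = session_identity  # store the identity alone, no plugin prefix

def ownership_survives_plugin_swap() -> bool:
    """Create an object with no auth loaded, then have the admin load a real plugin."""
    me = "http://inaugust.com/~mordred"
    server = Server(auth=no_auth)
    server.create(server.connect(me), "t1")
    server.auth = htpasswd_auth({me: "constructed-secret"})  # admin swaps the backend
    try:
        server.connect(me)  # same identity, but now it must prove itself
        return False
    except PermissionError:
        pass
    # Had ownership been keyed "no_auth:<me>", it would no longer match "htpasswd:<me>".
    return server.owners["t1"] == server.connect(me, "constructed-secret")
```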