++

On Tue, Mar 23, 2010 at 11:03:57PM -0700, Monty Taylor wrote:
> On 03/23/2010 10:27 PM, Stewart Smith wrote:
> >On Thu, 18 Mar 2010 15:28:48 -0700, Brian Aker<[email protected]>  wrote:
> >>I'd like to start tracking user ownership on objects, aka who made
> >>what.
> 
> I think that's a terrific idea.
> 
> >>This is a little more complex for us since we don't have an
> >>internal concept of a "user" since we delegate authority to other
> >>systems. What I am thinking at the moment though is that we set up a
> >>domain:user combination similar to what we see with HTTP. The other
> >>option, and hold onto your socks, would be to use openID identifiers.
> >>
> >>I believe we could easily map OpenID to the more traditional systems
> >>like LDAP/etc.
> 
> I think that, while this may be a wonderful choice that an admin
> might make, this is actually all not explicitly needed for us to
> decide. We _do_ actually have an internal idea of a user - it's just
> a declared string. There are no requirements on it. So I can declare
> my name to be http://inaugust.com/~mordred as easily as I could
> declare my name to be mordred or [email protected]. This works
> today, right now. The only reason I'd choose one over the other is
> what authentication system the admin might want to use to
> authenticate that I am who I say I am. This is the Identity portion
> of the equation and we have it.
> 
> With no authentication system loaded, I can declare anything when I
> connect, and I will be met with joyful cheer.  (Other than a
> randomly undersized username column in the data dictionary.) Check
> it out:
> 
> mord...@orisndriz03:~/src/drizzle/bug546676/client$ ./drizzle -u http://inaugust.com/~mordred
> Welcome to the Drizzle client..  Commands end with ; or \g.
> Your Drizzle connection id is 3
> Server version: 7 Source distribution (bug546676)
> 
> Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
> 
> drizzle> select * from data_dictionary.PROCESSLIST;
> +----+------------------+-----------+----+---------+------+--------------+-------------------------------------------+
> | ID | USER             | HOST      | DB | COMMAND | TIME | STATE        | INFO                                      |
> +----+------------------+-----------+----+---------+------+--------------+-------------------------------------------+
> |  2 | http://inaugust. | 127.0.0.1 |    | Query   |    0 | Sending data | select * from data_dictionary.PROCESSLIST |
> +----+------------------+-----------+----+---------+------+--------------+-------------------------------------------+
> 1 row in set (0 sec)
> 
> If I had an auth system loaded, it would want me to then provide
> proof that I am, in fact, http://inaugust.com/~mordred
> 
> 
> I'm not saying that domain\user or u...@domain or an OpenID URL are
> bad choices - simply that we do not need to make them.
> 
> >What about a simple "plugin_name:foo" where plugin_name is the plugin
> >that was active at the time and foo is whatever that plugin understands
> >(but must be text).
> 
> The problem with this is that it's conjoining the Identity and the
> Authentication in a very dangerous and unhealthy way. The user's
> identity is not htpasswd:fred - it's fred. Or it's INAUGUST\fred.
> Who we ask for authentication is entirely up to the administrator of
> the system.
> 
> The fantastic thing about the way that Drizzle works right now is
> that all of us can set up whatever our idea of how this should work
> on the admin side (perhaps at the moment needing a few helper
> plugins to be written)
> 
> So as for tracking ownership - go with the Identity that's in the
> system right now.
> 
> _______________________________________________
> Mailing list: https://launchpad.net/~drizzle-discuss
> Post to     : [email protected]
> Unsubscribe : https://launchpad.net/~drizzle-discuss
> More help   : https://help.launchpad.net/ListHelp

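An added illustration, not part of the thread and not Drizzle code, of the separation discussed in the quoted message: ownership is keyed on the full declared identity string, the authenticator is swappable without rewriting owner records, and a 16-character display form (the width of the truncated USER value in the PROCESSLIST output) is never used for ownership decisions. All names (`Catalog`, `allow_all`, `make_table_auth`, `display`) and the sample identities and secret are hypothetical.

```python
# Added illustration; every name here is hypothetical, none is a Drizzle API.
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

DISPLAY_WIDTH = 16  # width of the truncated USER value shown in the thread

# An authenticator answers one question: did this identity prove itself?
Authenticator = Callable[[str, str], bool]


def allow_all(identity: str, proof: str) -> bool:
    """No auth plugin loaded: any declared identity is accepted."""
    return True


def make_table_auth(secrets: Dict[str, str]) -> Authenticator:
    """Constructed stand-in for an htpasswd/LDAP-style backend."""
    def check(identity: str, proof: str) -> bool:
        expected = secrets.get(identity)
        return expected is not None and hmac.compare_digest(expected, proof)
    return check


@dataclass
class Catalog:
    authenticator: Authenticator = allow_all
    owners: Dict[str, str] = field(default_factory=dict)  # object -> identity

    def connect(self, identity: str, proof: str = "") -> Optional[str]:
        # The identity is returned unchanged: no "plugin:" prefix is added.
        return identity if self.authenticator(identity, proof) else None

    def create(self, session_identity: str, obj: str) -> None:
        # Ownership stores the full declared string, never a display form.
        self.owners[obj] = session_identity

    def may_drop(self, session_identity: str, obj: str) -> bool:
        # Compare full identities; truncated forms can collide.
        return self.owners.get(obj) == session_identity


def display(identity: str) -> str:
    """What a 16-character column would show for this identity."""
    return identity[:DISPLAY_WIDTH]
```
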