idea - Class::Data::Separated

2004-11-07 Thread David R. Baird 

This is just an idea at the moment, and mainly I'm wondering if this 
kind of thing already exists? 

I'm debugging a mod_perl app just now, so I'm using Apache::Reload to 
allow me to edit modules and have them automatically reload without 
having to restart the server. Works very nicely, except when a module 
has associated class data. The data are all lost when the module 
reloads, so I end up having to restart the server after all. 

Partly I'm addressing this by refactoring some code out into modules 
that have no class data. The logical extension to this would be to 
provide a module that stores class data for other classes, so there's 
only ever one module that is really storing any class data. I'm 
thinking that a client module could set and retrieve its classdata 
into the helper class, which does a lookup based on the caller to 
locate the caller's class data, which it returns. Then I can safely 
mess with the code in the caller and not lose its class data. 

I generally use Class::Data::Inheritable to manage class data, and my 
first thought would be to base this thing on that, so it might be 
called Class::Data::Inheritable::Separated, or else just 
Class::Data::Separated. 

Is this wheel already spinning somewhere?

Cheers,

d.



-- 
Dr. David R. Baird
Riverside Content Management Systems
http://www.riverside-cms.co.uk

Re: [RFC] Apache::Session::Memcached - new module proposal

2004-09-13 Thread David R. Baird 

Looks good. Can I suggest that the 'servers' option takes a data 
structure, rather than a single formatted string? Something like 

tie %session, 'Apache::Session::Memcached', $sid, {
   Servers = { '10.0.0.1' = '2', 
'10.0.0.2' = '2',
}
};

d.


On 13 Sep 2004 at 19:37, Enrico Sorcinelli wrote:

 Hi all,
 
 I just realized Apache::Session::Memcached, a simple module that stores
 persistent data using memcached (and his Cache::Memcached Perl API) for
 Apache::Session storage.
 
 It's available for evaluating and testing at:
 
   http://modperl.it/Apache-Session-Memcached-0.01.tar.gz
 
 I've attached a temporary POD at the end of the message.
 
 I searched on CPAN and I've not found any similar module (the reason why I wrote
 it).
 
 Since I would put it on CPAN, any suggestions about the module and/or namespace
 are welcome.
 
 Thanks in advance
 
 by
 
 - Enrico
 
 ---
 
 =head1 NAME
 
 Apache::Session::Memcached - Stores persistent data using memcached (memory
 cache daemon) for Apache::Session storage
 
 =head1 SYNOPSIS
 
use Apache::Session::Memcached;
tie %session, 'Apache::Session::Memcached', $sid, {
   Servers = '10.0.0.1:2 10.0.0.2:2',
};
 
tie %size_aware_session, 'Apache::Session::Memcached', $sid, {
   Servers = '10.0.0.1:2 10.0.0.2:2',
};
 
 =head1 DESCRIPTION
 
 Apache::Session::Memcached is a bridge between Apache::Session and
 memcached, a distributed memory cache daemon.
 
 More informations about memcached are available at
 Lhttp://www.dunga.com/memcached.
 
 This module provides a way to use Cache::Memcached (memcached Perl API) as
 Apache::Session storage implementation.
 
 =head1 NOTE
 
 This is a alpha release. 
 Docs and some code checks must be improved.
 
 =head1 SEE ALSO
 
 LApache::Session|Apache::Session,
 LApache::Session::Flex|Apache::Session::Flex,
 LCache::Memcached|Cache::Memcached, Lmemcached.
 
 =head1 AUTHOR
 
 Enrico Sorcinelli Eltenrico at sorcinelliEgt
 
 =head1 COPYRIGHT AND LICENSE
 
 Copyright (C) 2004 by Enrico Sorcinelli
 
 This library is free software; you can redistribute it and/or modify
 it under the same terms as Perl itself, either Perl version 5.8.1 or,
 at your option, any later version of Perl 5 you may have available.
 
 =cut




-- 
Dr. David R. Baird
Riverside Content Management Systems
http://www.riverside-cms.co.uk

Re: namespace for users and groups

2004-08-26 Thread David R. Baird 

I've just uploaded the first version of Tree::Authz to the CPAN, I'd 
be very interested in any comments people might have. Does it seem 
useful, does it violate expectations, how does the API grab you? 

Cheers,

d.

-- 
Dr. David R. Baird
Riverside Content Management Systems
[EMAIL PROTECTED]
http://www.riverside-cms.co.uk

Re: Name space and module list

2004-08-26 Thread David R. Baird 

On 26 Aug 2004 at 15:21, [EMAIL PROTECTED] wrote:

[snippety snip]

 As I already hinted at, I don't like lengthy discussion so don't 
expect
 me arguing and (dis)agreeing too much over opinion expressions
 following
 this mail.

OK. 

d.

-- 
Dr. David R. Baird
Riverside Content Management Systems
http://www.riverside-cms.co.uk

Re: namespace for users and groups

2004-08-24 Thread David R. Baird 

On 24 Aug 2004 at 11:32, Sam Vilain wrote:

 Group, by itself, infers no such treeness.  You may have chosen to 
 model your groups and users by some close analogue of;
 
 
   +-+  +-+  ++
   | GrantableEntity |--|  Grant  |--| Entity |
   +++ 1  * +-+ *  1 ++
   /_\
|
  +---+   +-++
  |   | * |  |
  |* +-+ * * ++
  +--|  Group  |-|  User  |
 +-+ ++
 
 
 Unix Groups, for instance, do not bother with this, so Group doesn't 
 mean Heirarchy of Groups in this case.


Yes, I see that. So I'm building one particular model of an ACL, so 
the module name should refer to that, so Tree is more relevant than 
Group in the name. My model would be more like (UML neophyte diagram 
coming up): 

   +-+
   | GrantableEntity |
   +++
  * |
|
  +---+   +-+
  |   | * |  
  |* +-+ 1 * ++
  +--|  Group  |-|  User  |
 +-+ ++

What I mean is, groups contain subgroups to arbitrary depth, groups 
have things they can grant, these things can be strings, coderefs, or 
methods, and users always have to go through their (probably single) 
group to get at their GrantableEntities. I don't think my module says 
anything about the relationship between grants and the entities they 
protect. I think you create these yourself and store them on the 
nodes of the tree. 

Having heard a little about various ACL schemes here, and skimmed a 
few of the Authen:: modules on CPAN, I doubt if my module will be 
much use for, say, plugging into an existing ACL framework or 
service. They have their model, I have mine. But if you have a 
multiuser app and you need a straightforward means of splitting users 
up and assigning access permissions to different aspects of your app, 
then my module, hopefully, would be an option. 

[...] 
 UML is an excellent language with which to express the exact nature of 
 the ACL that your module implements.  _*The Art of Objects: 
 Object-Oriented Design and Architecture_, by *Yun-Tung Lau 
 http://www.amazon.com/exec/obidos/search-handle-url/index=booksfield-author=Yun-Tung%20Lau/102-5857950-6496945
  
 (isbn://0201711613/) uses ACL design as one of its worked examples.
 Highly recommended.

I had a lot of fun a few months back using UML for the first time to 
design things properly, it's a powerful tool, I'm still seeing the 
benefits today. I've been looking for the next textbook to read, 
looks like I've just found it! Examples in a domain you are actually 
working in are always great. 

I've applied to register the namespace Tree::Authz on PAUSE. A name 
can never communicate everything about a module, but I think that 
covers the essentials. A huge improvement over Admin::Group! 

Cheers, 

d.


-- 
Dr. David R. Baird
Riverside Content Management Systems
[EMAIL PROTECTED]
http://www.riverside-cms.co.uk

Re: namespace for users and groups

2004-08-23 Thread David R. Baird 

On 22 Aug 2004 at 22:31, david nicol wrote:

 On Sun, 2004-08-22 at 18:04, David R. Baird wrote:
  
  I'm not 100% sure of the Tree:: bit (although it is based on a tree 
  structure), but I can't see where else it could fit in. 
  
  d.
 
 Are the arboreal aspects important to the use of the tool or are they
 implementation details?  Could you change it to use a hash or a 
 SQL server without altering the interface?  Ifyou did, would it make
 said arbitrary back-end appear treelike?

I think the treeness is quite important, because groups inherit the 
capabilities/permissions of their subgroups. So whenever you check if 
your own group is permitted to do something, you know that the tree-
like hierarchy of groups contained within your group is also being 
checked. 

The treeness isn't apparent when you do an authorization lookup (you 
just query against your own group), but it is apparent when you set 
up the groups. 

I think I was just a bit doubtful of having Tree and Group in the 
name at the same time, since they both describe some aspect of data 
structure. But they're both relevant, so I guess that's OK. If there 
were an Authz:: namespace, I'd probably go for Authz::Tree, so maybe 
I should go for Tree::Authz. 

By the way, I'd argue that there probably _should_ be an Authz:: 
namespace, just as there is an Authen:: namespace. They're different 
things. Although some of the Authen:: modules support authorization, 
it also makes sense that authorization can be abstracted out from 
authentication. 

This is more difficult than writing the damn thing! 

d.


 
 
 -- 
 david nicol
   Someday, everything's going to be different
when I paint my masterpiece.



-- 
Dr. David R. Baird
Riverside Content Management Systems
[EMAIL PROTECTED]
http://www.riverside-cms.co.uk

Re: namespace for users and groups

2004-08-22 Thread David R. Baird 

On 21 Aug 2004 at 18:18, david nicol wrote:

 On Sat, 2004-08-21 at 16:00, Kurt Starsinic wrote:
  Also, when you're talking about groups of groups as above, the
  more common term of art is accounts and subaccounts.
  
  - Kurt
 
 While we're pitching terms, *nix, which unashamedly uses groups
 for these things, talks about permissions or perms while
 the access control list school of thought talks about the ACL.

Yes, I'm a bit stuck in the Unix terminology, I need to do a bit more 
research around ACL in particular. At first glance, a lot of the ACL 
modules are implementing protocols to communicate with various 
authentication services. But something like Data::ACL covers a lot of 
the ground I'm thinking about. Mine adds the ability to associate 
code with the groups in the ACL, and uses a different mechanism for 
setting up the groups hierarchy. Maybe I should call it something 
like Tree::ACL::MethodMaker. 


 Permissions, privileges, capabilities are generally handled by
 the environment in which a program is operating, which leads me
 to the suspicion that you're operating in a CGI context.  Assuming
 you're using something else for the authentication phase, and
 since accounting was not mentioned in your query, I'll propose
 
CGI::Perms::Baird
 
 as something to work from. Boldly brand!

Hmm. Much as I like the suggestion, I don't think it communicates 
much about what the module is doing! 

Sure, many programs operate in an environment that already 
provides/enforces a particular authentication mechanism. If so, my 
module isn't for you, it's not an interface to an authentication or 
authorization service. It provides an authorization service. Yes, I'm 
building web apps, but I don't see that the permissions management 
subsystem has anything to do with that environment. I happen to 
receive usernames and passwords from form submissions, but that's 
irrelevant to this module.  

At the moment, I'm favouring something with Tree and ACL in it, plus 
something like MethodMaker to indicate the code-managing aspect. 
Maybe Perms instead of ACL, but ACL seems to be the standard 
terminology. 

The API would look something like 

my $groups = ... get a tree structure ...

# just like Data::ACL
my $acl = Tree::ACL::MethodMaker-new( $groups ); 

# add some capabilities

# this one is just like Data::ACL -
$acl-group( 'groupname' )-add_permission( 'admin' ); 

# these are new stuff - 
$acl-group( 'groupname' )-add_abilities( edit = $coderef );
$acl-group( 'groupname' )-add_abilities( 'Some::Package' );

# not part of my module: 
my $user = authenticate_and_return_user( $username, $password );

# this one is just like Data::ACL -
if ( $user-get_group-is_allowed( 'admin' ) {
# do admin stuff
} 

# these are new stuff - 
if ( $user-get_group-can_do( 'edit' ) ) {
$user-get_group-edit( @args );
}

if ( $user-get_group-can_do( 'create_user' ) { 
# Some::Package::create_user
$user-get_group-create_user( @other_args );
}

You could easily define pass-through methods in your user class so 
you can call these methods directly on the user. 

Cheers,

d.



-- 
Dr. David R. Baird
Riverside Content Management Systems
[EMAIL PROTECTED]
http://www.riverside-cms.co.uk

Re: namespace for users and groups

2004-08-22 Thread David R. Baird 

On 22 Aug 2004 at 17:26, david nicol wrote:

 On Sun, 2004-08-22 at 08:22, David R. Baird wrote:
 
  At the moment, I'm favouring something with Tree and ACL in it, plus 
  something like MethodMaker to indicate the code-managing aspect. 
  Maybe Perms instead of ACL, but ACL seems to be the standard 
  terminology. 
 
 ACL and groups are different competing way of skinning the same cat.
 
 in groups, you associate the capability with the group and list
 the users with the capability in the group.
 
 with access control lists, every protected resource keeps a list
 of users and privelege levels.

OK, that's very useful, so I'm building groups rather than ACLs. 

 Systems such as TACACS and RADIUS have whole languages for
 creating processes that can answer authorization questions.  For
 that matter, so are firewall rules, .htaccess files, and
 any section of any configuration file containing the words
 allow or deny.


I'll have a look at these and bring my terminology into line. 

Moving towards something like Tree::Authz::Group. 

I'm not 100% sure of the Tree:: bit (although it is based on a tree 
structure), but I can't see where else it could fit in. 

d.



-- 
Dr. David R. Baird
Riverside Content Management Systems
[EMAIL PROTECTED]
http://www.riverside-cms.co.uk