On Thu, Jan 10, 2013 at 12:27:04AM +0200, Adi Roiban wrote:
> On 9 January 2013 20:02, Glyph <gl...@twistedmatrix.com> wrote:
> > On Jan 9, 2013, at 9:26 AM, Peter Westlake <peter.westl...@pobox.com> wrote:
> >
> > I am not an expert in Twisted, but from my understanding, the "string"
> > requirement is there to provide a pluggable interface. So that you can
> > have generic credentials checkers, working with generic realms.
> > Having simple "strings" could also help with AvatarId serialization,
> > in case you have the CredentialsChecker on one computer and then you
> > will pass them over network/socket to a remote Realm.
> > [snip]
>
> > I hope it's clear that just hard-coding your avatars and realms to work only
> > with each other is a sub-optimal solution :).
>
> It is very clear :)
>
> > The architecture of cred is supposed to be that you can plug realms and
> > checkers together so that a change to your authentication backend doesn't
> > completely change your application. Of course, that architecture is flawed
> > in the sense that a string is a bit too narrow of a communication channel to
> > get information about the authenticated user from one to the other,
> > especially in cases where the application needs information from a directory
> > service to function.
> >
> > If you're interested in an improved, official way to deal with this
> > use-case, the best way to do that would be to get involved and actively try
> > to specify what you need. I've got similar use-cases at work, as you can
> > see here:
> > <http://trac.calendarserver.org/browser/CalendarServer/trunk/twistedcaldav/directory/idirectory.py>
> > so I'd be happy to talk to you about some ideas.
> >
> > The best way to predict the future is to invent it. :)
>
> My AvatarID Object is just for data.
>
> Let me describe one of my usage/requirement:
>
> I have a portal with credentialsChecker for both OS accounts and
> application specific accounts.
> One can have user "john" both as a local account and/or an application
> account.
> If my credentialsChecker returns only 'john', the Realm will not know
> from where to get user's home folder, so the returned AvatarID needs
> to signal the "source" of avatarID login so that it can use the same
> source for getting account configuration.

Can't you use `Portal.login` interfaces parameter? I think you have two
different entry points for local and application accounts, so:

    # login as local account
    portal.login('john', None, ILocalHomeFolder)

    # login as application account
    portal.login('john', None, IApplicationLogic)

    class Realm:
        def requestAvatar(self, avatarId, mind, *interfaces):
            # pick the avatar factory that matches the requested interfaces
            getAvatar = AFactory(interfaces)
            avatar = getAvatar(avatarId, mind)
            return avatar

> I know that a solution is to have unique ID across all system, but in
> my case, this is not possible, and I have a priority list.
>
> I can encode the source in the avatar id like: john@os or
> john@application, but I don't see why this is better than ('john',
> 'os') / ('john', 'application')

Well, actually tuples are not modifiable, so they are strings, then
('john', 'os') is a unique identifier across all system with not much more
information than 'john@os'. The advantage of using plain string is that
they don't break the interface.

> A formal description would be:
>
> There are N authentication services and for each authentication
> service, there is an associated account configuration service.
> When an account is allowed by authentication service X, the server
> will retrieve account configuration from the configuration service X.
>
> -----
>
> Another use case:
>
> I have user X with password Y. If user X is authenticated from local
> LAN it gets avatar Z, otherwise it gets avatar W.
>
> Here a simple AvatarID is not enough, since I also need to pass the
> remote peer from the transport.
>
>
> I keep a reference to remote peer in the Avatar. Doing this I don't
> need to always pass the transport, and just use the avatar. I do this
> to keep track of "sessions" in logs.

Take a look at mind parameter and at twisted.words.service on how you can
use it.

> In some cases the credentialsChecker can do authentication and
> authorization in the same step.
> In my usage, the credentialsChecker only does authentication, and then
> an initial authorization is done in the realm.

just my 2c.
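
The "john@os" / "john@application" string encoding discussed in this thread, as an added example that is not code from any of the posters or from Twisted. It does not import Twisted: `check_credentials` and `request_home` are hypothetical stand-ins for a credentials checker and a realm, and every account, password and path is constructed sample data.

```python
import hmac

# Constructed sample data: one credential store and one configuration store
# per authentication source. Plaintext passwords only to keep the sample short.
KNOWN_SOURCES = ("os", "application")  # priority order: first match wins
CREDENTIALS = {
    "os": {"john": "os-pw"},
    "application": {"john": "app-pw", "root@os": "tricky-pw"},
}
HOMES = {
    "os": {"john": "/home/john"},
    "application": {"john": "/srv/app/users/john",
                    "root@os": "/srv/app/users/root_os"},
}


def encode_avatar_id(username, source):
    """Build the string avatar ID a checker would return, e.g. 'john@os'."""
    if source not in KNOWN_SOURCES:
        raise ValueError("unknown authentication source: %r" % (source,))
    return "%s@%s" % (username, source)


def decode_avatar_id(avatar_id):
    """Split on the LAST '@' so a username containing '@' cannot choose its source."""
    username, sep, source = avatar_id.rpartition("@")
    if not sep or not username or source not in KNOWN_SOURCES:
        raise ValueError("malformed avatar ID: %r" % (avatar_id,))
    return username, source


def check_credentials(username, password):
    """Checker stand-in: try each source in priority order, return a tagged ID."""
    for source in KNOWN_SOURCES:
        stored = CREDENTIALS[source].get(username)
        if stored is not None and hmac.compare_digest(
                stored.encode(), password.encode()):
            return encode_avatar_id(username, source)
    raise LookupError("unauthorized login")


def request_home(avatar_id):
    """Realm stand-in: read configuration from the source that authenticated."""
    username, source = decode_avatar_id(avatar_id)
    return HOMES[source][username]
```

The application account named "root@os" is the edge case: its avatar ID is "root@os@application", and decoding from the right keeps it in the application source instead of resolving it against the OS account store.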