On Thu, Jan 10, 2013 at 12:27:04AM +0200, Adi Roiban wrote:
> On 9 January 2013 20:02, Glyph <gl...@twistedmatrix.com> wrote:
> > On Jan 9, 2013, at 9:26 AM, Peter Westlake <peter.westl...@pobox.com> wrote:
> >
> > I am not an expert in Twisted, but from my understanding, the "string"
> > requirement is there to provide a pluggable interface. So that you can
> > have generic credentials checkers, working with generic realms.
> > Having simple "strings" could also help with AvatarId serialization,
> > in case you have the CredentialsChecker on one computer and then you
> > will pass them over network/socket to a remote Realm.
> 
> [snip]
> 
> > I hope it's clear that just hard-coding your avatars and realms to work only
> > with each other is a sub-optimal solution :).
> 
> It is very clear :)
> 
> > The architecture of cred is supposed to be that you can plug realms and
> > checkers together so that a change to your authentication backend doesn't
> > completely change your application.  Of course, that architecture is flawed
> > in the sense that a string is a bit too narrow of a communication channel to
> > get information about the authenticated user from one to the other,
> > especially in cases where the application needs information from a directory
> > service to function.
> >
> > If you're interested in an improved, official way to deal with this
> > use-case, the best way to do that would be to get involved and actively try
> > to specify what you need.  I've got similar use-cases at work, as you can
> > see here:
> > <http://trac.calendarserver.org/browser/CalendarServer/trunk/twistedcaldav/directory/idirectory.py>
> > so I'd be happy to talk to you about some ideas.
> >
> > The best way to predict the future is to invent it. :)
> 
> My AvatarID Object is just for data.
> 
> Let me describe one of my usages/requirements:
> 
> I have a portal with credentialsChecker for both OS accounts and
> application specific accounts.
> One can have user "john" both as a local account and/or an application 
> account.
> If my credentialsChecker returns only 'john', the Realm will not know
> from where to get user's home folder, so the returned AvatarID needs
> to signal the "source" of avatarID login so that it can use the same
> source for getting account configuration.

Can't you use the `Portal.login` interfaces parameter? I think you have two
different entry points for local and application accounts, so:

        # login as local account (first argument is the credentials object,
        # shown here as a bare username)
        portal.login('john', None, ILocalHomeFolder)
        # login as application account
        portal.login('john', None, IApplicationLogic)


        class Realm:

                def requestAvatar(self, avatarId, mind, *interfaces):
                        # pick the avatar factory from the requested interface(s)
                        getAvatar = AFactory(interfaces)
                        avatar = getAvatar(avatarId, mind)
                        return avatar

> I know that a solution is to have unique ID across all system, but in
> my case, this is not possible, and I have a priority list.
> 
> I can encode the source in the avatar id like: john@os or
> john@application, but I don't see why this is better than ('john',
> 'os') / ('john', 'application')

Well, actually tuples are not modifiable, so they are strings; then
('john', 'os') is a unique identifier across the whole system with not much
more information than 'john@os'. The advantage of using plain strings is
that they don't break the interface.

> A formal description would be:
> 
> There are N authentication services and for each authentication
> service, there is an associated account configuration service.
> When an account is allowed by authentication service X, the server
> will retrieve account configuration from the configuration service X.
> 
> -----
> 
> Another use case:
> 
> I have user X with password Y. If user X is authenticated from local
> LAN it gets avatar Z, otherwise it gets avatar W.
> 
> Here a simple AvatarID is not enough, since I also need to pass the
> remote peer from the transport.
> 
> 
> I keep a reference to remote peer in the Avatar. Doing this I don't
> need to always pass the transport, and just use the avatar. I do this
> to keep track of "sessions" in logs.

Take a look at the mind parameter and at twisted.words.service to see how
you can use it.

> In some cases the credentialsChecker can do authentication and
> authorization in the same step.
> In my usage, the credentialsChecker only does authentication, and then
> an initial authorization is done in the realm.

Just my 2c.
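
The entry-point and mind pattern suggested in this reply, as an added stand-in model that is neither Twisted's code nor code from the thread: the names (Portal.login, Realm.requestAvatar, requestAvatarId) mirror twisted.cred, but everything here is synchronous plain Python with hypothetical marker classes ILocalHomeFolder and IApplicationLogic in place of zope.interface interfaces, a constructed user "john" present in both account sources with different passwords and home folders, and a hypothetical LAN range. Each entry point gets its own checker scoped to one account source, the checker returns a plain-string avatarId, the realm uses the requested interface to choose the account-configuration source, and the mind carries the remote peer so the realm can hand out the LAN or non-LAN avatar.

```python
import hmac
import ipaddress
from dataclasses import dataclass

# Stand-in "interfaces": plain marker classes in place of zope.interface Interfaces.
class ILocalHomeFolder: pass
class IApplicationLogic: pass

class UnauthorizedLogin(Exception): pass

@dataclass
class Mind:
    """What the protocol hands over as 'mind': here just the remote peer address."""
    peer: ipaddress.IPv4Address

@dataclass
class Avatar:
    avatarId: str   # plain string, as the reply recommends
    source: str     # "os" or "application", decided by the realm from the interface
    home: str
    peer: ipaddress.IPv4Address
    on_lan: bool    # the avatar-Z versus avatar-W distinction from the second use case

class PasswordChecker:
    """Authenticates against one account source only; authorization stays in the realm."""
    def __init__(self, accounts):
        self.accounts = accounts  # {username: password}, constructed sample data
    def requestAvatarId(self, credentials):
        username, password = credentials
        stored = self.accounts.get(username, "")
        # constant-time comparison; an unknown user takes the same path as a bad password
        if stored and hmac.compare_digest(stored, password):
            return username
        raise UnauthorizedLogin(username)

LAN = ipaddress.ip_network("192.168.0.0/16")  # hypothetical "local LAN"

class Realm:
    """Maps the requested interface to an account-configuration source."""
    def __init__(self, os_homes, app_homes):
        self.sources = {
            ILocalHomeFolder: ("os", os_homes),
            IApplicationLogic: ("application", app_homes),
        }
    def requestAvatar(self, avatarId, mind, *interfaces):
        for iface in interfaces:
            if iface in self.sources:
                source, homes = self.sources[iface]
                avatar = Avatar(avatarId, source, homes[avatarId], mind.peer, mind.peer in LAN)
                # (interface, avatar, logout) triple, the shape twisted.cred realms return
                return iface, avatar, lambda: None
        raise NotImplementedError("no supported interface requested")

class Portal:
    """One entry point: a single checker bound to one account source plus the shared realm."""
    def __init__(self, realm, checker):
        self.realm = realm
        self.checker = checker
    def login(self, credentials, mind, *interfaces):
        avatarId = self.checker.requestAvatarId(credentials)
        return self.realm.requestAvatar(avatarId, mind, *interfaces)

# Constructed sample data: "john" exists in both sources with different passwords and homes.
OS_ACCOUNTS = {"john": "os-secret"}
APP_ACCOUNTS = {"john": "app-secret"}
REALM = Realm({"john": "/home/john"}, {"john": "/srv/app/john"})
LOCAL_PORTAL = Portal(REALM, PasswordChecker(OS_ACCOUNTS))
APP_PORTAL = Portal(REALM, PasswordChecker(APP_ACCOUNTS))

def login_local(username, password, peer):
    """Local-account entry point: OS checker, ILocalHomeFolder avatar."""
    mind = Mind(ipaddress.ip_address(peer))
    return LOCAL_PORTAL.login((username, password), mind, ILocalHomeFolder)[1]

def login_app(username, password, peer):
    """Application-account entry point: application checker, IApplicationLogic avatar."""
    mind = Mind(ipaddress.ip_address(peer))
    return APP_PORTAL.login((username, password), mind, IApplicationLogic)[1]

def try_login(login, username, password, peer):
    """Return the avatar, or None when the checker rejects the credentials."""
    try:
        return login(username, password, peer)
    except UnauthorizedLogin:
        return None

if __name__ == "__main__":
    print(login_local("john", "os-secret", "192.168.1.5"))
    print(login_app("john", "app-secret", "203.0.113.9"))
    print(try_login(login_app, "john", "os-secret", "203.0.113.9"))
```

Binding one checker per entry point is what keeps the two "john" accounts apart: the OS password cannot unlock the application entry point even though both checkers return the same bare string, and the realm never has to guess which source the string came from because the interface says so.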

_______________________________________________
Twisted-Python mailing list
Twisted-Python@twistedmatrix.com
http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python