User management API
Status
Author
Adam Groszer (adamg(at)fw.hu)
Problem/Proposal
Nowadays every site requires some kind of user management. Z3 already has the infrastructure for that in pluggableauth, principalfolder, groupfolder and principalannotation.
Goals
Piece-of-cake user management from code.
Proposed Solution
There may be a default configuration of the PAU, principalfolder, groupfolder and principalannotation. These could be created on request, the way zope.app.appsetup.bootstrap.ensureUtility does it. Once these are in place, the API could act on them. Extra user information (e-mail address, phone number, etc.) could be stored with principalannotation.
First we should start with a simple API:
- add user
- modify user
- change password
- remove user
- list of users
- get user data
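As an added sketch (not part of the original proposal and not Zope's own code), the six operations above over two plain dictionaries standing in for the principal folder and the principalannotation utility; the `UserManager` class, its method names and the salted PBKDF2 hashing are assumptions made here:

```python
import hashlib
import hmac
import os


class UserManager:
    """Hypothetical in-memory stand-in for the proposed API: credentials
    live in a 'principal folder' dict, extra data (e-mail, phone, ...) in a
    separate 'principal annotation' dict, as the proposal describes."""

    def __init__(self):
        self._principals = {}    # login -> (salt, password digest)
        self._annotations = {}   # login -> dict of extra user data

    @staticmethod
    def _hash(password, salt):
        # Salted PBKDF2 so the store never holds the plaintext password.
        return hashlib.pbkdf2_hmac('sha256', password.encode(), salt, 100_000)

    def add_user(self, login, password, **info):
        if login in self._principals:
            raise KeyError('login already exists: %s' % login)
        salt = os.urandom(16)
        self._principals[login] = (salt, self._hash(password, salt))
        self._annotations[login] = dict(info)

    def modify_user(self, login, **info):
        self._annotations[login].update(info)   # KeyError for unknown login

    def check_password(self, login, password):
        salt, digest = self._principals[login]
        return hmac.compare_digest(digest, self._hash(password, salt))

    def change_password(self, login, old_password, new_password):
        # The current password is required, so the API cannot be used to
        # rotate a password without proving possession of the old one.
        if not self.check_password(login, old_password):
            return False
        salt = os.urandom(16)
        self._principals[login] = (salt, self._hash(new_password, salt))
        return True

    def remove_user(self, login):
        del self._principals[login]
        self._annotations.pop(login, None)

    def list_users(self):
        return sorted(self._principals)

    def get_user_data(self, login):
        self._principals[login]   # raises KeyError for unknown logins
        return dict(self._annotations.get(login, {}))
```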
Risks
Currently I don't see any.
Nov. 20: I managed the README.txt (http://www.zope.org/Members/adamg/umAPI/README.txt)
Writeable vs. Read-Only authentication sources --bavarian, 2005/11/18 10:18 EST
We already have read-only authentication accessible from code and views, defined by zope.app.security.interfaces.IAuthentication in the most basic form.
What we are missing is a similar Interface for authentication sources that are writeable. Making this distinction is very important, because in some scenarios I will only need read-only authentication, in others I will need the full user management story.
E.g., if the Zope3 app runs as part of a centrally managed IT infrastructure that has a global directory (e.g. LDAP, ActiveDirectory), managing the users is not the Zope3 app's job. But in a standalone application I might want to be able to manage users.
This is independent of the backend I am using (LDAP, SQL, ZODB, ...), although some backends may not support write access.
The reason why I think that this should be part of Pluggable Authentication and not just another separate component is that most of the authentication sources will only need to be configured once for reading AND writing. This is definitely true for LDAP, SQL, ZODB, and file-based auth.
There may be exceptions, where, to name an example, a different password is needed for an LDAP server to authenticate against it than to add a new user, but in general it will be more logical to have an authentication source set up just once than having to set it up as part of the Pluggable Authentication component AND as part of a user management component.
I think we have two separate things in mind --adamg, 2005/11/20 05:38 EST
My idea is about having a simple interface to the currently existing Z3 infrastructure of user management, that makes life easier. That way I do not have to write several lines of code to change a password.
You are writing about the authentication part, whose job is just to check if the user can or cannot have access. That needs in fact read-only access to the user registry, whichever type it may be. For example, if I want to have LDAP authentication I would get (or write) an Authenticator plugin for LDAP. I don't think that adding users to an LDAP server is in the scope of Z3, but that should be decided by others.
Re: I think we have two separate things in mind --bavarian, 2005/11/23 08:39 EST
No, I am talking about exactly the same thing. I just wanted to point out that the interface for authentication is already there (and looks ok to me), but there is no corresponding interface for user management.
I think that managing users in general should indeed be in the focus of Zope3. And there should be an interface I can use with a default implementation that is shipped with Zope3. For all the plugins (like LDAP) it would be mandatory to support the read-only authentication interface, but the writeable parts would be optional.
