[Yanel-dev] Re: Access Control User Interface

Thu Feb 1 18:07:57 CET 2007

> On Wed, 2007-01-31 at 11:04 +0100, Michael Wechner wrote:
>> Josias Thöny wrote:
>>
>> >On Wed, 2007-01-31 at 09:33 +0100, Michael Wechner wrote:
>> >
>> >
>> >>Paloma Gomez wrote:
>> >>
>> >>
>> >>
>> >>>>I think that the Identity is some kind of abstraction of the
>> following
>> >>>>items:
>> >>>>- user
>> >>>>- machine
>> >>>>- ip range
>> >>>>- world
>> >>>>So maybe we could keep Identity.java as a super-class or an
>> interface.
>> >>>>But I'm not sure which methods to put into Identity.java.
>> >>>>
>> >>>>
>> >>>>
>> >>>>
>> >>>Currently, Identity.java just holds a username and an array
>> containing
>> >>>groups and provides getter methods for retrieving them.
>> >>>
>> >>>
>> >>>
>> >>the identity is a container for
>> >>
>> >>user
>> >>machine/ip-range
>> >>world
>> >>group
>> >>
>> >>
>> >
>> >IIUC the identity is either a user, or a machine, or world, etc. But
>> >it's not everything at the same time, or is it?
>> >
>> >
>>
>> no. A user does also have an IP and can be part of a group or many
>> groups
>
> Yes, of course. But the question is how to model that in the code...
> For the user management we proposed to add classes like User, Group
> etc.,  and it's not clear to me how this would relate to the Identity.

It's not clear to me either, maybe because I'm used to the Lenya approach.
>
> Maybe we just keep the Identity as it is and implement the user
> management somehow separately. I don't know...

I thought about that too... But would be Identity used for then? When I
started thinking about this, my first idea was that the IdentityManager
was similar to the Authenticator in Lenya, and I had to implement users,
groups... I don't see where the Identity fits here.

I think I don't get the idea because it's a completely new approach
(having everything into Identity). Maybe with some examples we could
understand it better.

Regards,
Paloma
> josias
>
>>
>> >So it would seem to me more natural to have Identity as a super-type of
>> >all those "things", instead of a container.
>> >
>> >Or am I misunderstanding you?
>> >
>> >
>>
>> yes ;-) see above
>>
>> >What about the following situation:
>> >A page has a policy which allows access from a certain ip-number. Now a
>> >user at the workstation with that ip-number tries to access that page.
>> >The user will be authorized, without entering username/password. In
>> this
>> >case the identity is just the machine, and there is no username or
>> group
>> >available.
>> >
>> >
>>
>> the question is if we should introduce for IP Numbers also identities
>> within the identities repository?
>>
>> Is that what you are implying?
>>
>> Cheers
>>
>> Michi
>>
>> >
>> >Josias
>> >
>> >
>> >
>> >>resp. identifiying a session so to speak. Instead of passing around
>> all
>> >>the types mentioned above one
>> >>just has to pass around the identity which I think makes a lot of
>> sense ;-)
>> >>
>> >>
>> >>
>> >>>If we want it to
>> >>>represent any kind of item, we should change the current
>> implementation
>> >>>since it just considers users.
>> >>>
>> >>>
>> >>>
>> >>which implementation?
>> >>
>> >>Cheers
>> >>
>> >>Michi
>> >>
>> >>
>> >>
>> >>
>> >
>> >
>> >_______________________________________________
>> >Yanel-development mailing list
>> >Yanel-development at wyona.com
>> >http://wyona.com/cgi-bin/mailman/listinfo/yanel-development
>> >
>> >
>> >
>>
>>
>
>
> _______________________________________________
> Yanel-development mailing list
> Yanel-development at wyona.com
> http://wyona.com/cgi-bin/mailman/listinfo/yanel-development
>
>