[Yanel-dev] Re: Access Control User Interface

Michael Wechner michael.wechner at wyona.com
Fri Feb 2 10:59:20 CET 2007


Paloma Gomez wrote:

>>On Wed, 2007-01-31 at 11:04 +0100, Michael Wechner wrote:
>>    
>>
>>>Josias Thöny wrote:
>>>
>>>      
>>>
>>>>On Wed, 2007-01-31 at 09:33 +0100, Michael Wechner wrote:
>>>>
>>>>
>>>>        
>>>>
>>>>>Paloma Gomez wrote:
>>>>>
>>>>>
>>>>>
>>>>>          
>>>>>
>>>>>>>I think that the Identity is some kind of abstraction of the following
>>>>>>>items:
>>>>>>>- user
>>>>>>>- machine
>>>>>>>- ip range
>>>>>>>- world
>>>>>>>So maybe we could keep Identity.java as a super-class or an interface.
>>>>>>>But I'm not sure which methods to put into Identity.java.
>>>>>>>
>>>>>>Currently, Identity.java just holds a username and an array containing
>>>>>>groups and provides getter methods for retrieving them.
>>>>>>
>>>>>the identity is a container for
>>>>>
>>>>>user
>>>>>machine/ip-range
>>>>>world
>>>>>group
>>>>>
>>>>>
>>>>>          
>>>>>
>>>>IIUC the identity is either a user, or a machine, or world, etc. But
>>>>it's not everything at the same time, or is it?
>>>>
>>>>
>>>>        
>>>>
>>>no. A user does also have an IP and can be part of a group or many
>>>groups
>>>      
>>>
>>Yes, of course. But the question is how to model that in the code...
>>For the user management we proposed to add classes like User, Group
>>etc.,  and it's not clear to me how this would relate to the Identity.
>>    
>>
>
>It's not clear to me either, maybe because I'm used to the Lenya approach.
>  
>
>>Maybe we just keep the Identity as it is and implement the user
>>management somehow separately. I don't know...
>>    
>>
>
>I thought about that too... But what would Identity be used for then? When I
>started thinking about this, my first idea was that the IdentityManager
>was similar to the Authenticator in Lenya, and I had to implement users,
>groups... I don't see where the Identity fits here.
>
>I think I don't get the idea because it's a completely new approach
>(having everything into Identity). Maybe with some examples we could
>understand it better.
>  
>

a machine doesn't have to be a user, but it is an identity, because one 
can identify it through the IP address.

So, identity is more general than User or Machine or Group.

If a human being is logging in successfully, then this human being is 
becoming an identity, which contains the user, machine, groups, etc.

If a machine is accessing the system it also becomes an identity, the IP 
address.

HTH

Michi

>Regards,
>Paloma
>  
>
>>josias
>>
>>    
>>
>>>>So it would seem to me more natural to have Identity as a super-type of
>>>>all those "things", instead of a container.
>>>>
>>>>Or am I misunderstanding you?
>>>>
>>>>
>>>>        
>>>>
>>>yes ;-) see above
>>>
>>>      
>>>
>>>>What about the following situation:
>>>>A page has a policy which allows access from a certain ip-number. Now a
>>>>user at the workstation with that ip-number tries to access that page.
>>>>The user will be authorized, without entering username/password. In this
>>>>case the identity is just the machine, and there is no username or group
>>>>available.
>>>>
>>>the question is if we should introduce for IP Numbers also identities
>>>within the identities repository?
>>>
>>>Is that what you are implying?
>>>
>>>Cheers
>>>
>>>Michi
>>>
>>>      
>>>
>>>>Josias
>>>>
>>>>
>>>>
>>>>        
>>>>
>>>>>resp. identifying a session so to speak. Instead of passing around all
>>>>>the types mentioned above one
>>>>>just has to pass around the identity which I think makes a lot of sense ;-)
>>>>>
>>>>>>If we want it to
>>>>>>represent any kind of item, we should change the current implementation
>>>>>>since it just considers users.
>>>>>>
>>>>>which implementation?
>>>>>
>>>>>Cheers
>>>>>
>>>>>Michi
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>          
>>>>>
>>>>_______________________________________________
>>>>Yanel-development mailing list
>>>>Yanel-development at wyona.com
>>>>http://wyona.com/cgi-bin/mailman/listinfo/yanel-development
>>>>
>>>>
>>>>
>>>>        
>>>>
>>>      
>>>


-- 
Michael Wechner
Wyona      -   Open Source Content Management   -    Apache Lenya
http://www.wyona.com                      http://lenya.apache.org
michael.wechner at wyona.com                        michi at apache.org
+41 44 272 91 61
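
The container model described in this message, together with the IP-only scenario raised earlier in the thread, as an added Java sketch that is not part of the original mail or of Yanel's code. The `Identity` and `Policy` classes, their fields and the sample addresses and names are hypothetical and constructed for illustration.

```java
import java.net.InetAddress;
import java.util.*;

// Hypothetical sketch, not Yanel's Identity.java: one container per session.
public class IdentityExample {

    static final class Identity {
        final String username;      // null when nobody has logged in
        final Set<String> groups;   // empty when there is no user
        final InetAddress address;  // known for every network request

        Identity(String username, Set<String> groups, InetAddress address) {
            this.username = username;
            this.groups = Collections.unmodifiableSet(new HashSet<>(groups));
            this.address = address;
        }
        boolean isAnonymous() { return username == null; }
    }

    // Hypothetical policy: any one matching attribute grants access.
    static final class Policy {
        final Set<String> users = new HashSet<>();
        final Set<String> groups = new HashSet<>();
        final Set<InetAddress> addresses = new HashSet<>();

        boolean permits(Identity id) {
            // A machine is an identity by its IP alone, without a login.
            if (addresses.contains(id.address)) return true;
            if (id.isAnonymous()) return false;
            return users.contains(id.username)
                || !Collections.disjoint(groups, id.groups);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data (documentation address ranges).
        InetAddress workstation = InetAddress.getByName("192.0.2.10");
        InetAddress elsewhere = InetAddress.getByName("198.51.100.7");
        Policy page = new Policy();
        page.addresses.add(workstation);
        page.groups.add("editors");
        Identity machineOnly = new Identity(null, Collections.emptySet(), workstation);
        Identity loggedIn = new Identity("alice", new HashSet<>(Arrays.asList("editors")), elsewhere);
        Identity stranger = new Identity(null, Collections.emptySet(), elsewhere);
        System.out.println("machine only: " + page.permits(machineOnly));
        System.out.println("logged in:    " + page.permits(loggedIn));
        System.out.println("stranger:     " + page.permits(stranger));
    }
}
```

Because the policy check receives a single `Identity`, the caller never has to decide up front whether the request came from a user, a machine or both.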



