[Yanel-dev] User and Group Management

Josias Thöny josias.thoeny at wyona.com
Thu Feb 15 16:24:19 CET 2007


Michael Wechner wrote:
> Josias Thöny wrote:
> 
>> Michael Wechner wrote:
>>
>>> Josias Thöny wrote:
>>>
>>>> Hi all,
>>>>
>>>> I've added interfaces and a yarep-based implementation for user and 
>>>> group management to the security package. It allows to 
>>>> add/modify/delete users and groups, and to manage the membership of 
>>>> users to groups.
>>>>
>>>> Paloma, do you think it would be a lot of work to modify your 
>>>> UserResource to use this API?
>>>>
>>>> I made the UserManager and the GroupManager accessible via the 
>>>> IdentityManager:
>>>>     identityManager.getUserManager()
>>>> and
>>>>     identityManager.getGroupManager()
>>>> I'm not completely happy with that, any suggestions on how to 
>>>> improve this are welcome. Should those two managers be instantiated 
>>>> via spring instead?
>>>
>>>
>>>
>>>
>>> how do we instantiate different implementations with this, e.g. LDAP, 
>>> OpenID, ...?
>>>
>>> I think I remember now how I intended to do it in the first place:
>>>
>>> -  Having a generic API (independent of the implementation)
>>> -  Using different Yarep implementations for the various use cases 
>>> (Default, LDAP, OpenID, ...)
>>
>>
>> That's not implemented yet, but I guess it shouldn't be too hard. The 
>> API allows to have different implementations, the question is just how 
>> to configure which implementation to use.
>> We could use some kind of spring config mechanism, or add an attribute 
>> class="my.cool.UserImpl" to e.g. the user xml files, as it is done in 
>> Lenya. The user xml could also contain something like:
>>
>> <authenticator class="foo.bar.LDAPAuthenticator">
>>     <ldap:id xmlns:ldap="http://foo.bar/ldap/1.0">lenya1</ldap:id>
>> </authenticator>
> 
> 
> right, but I think it's actually not such a good idea, because we don't 
> just want to get the password from LDAP or whatever ....
> 
> I think it's better to do it via Yarep. We already pass a yarep 
> repository to the IdentityManager.
> 
> I think it's important that we start a basic LDAP implementation to make 
> sure that our API is generic enough.

Ah, now I understand what you mean.
In this case the yarep API is probably the limiting factor. I'm not sure 
how e.g. setting or verifying the password would work via the yarep 
interfaces if there's an LDAP behind yarep.
But if it turns out that this doesn't work, one could still write an 
LDAP implementation of the AC interfaces (User, UserManager, Group, 
GroupManager etc.), without using yarep.

josias


> 
> WDYT?
> 
> Cheers
> 
> Michi
> 
>>
>> IIUC that was your idea. This would require that the user 
>> implementation understands this element and then uses the specific 
>> Authenticator class. Basically it should be possible to implement that 
>> without having to change the API (well, we might have to define an 
>> Authenticator interface).
>>
>> josias
>>
>>
>>>
>>> Cheers
>>>
>>> Michi
>>>
>>>>
>>>>
>>>> If the new api is approved, I will make a few minor modifications to 
>>>> YanelServlet, to correctly get the User and its Groups after logging 
>>>> in. This should then allow to set policies based on groups.
>>>>
>>>> Any feedback is welcome.
>>>>
>>>> josias
>>>>
>>>> _______________________________________________
>>>> Yanel-development mailing list
>>>> Yanel-development at wyona.com
>>>> http://wyona.com/cgi-bin/mailman/listinfo/yanel-development
>>>>
>>>
>>>
>>
>>
> 
> 
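The `class="..."` idea from the thread, sketched as an added example that is not code from this thread or from Yanel. The `Authenticator` interface, `DemoLdapAuthenticator`, the `<user>` wrapper element and the allowlist are all hypothetical; the allowlist is this example's own addition, there because the class name is read from a data file.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Set;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;

public class AuthenticatorConfigDemo {
    /** Hypothetical interface; the thread only says one "might have to" be defined. */
    public interface Authenticator {
        void configure(Element config);
        boolean authenticate(String userId, char[] password);
    }
    /** Constructed stand-in for an LDAP-backed implementation (makes no LDAP call). */
    public static class DemoLdapAuthenticator implements Authenticator {
        private String ldapId;
        public void configure(Element config) {
            // Read the implementation-specific child element from its own namespace.
            ldapId = config.getElementsByTagNameNS("http://foo.bar/ldap/1.0", "id")
                           .item(0).getTextContent();
        }
        // Fails closed: this stand-in has no directory to check the password against.
        public boolean authenticate(String userId, char[] password) { return false; }
        public String toString() { return "DemoLdapAuthenticator[" + ldapId + "]"; }
    }

    // Assumption of this example: only classes listed here may be named in user XML.
    static final Set<String> ALLOWED = Set.of(DemoLdapAuthenticator.class.getName());

    static Authenticator load(String userXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Refuse DOCTYPE declarations so the user file cannot pull in external entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Element user = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(userXml.getBytes(StandardCharsets.UTF_8)))
            .getDocumentElement();
        Element auth = (Element) user.getElementsByTagName("authenticator").item(0);
        String cls = (auth == null) ? "" : auth.getAttribute("class");
        if (!ALLOWED.contains(cls)) throw new SecurityException("not allowed: " + cls);
        // asSubclass rejects a listed class that does not implement the interface.
        Authenticator a = Class.forName(cls).asSubclass(Authenticator.class)
                               .getDeclaredConstructor().newInstance();
        a.configure(auth);
        return a;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input, modelled on the snippet quoted in the thread.
        String xml = "<user><authenticator class=\"" + DemoLdapAuthenticator.class.getName()
            + "\"><ldap:id xmlns:ldap=\"http://foo.bar/ldap/1.0\">lenya1</ldap:id>"
            + "</authenticator></user>";
        System.out.println(load(xml));
    }
}
```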



