Re: [Firebird-devel] crypt plugins

[Geoff W. <ge...@te...>]

> But we don't have a design for a security plugin.  Collecting
> requirements and various security/authentications systems is
> one of the first steps.  So keep the ideas coming.

OK then :-)

One of the annoying things about the existing arrangements is
that users are identified by logon username rather than by some
surrogate identifier.  So if you use the USER variable to store
the current user anywhere, such as defining roles and other
permissions, then these definitions are tied to the literal.
This prevents you from changing a users logon username (for
example when people get married).  I implemented a convoluted
system of dual logons in one of my installations specifically
so I could work around this restriction - but it turned out not
to work all that well anyway :-(

I do not know enough about the various different types of
security systems that we may want to plug-in.  But Windows for
example does use a separate UUID to identify a user, allowing
the logon name to change if needed.

I dont expect we would be lucky enough for all possible
security plug-in systems to use exactly the same types of user
identifier.

My lack of experience with other systems means that I really
have no idea exactly how FB databases should implement support
for storing user identifiers, but I begin to suspect that some
sort of translation table may be required.  Something that
cross-references the plug-in defined user identifier to a
consistent FB format identifier.  There would then need to be
an API that took a give FB user-id, translated it to a plugin
user-id and then did an appropriate plugin call to discover
the actual user logon name.  This could make it interesting
getting the list of users.

Anyone else have any thoughts or experience on this?

-- 
Geoff Worboys
Telesis Computing