From: Tim A. <tna...@sh...> - 2009-10-28 15:58:07
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type"> <title></title> </head> <body bgcolor="#ffffff" text="#000000"> All the G3 internals use the identity helper. There is a unit test to ensure that there are no direct calls to the database against the user and group tables.<br> <br> <div>What about user:: vs. identity::? The user module is the default IdentityProvider implementation. And some of the code you saw was a merge gone bad... the duplication has been removed from the user helper.<br> </div> <br> Andy Staudacher wrote: <blockquote cite="mid:d9c...@ma..." type="cite">On Tue, Oct 27, 2009 at 1:31 PM, Bharat Mediratta <span dir="ltr"><<a moz-do-not-send="true" href="mailto:bh...@me...">bh...@me...</a>></span> wrote:<br> <div class="gmail_quote"> <blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> <div class="im">Andy Staudacher wrote:<br> <blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> Read-only meaning that no users can be created (=only existing LDAP users can use G3) and that no user / group attributes (=name, password, etc.) can be changed?<br> <br> At any given time, can more than 1 identity provider be enabled? I.e. does it try to look up a user name sequentially first in provider 1, then in provider 2, etc?<br> Use case: OpenID. Or would an OpenID module be implemented differently, i.e. 
by having an OpenID module interact with the one and only active identity provider module?<br> <br> If only one provider is active at any given time, does that mean that we automatically disable the "create user" UI in G3's admin area when the provider is read-only?<br> </blockquote> <br> </div> The impetus for this change was that folks internal at Google want to use Gallery 3 and have it authenticate against the Google internal LDAP. From that perspective, it doesn't make much sense to have multiple providers. If there's a strong use case for multiple providers, we should identify a use case and prioritize it based on the number of users who we expect to use it.<br> <br> For now, this first implementation flushes out many of the issues we knew to be latent with our original authentication approach. <div class="im"><br> <br> <blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> One of the advantages of this approach is that a module that<br> interfaces directly to a WordPress or Drupal user administration<br> could be written and then Gallery3 would share that installation's<br> users and groups. No user/password synchronization issues as there<br> is only one user administration system.<br> <br> <br> Is there already some minimal documentation?<br> <br> E.g. I wonder what kind of user->id and group->id stability requirements we have. I.e. User ID must be stable. A provider returning a user object must guarantee that a user's ID never changes for the lifetime of the Gallery 3 installation. The (integer) user ID is the one stable identifier that is allowed to be used anywhere in the G3 database (e.g. in the notifications table).<br> What about the stability requirements for group->id? Do we have the same requirements there too?<br> </blockquote> <br> </div> ID stability is implicit here, as it is in almost all other systems. 
I can't think of a system offhand which allows you to change your underlying ids after creation. I'm not overly concerned with this issue.</blockquote> <div><br> </div> <div>Works for me.</div> <div><br> </div> <blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> <div class="im"> <blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Also, we need a proof of concept implementation of the identity provider interface with Drupal or WordPress to ensure that the API is a good fit for the applications most users will integrate with. And it should be a read/write implementation to show that this works fine as well.<br> </blockquote> <br> </div> I agree that we should provide Drupal and WordPress integrations. I disagree that we need a read/write implementation-- I can't think of any scenarios where I'd want to use the Gallery 3 interfaces to do user administration for WP/Drupal. Can you tell me what scenarios you had in mind?<br> </blockquote> <div><br> </div> <div>A read-only (=in G3-lingo) interface is fine IMO. With G2 we got away with a read-only integration as well. If you want updates (e.g. changed user attributes) from Gallery to the other application, you could write a Gallery module and hook into user update events.</div> <div><br> </div> <div>What I'm concerned about is that we have an interface that offers a mode (read-write) that isn't actually used by anything but G3 internals. To ensure that this mode actually makes sense, I'd like to see an external use for it.</div> <div>But maybe that's just it. 
Maybe it's not intended for external use, and we'll see if it makes any sense for external use in the rare event that someone ever tries to use read-write from another application.</div> <div><br> </div> <div>But as mentioned in my initial reply: Does that imply that we disable all identity-related write operations when the active identity provider is read-only? On the API-level and in the UI?</div> <div><br> </div> <div>Another API-related question:</div> <div><br> </div> <div>What about user:: vs. identity::?</div> <div>I see some redundancy, e.g. user::active() is a copy of identity::active_user().</div> <div>Other methods in IdentityProvider are mostly delegates to user_core. Why didn't we include active() in that list of delegates as well?</div> <div>Can we at least get rid of the code duplication?</div> <div>Should we have a code audit test to verify that user:: isn't called directly anywhere in module / theme code?</div> <div><br> </div> <div>Thanks,</div> <div> - Andy</div> <div><br> </div> <blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><font color="#888888"><br> -Bharat<br> </font></blockquote> </div> </blockquote> </body> </html>
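The thread mentions two guard tests that enforce the identity abstraction boundary: Tim's unit test that nothing outside the identity layer queries the user and group tables directly, and Andy's proposed code-audit test that user:: is never called directly from module or theme code. The following is an added example of such a source audit; it is not Gallery 3's own test code. It is written in Python rather than PHP so it runs stand-alone over a constructed set of PHP sources, and the allowed path prefixes, the table names (users, groups, groups_users) and the sample files are assumptions made for the example, not facts about the Gallery 3 tree.

```python
"""Source-audit check for an identity abstraction boundary (added example).

Scans PHP module/theme sources for two things the thread wants forbidden
outside the identity layer:
  1. direct calls into the user helper, e.g. user::active(), user::lookup(...)
  2. SQL (raw or query-builder) that names the identity tables directly
Only paths under ALLOWED_PATH_PREFIXES (an assumption here) may do either.
"""
import re
from typing import Dict, List, Tuple

# Assumption: only the default provider (the user module) and the identity
# helper itself may touch user:: or the identity tables.  Illustrative paths.
ALLOWED_PATH_PREFIXES = ("modules/user/", "modules/gallery/helpers/identity.php")

# user::something(  -- a direct call into the user helper
USER_HELPER_CALL = re.compile(r"\buser::\w+\s*\(")

# FROM/JOIN/INTO/UPDATE followed by an identity table, whether raw SQL
# ("SELECT ... FROM {users}") or query-builder form (->from("users")).
# Table names are assumed for the example.
IDENTITY_TABLE_SQL = re.compile(
    r"(?i)\b(?:from|join|into|update)\b\s*\(?\s*[\"'`{]?(users|groups|groups_users)\b"
)

Violation = Tuple[int, str, str]  # (line number, kind, offending line)


def _strip_comment_lines(source: str) -> List[str]:
    """Blank out comment-only lines so a comment mentioning user:: is not flagged."""
    out: List[str] = []
    in_block = False
    for line in source.splitlines():
        s = line.strip()
        if in_block:
            if "*/" in s:
                in_block = False
            out.append("")
        elif s.startswith("/*"):
            in_block = "*/" not in s
            out.append("")
        elif s.startswith(("//", "#", "*")):
            out.append("")
        else:
            out.append(line)
    return out


def audit_source(source: str) -> List[Violation]:
    """Return every line of one PHP file that bypasses the identity layer."""
    violations: List[Violation] = []
    for n, line in enumerate(_strip_comment_lines(source), start=1):
        if USER_HELPER_CALL.search(line):
            violations.append((n, "user_helper", line.strip()))
        if IDENTITY_TABLE_SQL.search(line):
            violations.append((n, "identity_table_sql", line.strip()))
    return violations


def audit_tree(files: Dict[str, str]) -> Dict[str, List[Violation]]:
    """Audit a {path: source} mapping, skipping the identity layer itself."""
    report: Dict[str, List[Violation]] = {}
    for path, source in sorted(files.items()):
        if path.startswith(ALLOWED_PATH_PREFIXES):
            continue
        found = audit_source(source)
        if found:
            report[path] = found
    return report


# Constructed sample tree for the example (not real Gallery 3 files).
SAMPLE_FILES = {
    # The default provider: allowed to hit the users table directly.
    "modules/user/helpers/user.php":
        '<?php\n'
        'class user_Core {\n'
        '  static function lookup_by_name($name) {\n'
        '    return db::build()->from("users")->where("name", "=", $name)->execute();\n'
        '  }\n'
        '}\n',
    # A module bypassing the identity abstraction with a direct user:: call.
    "modules/comment/helpers/comment.php":
        '<?php\n'
        '// user::active() in a comment must not count\n'
        '$author = user::active();\n'
        '$items = db::build()->from("items")->where("owner_id", "=", $author->id)->execute();\n',
    # Raw SQL against an identity table from outside the identity layer.
    "modules/notification/helpers/notification.php":
        '<?php\n'
        '$rows = db::query(Database::SELECT, "SELECT email FROM {users} WHERE id = $id");\n',
    # Correct: goes through the identity helper.
    "themes/wind/views/header.php":
        '<?php $name = identity::active_user()->name; ?>\n',
}

if __name__ == "__main__":
    for path, found in audit_tree(SAMPLE_FILES).items():
        for line_no, kind, text in found:
            print(f"{path}:{line_no}: {kind}: {text}")
```

In a real test suite this would walk the modules/ and themes/ directories and fail the build on a non-empty report; the allow-list is the part to keep deliberately short, since every path added to it is code that may read or write user and group rows without going through the identity provider.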