[Twisted-Python] Fitting cred into my application

Itamar Turner-Trauring itamar at futurefoundries.com
Sat Sep 22 21:36:22 EDT 2012


On Sat, Sep 22, 2012 at 4:37 PM, Matthew Pounsett <matt at conundrum.com> wrote:

> Hi.  I've been trying to wrap my head around the cred implementation for a
> while now, but either I'm missing something, or there's some piece of
> documentation that could be better.  Probably at least a bit of both.
>
> My application is an XMLRPC server, and an authenticated client should
> have rights to run some RPC methods, but not others.  Some methods will
> give access to limited data based on authentication.
>
> The documentation for cred is clear in the case where the server has its
> own protocol implementation, but in the case of XMLRPC, where the protocol
> isn't subclassed, how to link it in is far less clear.  Also, since the
> design suggests that it's the RPC methods that need to talk to the avatar,
> not the protocol, how to implement cred seems even less obvious.
>
> Are there some other examples of cred implementations floating around that
> I can look at, where lack of authentication does not block all access to
> the protocol?  In particular an example combining XMLRPC and cred would
> make my day.  Does any documentation or example code along those lines
> exist that I just haven't found yet?
>

There are three parts to doing this:

   1. When setting up the portal, in addition to the credential checker
   that knows about regular users, also register a
   twisted.cred.checkers.AllowAnonymousAccess.
   2. When you have no credentials, the xml-rpc layer should login to the
   portal using a twisted.cred.credentials.Anonymous credential. When you do
   have credentials, pass them in as you normally would.
   3. Now as part of a login your realm gets either a username, or a
   twisted.cred.checkers.ANONYMOUS as the avatar id that is being requested.
   Based on what it gets your realm should return a different business logic
   implementation (aka "avatar"); the anonymous one can do less, say.

twisted.web.guard does #2; the way it is implemented, the business logic
object (avatar) that is returned is a web Resource, so the realm can return
a different Resource depending on whether there's HTTP credentials or not
(the latter case being avatar id of ANONYMOUS). It's possible you just want
to use guard, if you're relying on HTTP authentication - just return
different XMLRPC objects. Alternatively, the XMLRPC layer could log in to
the portal, in which case it would get back different business logic
objects with different capabilities.

An example of a full setup is twisted.protocols.ftp combined with
twisted.tap.ftp, the ftp plugin for twistd, but the details are a bit
spread out. You should be able to find all three of those parts though.

-- 
Itamar Turner-Trauring, Future Foundries LLC
http://futurefoundries.com/ — Twisted consulting, training and support.