[Twisted-Python] Must avatarId always be a string?

Marco Giusti marco.giusti at gmail.com
Thu Jan 10 05:00:06 EST 2013


On Thu, Jan 10, 2013 at 12:27:04AM +0200, Adi Roiban wrote:
> On 9 January 2013 20:02, Glyph <glyph at twistedmatrix.com> wrote:
> > On Jan 9, 2013, at 9:26 AM, Peter Westlake <peter.westlake at pobox.com> wrote:
> >
> > I am not an expert in Twisted, but from my understanding, the "string"
> > requirement is there to provide a pluggable interface, so that you can
> > have generic credentials checkers working with generic realms.
> > Having simple "strings" could also help with AvatarId serialization,
> > in case you have the CredentialsChecker on one computer and then you
> > will pass them over a network/socket to a remote Realm.
> 
> [snip]
> 
> > I hope it's clear that just hard-coding your avatars and realms to work only
> > with each other is a sub-optimal solution :).
> 
> It is very clear :)
> 
> > The architecture of cred is supposed to be that you can plug realms and
> > checkers together so that a change to your authentication backend doesn't
> > completely change your application.  Of course, that architecture is flawed
> > in the sense that a string is a bit too narrow of a communication channel to
> > get information about the authenticated user from one to the other,
> > especially in cases where the application needs information from a directory
> > service to function.
> >
> > If you're interested in an improved, official way to deal with this
> > use-case, the best way to do that would be to get involved and actively try
> > to specify what you need.  I've got similar use-cases at work, as you can
> > see here:
> > <http://trac.calendarserver.org/browser/CalendarServer/trunk/twistedcaldav/directory/idirectory.py>
> > so I'd be happy to talk to you about some ideas.
> >
> > The best way to predict the future is to invent it. :)
> 
> My AvatarID Object is just for data.
> 
> Let me describe one of my usages/requirements:
> 
> I have a portal with credentialsChecker for both OS accounts and
> application specific accounts.
> One can have user "john" both as a local account and/or an application account.
> If my credentialsChecker returns only 'john', the Realm will not know
> from where to get user's home folder, so the returned AvatarID needs
> to signal the "source" of avatarID login so that it can use the same
> source for getting account configuration.

Can't you use the `Portal.login` interfaces parameter? I think you have two
different entry points for local and application accounts, so:

	# login as local account
	portal.login('john', None, ILocalHomeFolder)
	# login as application account
	portal.login('john', None, IApplicationLogic)


	class Realm:

		def requestAvatar(self, avatarId, mind, *interfaces):
			# the requested interface selects the account source,
			# so the avatarId itself can stay a plain string
			getAvatar = AFactory(interfaces)
			avatar = getAvatar(avatarId, mind)
			return avatar

> I know that a solution is to have unique ID across all system, but in
> my case, this is not possible, and I have a priority list.
> 
> I can encode the source in the avatar id like: john@os or
> john@application, but I don't see why this is better than ('john',
> 'os') / ('john', 'application')

Well, actually tuples are not modifiable, so they are strings; then
('john', 'os') is a unique identifier across the whole system with not much
more information than 'john@os'. The advantage of using plain strings is
that they don't break the interface.

> A formal description would be:
> 
> There are N authentication services and for each authentication
> service, there is an associated account configuration service.
> When an account is allowed by authentication service X, the server
> will retrieve account configuration from the configuration service X.
> 
> -----
> 
> Another use case:
> 
> I have user X with password Y. If user X is authenticated from local
> LAN it gets avatar Z, otherwise it gets avatar W.
> 
> Here a simple AvatarID is not enough, since I also need to pass the
> remote peer from the transport.
> 
> 
> I keep a reference to remote peer in the Avatar. Doing this I don't
> need to always pass the transport, and just use the avatar. I do this
> to keep track of "sessions" in logs.

Take a look at the mind parameter and at twisted.words.service for how you
can use it.

> In some cases the credentialsChecker can do authentication and
> authorization in the same step.
> In my usage, the credentialsChecker only does authentication, and then
> an initial authorization is done in the realm.

Just my 2c.
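The two suggestions above carried through in one runnable sketch, added here as an example (not code from the original mail or from Twisted itself): the avatarId stays a plain string, the account source is chosen by the interface passed to login, and the remote peer travels in the mind. Plain classes stand in for zope.interface Interfaces so it runs without Twisted installed; the interface names, the account tables and the peer addresses are assumed/constructed.

```python
# Added example, not from the original thread. Plain Python stand-ins for the
# cred pieces discussed: string avatarId, interface-driven dispatch, and a
# "mind" carrying the transport peer. All names and data are assumed.

class ILocalHomeFolder:      # stands in for a zope Interface (assumed name)
    pass

class IApplicationLogic:     # stands in for a zope Interface (assumed name)
    pass

# Constructed sample backends: the same login name exists in both sources.
LOCAL_ACCOUNTS = {"john": "/home/john"}
APP_ACCOUNTS = {"john": {"role": "editor"}}

class LocalAvatar:
    def __init__(self, avatarId, home, peer):
        self.avatarId, self.home, self.peer = avatarId, home, peer

class AppAvatar:
    def __init__(self, avatarId, config, peer):
        self.avatarId, self.config, self.peer = avatarId, config, peer

class Mind:
    """Whatever the client side hands to login(); here just the peer."""
    def __init__(self, peer):
        self.peer = peer

class Realm:
    """Picks the account source from the requested interface, so a plain
    string avatarId is enough and the checker stays generic."""
    def requestAvatar(self, avatarId, mind, *interfaces):
        # the mind carries the transport peer; the avatar keeps it so
        # later log lines can name the session without the transport
        peer = getattr(mind, "peer", None)
        for iface in interfaces:
            if iface is ILocalHomeFolder and avatarId in LOCAL_ACCOUNTS:
                avatar = LocalAvatar(avatarId, LOCAL_ACCOUNTS[avatarId], peer)
                return iface, avatar, lambda: None
            if iface is IApplicationLogic and avatarId in APP_ACCOUNTS:
                avatar = AppAvatar(avatarId, APP_ACCOUNTS[avatarId], peer)
                return iface, avatar, lambda: None
        # same convention as Twisted realms: nothing we can serve
        raise NotImplementedError("no avatar for %r / %r" % (avatarId, interfaces))

def login(realm, avatarId, mind, *interfaces):
    """Synchronous stand-in for Portal.login once the checker has already
    mapped the credentials to the string avatarId."""
    return realm.requestAvatar(avatarId, mind, *interfaces)
```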


