[Twisted-Python] Experiences with twisted.spread: representing an ACL

Cory Dodt corydodt at yahoo.com
Tue Jan 15 00:13:19 EST 2002


I am working on a networked backup server which is so new it doesn't even
have a project page up on SF yet, although it might by the end of the
week.  To build this I am using spread and passport instead of building my
own protocol.  I'm having trouble with some of the concepts in spread,
and at this point I'm still too naive to know whether I'm missing the
point of something or whether passport is actually missing something I
need.

I want to implement access control lists.  For each Identity, I want to
assign a simple list of strings which more or less represent the ability
to access a Perspective.  For example:

useracl=[ "store_files",
        "read_files",
        "encrypt",
        "create_lbu" ]

There is a StoreFilesService, a ReadFilesService, and a CreateLBUService,
and a Perspective for each.  The "encrypt" permission is a modifier to
Store and Read files, so I'm not sure how to implement that yet but I'll
cross that bridge when I come to it.

I have subclassed the Authorizer thus:

class Authorizer(passport.Authorizer):
    def addIdentity(self, identity):
        if self.identities.has_key(identity.name):
            raise passport.KeyError("Already have an identity by that name.")
        self.identities[identity.name] = identity
        if identity.permissions == None:
            raise MissingPermissionsException(identity)
        # create all perspectives the user should have
        for permission in identity.acl:
            svc=servicelist.services[permission](permission, tap.the_app)
            svc.createPerspective(identity.name).setIdentity(identity)
            identity.addKeyForPerspective(svc.getPerspectiveNamed(identity.name))

Does passport already have something like the ACL mechanism which allows
you to easily bind an ACL to a user?  Is my solution the most parsimonious
or do I really have to subclass the Authorizer to achieve this?  It seems
like I should be able to throw in a callback somewhere that creates the
eligible service/perspective pairs when a user is added to the system.

Second, if I modify a user's ACL, for example to grant a permission,
where's the callback to create a new s/p pair for that permission?  I have
a suspicion that this is already taken care of somewhere in passport and
I'm just missing the point.

That's all for now, thanks.  

C
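
One way to model the grant/revoke question raised above, as an added example that is not part of the original post and does not use the twisted.spread or passport API: each identity's ACL is reconciled against per-service perspectives, and unknown permission strings are rejected before any state changes. `Service`, `AclAuthorizer`, `UnknownPermission` and all method names are hypothetical.

```python
# Added illustration; every name below is hypothetical, not twisted.spread/passport API.
class UnknownPermission(Exception):
    pass


class Service:
    """Stand-in for a service that holds one perspective per identity."""

    def __init__(self, name):
        self.name = name
        self.perspectives = {}  # identity name -> perspective record

    def create_perspective(self, identity_name):
        record = {"service": self.name, "owner": identity_name}
        return self.perspectives.setdefault(identity_name, record)

    def remove_perspective(self, identity_name):
        self.perspectives.pop(identity_name, None)


class AclAuthorizer:
    def __init__(self, services):
        self.services = services  # permission string -> Service
        self.acls = {}            # identity name -> set of permission strings

    def set_acl(self, identity_name, permissions):
        wanted = set(permissions)
        unknown = wanted - set(self.services)
        if unknown:
            # Validate before mutating, so a bad ACL leaves no partial state.
            raise UnknownPermission(sorted(unknown))
        current = self.acls.get(identity_name, set())
        for perm in wanted - current:   # newly granted: create the perspective
            self.services[perm].create_perspective(identity_name)
        for perm in current - wanted:   # revoked: tear the perspective down
            self.services[perm].remove_perspective(identity_name)
        self.acls[identity_name] = wanted

    def grant(self, identity_name, permission):
        self.set_acl(identity_name, self.acls.get(identity_name, set()) | {permission})

    def revoke(self, identity_name, permission):
        self.set_acl(identity_name, self.acls.get(identity_name, set()) - {permission})

    def perspective_for(self, identity_name, permission):
        # Deny by default: no ACL entry means no perspective is handed out.
        if permission not in self.acls.get(identity_name, set()):
            return None
        return self.services[permission].perspectives.get(identity_name)
```

In this model the "encrypt" modifier from the post has no service of its own, so it is rejected as unknown until it is represented separately.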
