On Fri, Mar 15, 2013 at 8:42 AM, Vincent Massol <[email protected]> wrote:
> +1 for the idea in general. I'm sure there'll be details to iron out (as
> pointed out by Jerome and Ludovic). Maybe a first step (if you haven't
> already done so) would be to enable it on your machine (or somewhere else)
> and build the full codebase to see if all tests pass. I know quite a few
> functional that I know will fail and will need to be updated but they're
> easy to fix.
>

I will work on that now, since most seem now favorable to this move.

> As part of this move I'd like that the old auth code be moved to legacy
> modules too. But for that to happen we need that friendly xwiki-oriented
> interface. Without that we won't be able to update our code to use the new
> module.
>

We may move the old implementation right now (but not sure we need to be in a hurry for that). The new module exposes the bridge (that I would like to mark deprecated as soon as we have an xwiki-oriented interface), so only the API needs to be kept temporarily.

Regarding the xwiki-oriented interface, the main work is to define it, and I would like to have others participating in that spec. Writing it should be quite easy.

> Do you plan to move the security module to commons too?
>

It is not impossible in the mid-term. It depends on what we intend to achieve. What really links the module to XWiki is the structure of MainWiki-SubWiki-Space-Document. And I have used some specialized EntityReference (SecurityReference, UserSecurityReference and GroupSecurityReference) to support that easily. However, it should not be too complex to abstract these SecurityReference more. That said, supporting global users in local groups goes toward less abstraction, and implies that the module knows more about the first two levels (MainWiki-SubWiki) than it does currently.

>
> Thanks
> -Vincent
>
> On Mar 14, 2013, at 9:20 PM, Denis Gervalle <[email protected]> wrote:
>
> > Hi devs,
> >
> > We have a new (component based) authorization module since a while now, and
> > I think 5.0 is the perfect time to introduce it as the default right
> > service. First, I simply propose to change the default in xwiki.cfg:
> >
> > xwiki.authentication.rightsclass=org.xwiki.security.authorization.internal.XWikiCachingRightService
> >
> > (Later, I propose that we deprecate that bridge and that we create a
> > friendly (xwiki oriented) interface over the more generic
> > org.xwiki.security.authorization.AuthorizationManager. But leave this for a
> > later proposal.)
> >
> > So this vote is about changing the default in xwiki.cfg before 5.0M2.
> >
> > pros:
> > - improved performance, since the new service is using caching techniques
> >   and a single page load required lots of calls to it.
> > - ability for extension to add new rights
> > - define right declaratively
> > - separate method for checking and verifying right (throws opposed to
> >   boolean return)
> > - fix some long waiting bugs like XWIKI-5174, XWIKI-6987, as well as some
> >   unstated ones
> > - possibility to easily solve issues like XWIKI-4491
> > - no more admin right per default
> > - being in good position to improve it and release dependencies to oldcore
> >   for security matters.
> > - possibility for third party to adapt the right settler to their special
> >   needs (right decision is pluggable)
> > - a consistent right evaluation with very few exceptions that could be
> >   explained and documented
> >
> > cons:
> > - no more admin right per default, but since we have DW, the initial setup
> >   is no more a problem, and advanced users may use superadmin.
> > - groups are only checked from the user wiki, not from the accessed entity
> >   wiki.
> > - may exhibit some other minor differences compared to existing
> >   implementation (but mostly consistency fixes)
> > - test could be improved, critical parts (right, settler, data structure,
> >   cache) are covered at almost 100%, api at 60%, this is probably better than
> >   the old right service
> > - documentation should be improved, but this is not worse than the old one
> >   anyway
> >
> > Since I use the new module in all my production servers for several months
> > with success, and I really think that if we do not do it now we will never
> > go ahead, here is my big +1
> >
> > WDYT ?
> >
> > --
> > Denis Gervalle
> > SOFTEC sa - CEO
> > eGuilde sarl - CTO
> > _______________________________________________
> > devs mailing list
> > [email protected]
> > http://lists.xwiki.org/mailman/listinfo/devs
>

--
Denis Gervalle
SOFTEC sa - CEO
eGuilde sarl - CTO

