Hi!
On Feb 20, 2009, at 8:00 AM, Jim Starkey wrote:
* Rights are generally granted to roles, not accounts (users)
* Each account is assigned a set of roles. Some are, by default,
active and other are latent
* A client can use the API to activate or deactivate roles
* Access rights are determined by the active roles of a connection.
I believe we are pretty much in agreement but I would expand this a
bit more for multi-tenancy issues (aka... resource control like set
sizes of memory for tenancy of things like pools, disk, etc..). Multi-
tenancy though frequently goes into issues around auditing for
monetizing usage.
For Drizzle access control means a plugin though, I do not believe we
want a security model which is not baked in with no encapsulation
(which is what the MySQL code model is). I believe in hooks for
Access, Authorization, and Authentication. I have seen arguments that
the first two can be provided as one layer, but I believe it is best
to keep them at a distance.
Now whether the infrastructure comes from LDAP or as a built in
component? This is immaterial to me. I believe this should be a
decision that the end user decides based on the needs of their
enterprise.
Cheers,
-Brian
--
_______________________________________________________
Brian "Krow" Aker, brian at tangent.org
Seattle, Washington
http://krow.net/ <-- Me
http://tangent.org/ <-- Software
_______________________________________________________
You can't grep a dead tree.
_______________________________________________
Mailing list: https://launchpad.net/~drizzle-discuss
Post to : [email protected]
Unsubscribe : https://launchpad.net/~drizzle-discuss
More help : https://help.launchpad.net/ListHelp