Hi!

On Feb 20, 2009, at 8:00 AM, Jim Starkey wrote:

  * Rights are generally granted to roles, not accounts (users)
  * Each account is assigned a set of roles.  Some are, by default,
    active and other are latent
  * A client can use the API to activate or deactivate roles
  * Access rights are determined by the active roles of a connection.

I believe we are pretty much in agreement but I would expand this a bit more for multi-tenancy issues (aka... resource control like set sizes of memory for tenancy of things like pools, disk, etc..). Multi- tenancy though frequently goes into issues around auditing for monetizing usage.

For Drizzle access control means a plugin though, I do not believe we want a security model which is not baked in with no encapsulation (which is what the MySQL code model is). I believe in hooks for Access, Authorization, and Authentication. I have seen arguments that the first two can be provided as one layer, but I believe it is best to keep them at a distance.

Now whether the infrastructure comes from LDAP or as a built in component? This is immaterial to me. I believe this should be a decision that the end user decides based on the needs of their enterprise.

Cheers,
        -Brian

--
_______________________________________________________
Brian "Krow" Aker, brian at tangent.org
Seattle, Washington
http://krow.net/                     <-- Me
http://tangent.org/                <-- Software
_______________________________________________________
You can't grep a dead tree.




_______________________________________________
Mailing list: https://launchpad.net/~drizzle-discuss
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~drizzle-discuss
More help   : https://help.launchpad.net/ListHelp

Reply via email to