On Sun, Mar 21, 2010 at 04:48:35PM -0700, Brian Aker wrote:
> On Mar 21, 2010, at 4:38 PM, Eric Day wrote:
> >I don't think we need to enforce any format for the serialized user
> >identifiers, I think simply using the 'user' in the SecurityContext
> 
> User is far from being sufficient. You need to know the domain and
> possibly the provider as well.

If I'm using Drizzle for my personal blog, a simple user is
sufficient. If I am in a multi-tenant environment, my 'user'
identifiers in SecurityContext will be an account ID, usern...@domain,
or something to uniquely identify the tenant (whatever my provider
tells me to log in with), and in that case, I think that would be
sufficient as well. Perhaps 'user' is a poor name choice in the
SecurityContext since it could be any auth identifier. :)

I'm all for packing as much information as is needed into the object
owner field, I just don't think we need to enforce any format besides
an opaque string. The Auth* plugins should be free to use whatever
format they need depending on what the login verification source is.

> If "catalog" is scoped to domain, then the problem mostly goes away,
> but even then in any sort of Security related object you need to
> know this information.

I don't think we should enforce catalog context either; keep this an
opaque string and let the Auth plugins define the default catalog to use
depending on auth context. If a user is logged in and wants to switch
catalogs, the auth plugins will verify using the security context and
the desired catalog name.

For example, some multi-tenant providers may create one catalog per
account number (where an account can have multiple domains), whereas
others may do one catalog per domain. In either case, the auth plugins
could determine the default catalog to set based on the user given
(i.e., account auth token, u...@domain, ...).

-Eric
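As an added illustration of the opaque-identifier approach described in the message above (example code written for this page, not Drizzle's code and not from anyone on the thread): two hypothetical provider policies derive a default catalog from the SecurityContext 'user' string and decide whether a requested catalog switch is allowed for that tenant. All struct names, policy names and sample account data are assumptions.

```cpp
#include <map>
#include <set>
#include <string>

// Hypothetical: the 'user' field is an opaque string whose format is
// chosen by the auth plugin ("alice", "alice@example.com", "acct-42").
struct SecurityContext {
  std::string user;
};

// Hypothetical provider policy: one catalog per domain.
struct PerDomainPolicy {
  std::string defaultCatalog(const SecurityContext& ctx) const {
    std::string::size_type at = ctx.user.find('@');
    if (at == std::string::npos) return "default";  // single-user install
    return ctx.user.substr(at + 1);                  // catalog named after domain
  }
  // The tenant may only use the catalog derived from its own identifier.
  bool canSwitch(const SecurityContext& ctx, const std::string& catalog) const {
    return catalog == defaultCatalog(ctx);
  }
};

// Hypothetical provider policy: one account owns several catalogs
// (e.g. one per domain it controls); the 'user' is an account token.
struct PerAccountPolicy {
  // Constructed sample data: account token -> catalogs it owns.
  std::map<std::string, std::set<std::string>> owned{
      {"acct-42", {"acct42_example_com", "acct42_example_org"}},
      {"acct-7", {"acct7_main"}}};
  std::string defaultCatalog(const SecurityContext& ctx) const {
    auto it = owned.find(ctx.user);
    if (it == owned.end() || it->second.empty()) return "";  // unknown account
    return *it->second.begin();
  }
  bool canSwitch(const SecurityContext& ctx, const std::string& catalog) const {
    auto it = owned.find(ctx.user);
    return it != owned.end() && it->second.count(catalog) > 0;
  }
};

// Catalog switch: the policy, not the caller, decides; on denial the
// session keeps its current catalog.
template <class Policy>
bool switchCatalog(const Policy& p, const SecurityContext& ctx,
                   const std::string& wanted, std::string& current) {
  if (!p.canSwitch(ctx, wanted)) return false;
  current = wanted;
  return true;
}
```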

Mailing list: https://launchpad.net/~drizzle-discuss