Oh no, now I'm confusing myself and everyone else. :-) Your terminology was correct the first time. Let me try once more, and this time I'm going to pay close attention to what I type:
You write the pages for Authentication to cover auth_pam, and whatever other auth plugins you want, and I'll write the auth_schema page. I write the section on Authorization: simple_user_policy and regex_policy.

-Daniel

On 3 Oct 2011, at 10:43, Henrik Ingo wrote:

> :-)
>
> Confusion of terminology: To me Authentication = the thing that uses
> username+password and auth_pam and auth_ldap are part of that.
>
> Authorization = GRANT and REVOKE = authenticated user is allowed / not
> allowed to do X.
>
> But I'm happy to cover auth_pam and auth_ldap, if you cover the basic
> auth_schema use case.
>
> Yeah, I don't think a lot of people will use ldap (or even auth_pam,
> given the need to use plaintext passwords), but I selected it as
> "marketing feature" due to Oracle/MySQL recently announcing similar
> proprietary feature. I think it can get some publicity, and it's an
> "enterprise feature", even if most users wouldn't use it.
>
> henrik
>
> On Mon, Oct 3, 2011 at 7:05 PM, Daniel Nichter <dan...@percona.com> wrote:
>> The reverse: you write Authorization so you can cover whichever auth_*
>> plugins you want (auth_pam, etc.), and I'll write Authentication since I
>> have a little insight into that. Does that work?
>>
>> Also, I agree about auth_ldap: it's pretty complex and I don't think LDAP is
>> very common in the Unix world. Afaik, LDAP is what Windows uses (or did--I
>> don't keep up with Windows).
>>
>> On 3 Oct 2011, at 10:01, Henrik Ingo wrote:
>>
>>> I agree with scoping of Administration. So will you also cover auth_ldap?
>>>
>>> FYI: I've spent today trying to get
>>> libdrizzle-2.0/libdrizzle/mysql_password_hash (renamed to
>>> drizzle_password_hash) and plugin/auth_ldap/schema/gentestusers.sh
>>> (renamed to drizzle_create_ldap_user) included in make install, so
>>> that also end users could benefit from them. I think while LDAP is a
>>> bit complex (and people complain about SQL!!) one good thing with
>>> auth_ldap is the fact you can actually use hashed passwords, and I'd
>>> like to make it easy for users to actually do that.
>>>
>>> I'll have to look at authorization/policy plugins, I have absolutely
>>> zero insight into that so far.
>>>
>>> henrik
>>>
>>> On Mon, Oct 3, 2011 at 5:56 PM, Daniel Nichter <dan...@percona.com> wrote:
>>>> Henrik,
>>>> I was thinking that Administration entails Authentication and
>>>> Authorization.
>>>> The section on Authentication could cover (eventually) all of Drizzle's
>>>> auth plugins and other authentication-related information like how to make
>>>> the drizzle client work with those auth plugins by using --protocol
>>>> mysql-plugin-auth. And Authorization could talk about the various policy
>>>> plugins.
>>>> So maybe you could write Authorization for the auth plugins you want to
>>>> feature, and I can write Authentication?
>>>> As for auth_schema, I'm glad you like it. :-) I will have it ready to go
>>>> by the end of this week and then I'll propose it for merging. It's not
>>>> perfect yet, but I think it's useful enough.
>>>> -Daniel
>>>>
>>>> On 2 Oct 2011, at 14:39, Henrik Ingo wrote:
>>>>
>>>> I picked ldap_auth and pam_auth for our focus areas:
>>>> https://blueprints.launchpad.net/drizzle/+spec/docs71-focus-areas I
>>>> now realize auth_schema should be included too, unless of course we
>>>> think it is implied by Administration.
>>>>
>>>> Basically I want to make sure that docs/index.rst in those 3 plugins
>>>> is usable for the average user. It seems it is mostly a question of
>>>> supplying a good example section in addition to the file you've
>>>> generated. When you say you want to document administration, do you
>>>> want to claim all of auth_pam/docs/index.rst for yourself? Feel free
>>>> to do so. I assume auth_schema is part of administration.
>>>>
>>>> I started today trying to understand ldap_auth. (And it seems to be a
>>>> rule that no matter how innocent things I do I end up changing
>>>> Makefile.am. In this case plugin/ldap_auth/ has material that is only
>>>> there if you work from bzr repository, so to document how to create
>>>> LDAP users, I first have to move a utility from noinst_PROGRAMS to
>>>> bin_PROGRAMS...
>>>>
>>>> From what I've learned today, auth_pam is a good authentication
>>>> method, except for the drawback that you end up using plaintext
>>>> passwords. auth_ldap actually has an advantage it is designed to store
>>>> the MySQL hashed passwords in a custom LDAP field, however it is way
>>>> too complex for the average user to set up. (It mostly just makes sense
>>>> if you already use LDAP.)
>>>>
>>>> A conclusion of the above is that I really appreciate you creating
>>>> auth_schema, and hope it is included in the beta because it is the
>>>> only alternative that is both secure and user friendly and should be
>>>> the default and recommended auth plugin.
>>>>
>>>> henrik
>>>>
>>>> On Sun, Oct 2, 2011 at 7:34 PM, Daniel Nichter <dan...@percona.com> wrote:
>>>>
>>>> Hi Henrik,
>>>>
>>>> Correct: I did not update the docs. When I update the Administration docs
>>>> for 7.1, I will mention it. What docs are you updating where it's
>>>> relevant?
>>>>
>>>> -Daniel
>>>>
>>>> On 2 Oct 2011, at 03:15, Henrik Ingo wrote:
>>>>
>>>> Hi Daniel
>>>>
>>>> Related to your work in figuring out PAM authentication and knowing
>>>> that you worked a little on documentation, am I correct that you
>>>> didn't update any docs for this? I was thinking to select this as a
>>>> focus area where we should update the docs for 7.1 release. I'm
>>>> volunteering to do it, and the info in your blog post is already
>>>> sufficient, just wanted to check you are not sitting on some
>>>> documentation that I don't see yet in trunk?
>>>>
>>>> henrik
>>>>
>>>> On Fri, Sep 9, 2011 at 4:52 AM, Daniel Nichter <dan...@percona.com> wrote:
>>>>
>>>> This has been resolved:
>>>> http://hackdrizzle.com/authenticating-with-authentication-plugins/
>>>>
>>>> On 9 Aug 2011, at 18:12, Daniel Nichter wrote:
>>>>
>>>> I'd like to draw attention to
>>>> https://bugs.launchpad.net/drizzle/+bug/823637: "auth_pam and auth_http do
>>>> not work". I think the reason is that the authentication system does not
>>>> pass authentication plugins a plaintext password, only a MySQL-scrambled
>>>> hash of the original plaintext password. I've verified that this is
>>>> problem
>>>> with auth_http by manually inserting a plaintext password.
>>>>
>>>> If this is the root problem, then I don't see how the authentication system
>>>> will work because a MySQL password hash is only useful for MySQL, i.e. pam
>>>> and curl can't use it. Can the plaintext password still be accessed?
>>>>
>>>> -Daniel
>>>>
>>>> _______________________________________________
>>>> Mailing list: https://launchpad.net/~drizzle-discuss
>>>> Post to : drizzle-discuss@lists.launchpad.net
>>>> Unsubscribe : https://launchpad.net/~drizzle-discuss
>>>> More help : https://help.launchpad.net/ListHelp
>>>>
>>>> --
>>>> henrik.i...@avoinelama.fi
>>>> +358-40-8211286 skype: henrik.ingo irc: hingo
>>>> www.openlife.cc
>>>>
>>>> My LinkedIn profile: http://www.linkedin.com/profile/view?id=9522559
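
Added example, not part of the thread and not Drizzle code: a sketch of why a plugin that stores a MySQL password hash can verify the scrambled token mentioned in the 9 Aug message, while a plaintext-based backend such as PAM cannot. It assumes the "MySQL-scrambled hash" is the MySQL 4.1+ native-password challenge-response; all function names and sample values are constructed for illustration.

```python
import hashlib
import hmac

def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def stored_hash(password: str) -> bytes:
    """Value a hash-based store keeps: SHA1(SHA1(password))."""
    return sha1(sha1(password.encode()))

def client_token(password: str, scramble: bytes) -> bytes:
    """Value the client sends: SHA1(pw) XOR SHA1(scramble + SHA1(SHA1(pw)))."""
    stage1 = sha1(password.encode())
    return xor(stage1, sha1(scramble + sha1(stage1)))

def hash_backend_verify(token: bytes, scramble: bytes, stored: bytes) -> bool:
    """A backend holding the double hash recovers SHA1(pw) and re-hashes it."""
    candidate_stage1 = xor(token, sha1(scramble + stored))
    return hmac.compare_digest(sha1(candidate_stage1), stored)

def plaintext_backend_check(presented: bytes, real_password: str) -> bool:
    """Stand-in for a PAM or HTTP check that needs the password itself
    (hypothetical helper; real PAM is not called here)."""
    return hmac.compare_digest(presented, real_password.encode())

def demo() -> dict:
    password = "s3cret-example"        # constructed sample credential
    scramble = bytes(range(1, 21))     # constructed 20-byte server nonce
    stored = stored_hash(password)
    token = client_token(password, scramble)
    wrong = client_token("guess", scramble)
    return {
        "hash_backend_accepts_token": hash_backend_verify(token, scramble, stored),
        "hash_backend_rejects_wrong_pw": not hash_backend_verify(wrong, scramble, stored),
        # The token is not the password, so a plaintext backend rejects it.
        "plaintext_backend_accepts_token": plaintext_backend_check(token, password),
        "plaintext_backend_accepts_plaintext": plaintext_backend_check(password.encode(), password),
        # A fresh scramble yields a different token for the same password.
        "token_differs_per_scramble": token != client_token(password, bytes(range(2, 22))),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
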