On Thu, 21 Oct 2010, JohnWShipman wrote:

> As I read the repoze.who and repoze.what documentation, there is a
> mountain of detail and how-to, but I just can't seem to get the big
> picture of how repoze.who, repoze.what, and Pylons interact. I plan
> an application that needs both authentication (through Kerberos) and
> authorization.
>
> Can someone please enlighten me about a few basic questions? If these
> answers are somewhere on the Web, I haven't been able to find them.

First, I went through and tried to understand everything and put together
this one-page doc for other devs in house to try to get their heads around
the bits of things: http://paste.mitechie.com/show/157/

> 1. What is the relationship between repoze.who and repoze.what? The
> documentation for each never mentions the other. If I'm doing both
> authentication and authorization, do I use both, or does .what include
> the functionality of .who? Do I want both in my WSGI pipeline or
> just .what?

You need to have both packages installed, but repoze.what will use
repoze.who underneath. You pass your repoze.who config options to
repoze.what and it makes sure they get tunnelled underneath. So, you'll
use repoze.what (since you're doing both auth and authz), but know that
you'll need to know settings/information for repoze.who since it's still
a part of the picture.

> 2. Can any WSGI layer present pages using the templates and forms in
> the application layer? If the authentication layer needs to present a
> login form, I would like it to have the same look and feel as the
> other pages my application will present. Or does it just notify the
> application to present the login form?

Yeah, basically repoze just does redirects. So, in my case I have the
login form served by my Pylons application. The only two URLs that repoze
handles itself are /login_handler and /logout_handler, if I recall
correctly.

> 3. What is the life cycle of a request through all the layers for
> these three scenarios? The docs tell me a lot about what each layer
> can do to the request and the response, but they're vague about what
> kinds of requests should get passed through and which ones should be
> modified by each layer.

I tried to do an ASCII chart to show the process of a request in that doc
page linked above. Does that help with what you're asking for? Or are you
looking for 'special' URLs like /login, /login_handler, etc.?

> 3a. A new user is challenged, enters correct values on the login
> form, and then requests a page that is restricted to authenticated
> users, and the application renders it.
>
> 3b. A user has already authenticated, and their browser has one of
> our cookies, and they request a restricted page, and the application
> renders it.
>
> 3c. A user fails login, and then requests an unrestricted page,
> which unauthenticated users are allowed to see, and the application
> renders it.
>
> 4. I like Blackboard's look and feel: all their pages look the same,
> and each one has either a 'Login' link or a 'Logout' link in the top
> right corner, depending on whether you are logged in at the time. How
> does the template know which link to present?

Since the repoze middleware does its work before you get to your Pylons
app, you just check in the global setup code if the user is logged in or
not. You can check this by looking for the user. In my case I have an auth
wrapper. In my /lib/base.py I have this:

    # lib/base.py (excerpt)
    from pylons import request, tmpl_context as c
    # `auth` is my wrapper module and `User` is the app's user model;
    # import them from wherever they live in your project

    # make available any detailed login information we want on all requests
    # if there's no user set, just set up a blank instance
    c.current_user = auth.get_user(User())

The get_user method just does:

    def get_user(default):
        # repoze.who leaves the identity dict in the WSGI environ
        # before the app runs; no dict means nobody is logged in
        if 'repoze.who.identity' in request.environ:
            return request.environ['repoze.who.identity']['user']
        else:
            return default

Where default is that empty user I passed into there.

> If there isn't currently anything online that discusses these
> big-picture details, I'd be happy to write one, once I understand it
> well enough. Is there a Repoze book in process? There is a book about
> something called Repoze.bfg, of which I'd never heard until I searched
> Amazon books for "repoze" three minutes ago. Is anyone using that?
> Does it play nicely with Pylons?

Heh, check out the mailing list thread on the Pylons 2.0 work. :) I've
not looked at the framework/book personally yet, though it is on my
Amazon wishlist.

Hope this helps some. I'm not a master, but did get it working, so hope
that counts.

Rick

--
You received this message because you are subscribed to the Google Groups
"pylons-discuss" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at
http://groups.google.com/group/pylons-discuss?hl=en.
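An added example (written for this page; not code from Rick's reply, from Pylons, or from repoze.who/what) that wires the hand-off the reply describes into one runnable WSGI pipeline: a stand-in for repoze.who runs before the application and stores the identity in environ['repoze.who.identity']; the application reads it through a get_user() with a blank User as the default, the same lookup as the base.py snippet above, and decides the Login/Logout link from it; and a 401 from a restricted page is turned into a redirect to the application-served login form, which is the shape of repoze.who's challenge step. Everything concrete is constructed for the example: the auth_tkt cookie name, the ticket table, the /reports and /login paths, and the 'user' key in the identity dict. Real repoze.who verifies a signed auth_tkt cookie instead of a dict lookup, stores 'repoze.who.userid' in the identity, and leaves keys like 'user' to a metadata provider you configure.

```python
"""Added example: a minimal repoze.who-style pipeline in front of a WSGI app.

Nothing here imports repoze.who, repoze.what or Pylons; it only mimics the
environ hand-off the mailing-list reply describes, so it runs offline.
"""
from wsgiref.util import setup_testing_defaults


class User:
    """A blank User() is the anonymous default, as in the thread's base.py."""

    def __init__(self, name=None):
        self.name = name

    @property
    def is_authenticated(self):
        return self.name is not None


def get_user(environ, default):
    """Same lookup as the thread's auth.get_user(), with environ passed in
    instead of read from the Pylons request global.  'user' is an assumed
    key: real repoze.who stores 'repoze.who.userid' and leaves extra keys
    to your metadata provider."""
    identity = environ.get('repoze.who.identity')
    if identity and 'user' in identity:
        return identity['user']
    return default


def nav_link(user):
    """Question 4: the template shows Logout for a known user, else Login."""
    return 'Logout' if user.is_authenticated else 'Login'


# Constructed sample data.  A real auth_tkt plugin verifies a signed,
# expiring ticket; here a table lookup stands in for that check.
TICKETS = {'ticket-for-alice': User('alice')}
RESTRICTED = {'/reports'}
LOGIN_FORM = '/login'  # served by the application, not the middleware


def fake_who_middleware(app):
    """Identify from the cookie before the app runs; challenge on a 401."""

    def wrapped(environ, start_response):
        for part in environ.get('HTTP_COOKIE', '').split(';'):
            name, _, value = part.strip().partition('=')
            if name == 'auth_tkt' and value in TICKETS:
                environ['repoze.who.identity'] = {'user': TICKETS[value]}
                break
        # A bad or missing ticket leaves no identity behind: scenario 3c.

        captured = {}

        def capture(status, headers, exc_info=None):
            captured['status'], captured['headers'] = status, headers

        body = app(environ, capture)
        if captured['status'].startswith('401'):
            # The challenge is just a redirect to the app's own login form.
            start_response('302 Found', [('Location', LOGIN_FORM)])
            return [b'']
        start_response(captured['status'], captured['headers'])
        return body

    return wrapped


def app(environ, start_response):
    """The application side: base-controller lookup plus one page."""
    user = get_user(environ, User())  # c.current_user in the thread
    path = environ.get('PATH_INFO', '/')
    if path in RESTRICTED and not user.is_authenticated:
        start_response('401 Unauthorized', [('Content-Type', 'text/plain')])
        return [b'']
    who = user.name if user.is_authenticated else 'anonymous'
    page = f'{path} for {who} [{nav_link(user)}]'
    start_response('200 OK', [('Content-Type', 'text/plain')])
    return [page.encode()]


pipeline = fake_who_middleware(app)


def request(path, cookie=''):
    """Push one request through the pipeline; returns (status, location, body)."""
    environ = {'PATH_INFO': path}
    if cookie:
        environ['HTTP_COOKIE'] = cookie
    setup_testing_defaults(environ)
    result = {}

    def start_response(status, headers, exc_info=None):
        result['status'] = status
        result['location'] = dict(headers).get('Location')

    body = b''.join(pipeline(environ, start_response)).decode()
    return result['status'], result['location'], body
```

Calling request('/reports') with no cookie gives the 302 to /login from scenario 3a's challenge; request('/reports', 'auth_tkt=ticket-for-alice') is scenario 3b and renders the page with a Logout link; request('/', 'auth_tkt=bogus') is scenario 3c, where the bad ticket simply leaves no identity and the public page renders with a Login link. The point to take from the middleware: the application never parses the cookie itself, it only trusts what the layer in front of it put into environ, so that layer must be the only one that can write 'repoze.who.identity' (which is the case in a real pipeline, since nothing upstream of the client-facing server sets it).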
