Re: [ZODB-Dev] Changing the pickle protocol?
Hi.

Following up on my idea of using pickle protocol 2. I implemented this in a fully configurable fashion on a branch, mainly to ease benchmarking and testing of the different variants.

My conclusions (maybe for future reference):

- There's no significant win of just switching the pickle protocol
- The code to make the protocol configurable on all levels (storage, index, persistent cache, ...) is large and ugly, if there's an improvement in the new protocol, I'd change the default without a config option
- There's no significant reduction in size for typical content management like data
- Protocol 2 is only more efficient at dealing with boolean values, small tuples and longs - all infrequent in my type of data

Potential follow-up experiments:

- Use protocol 2 in combination with the extension registry, use codes in the "128 to 191 - Reserved for Zope" range for ZODB internal types (BTrees, PersistentMapping and PersistentList) [1]

Cheers,
Hanno

[1] http://www.python.org/dev/peps/pep-0307/

___
For more information about ZODB, see the ZODB Wiki: http://www.zope.org/Wikis/ZODB/
ZODB-Dev mailing list - ZODB-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zodb-dev

Re: [ZODB-Dev] ZEO and access permissions
On Sat, May 22, 2010 at 2:17 PM, Nitro wrote:
> ZEO already supports authenticated logins. Based on the login I'd like
> people to be able to access some objects and deny access to others.
>
> First I thought I'd do the access restrictions on the application level.

That's the only sane thing to do. You want to have higher level abstractions to manage security. Like giving permissions based on their class, based on their relationship to others. Usually you'll also want to go from just users to groups or maybe use external authentication services at some point.

The database level is the wrong abstraction level to do this. In SQL terms, you are trying to store a full fledged security policy on each database row. This is going to be prohibitively slow and unmanageable very soon.

I think you could extend database users and permissions, to manage access permissions on a full database / storage level. Potentially introduce read/write permissions on this level. But anything more fine-grained belongs to the application domain.

Hanno

Re: [ZODB-Dev] ZEO and access permissions
On 22.05.2010 at 14:17, Nitro wrote:
> Each object and each user would have
> something like a permission_id attribute.

Could also be a mapping oid -> permission id.

-Matthias

[ZODB-Dev] ZEO and access permissions
Hello,

ZEO already supports authenticated logins. Based on the login I'd like people to be able to access some objects and deny access to others.

First I thought I'd do the access restrictions on the application level. This doesn't seem to be too easy though, because a user might have access to an object, but accessing one of its sub-objects might be disallowed. Checking this everywhere seems hard, error-prone and potentially slow.

So I wondered whether it might be possible to integrate this directly into ZEO. E.g. by subclassing ZEOStorage and hooking methods like loadEx/loadBefore/deleteObject/store. Each object and each user would have something like a permission_id attribute. Then one could write something like

    from ZEO.StorageServer import ZEOStorage

    class AccessDeniedError(Exception):
        pass

    class AccessRestrictedZEOStorage(ZEOStorage):
        def loadEx(self, oid):
            obj = ZEOStorage.load(self, oid)
            # get user here somehow
            return self.checkAccess(obj, user, 'read')

        def checkAccess(self, obj, user, access):
            # this check can be more sophisticated, check for
            # read/write/delete rights etc
            if user.permission_id < obj.permission_id:
                raise AccessDeniedError()
            # hand the object back so loadEx returns it rather than None
            return obj

Is something like this viable? Does it make sense at all or is it still better to restrict access on the application level?

-Matthias
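
The storage-level check proposed in this thread, combined with the oid -> permission id mapping from the follow-up, as an added example that is not code from the original posts or from ZEO. `DictStorage`, `AccessRestrictedStorage`, `demo_storage`, the per-access levels and the sample oids are assumptions made for illustration; the block goes beyond the posted `permission_id` comparison by using separate read and write levels and by refusing unmapped oids.

```python
class AccessDeniedError(Exception):
    """Raised for every refusal, whatever the reason."""

class DictStorage:
    """Constructed in-memory stand-in for a storage: oid -> (data, serial)."""

    def __init__(self, records):
        self._records = dict(records)

    def loadEx(self, oid):
        return self._records[oid]

    def store(self, oid, data, serial):
        self._records[oid] = (data, serial)

class AccessRestrictedStorage:
    """Per-user wrapper that checks the oid before touching the storage."""

    def __init__(self, storage, user_levels, oid_permissions):
        self._storage = storage
        self._user_levels = user_levels          # access kind -> user's level
        self._oid_permissions = oid_permissions  # oid -> required permission id

    def checkAccess(self, oid, access):
        required = self._oid_permissions.get(oid)
        level = self._user_levels.get(access)
        # Default deny: an unmapped oid or a missing right gets the same refusal.
        if required is None or level is None or level < required:
            raise AccessDeniedError(access)

    def loadEx(self, oid):
        self.checkAccess(oid, 'read')
        return self._storage.loadEx(oid)

    def store(self, oid, data, serial):
        self.checkAccess(oid, 'write')
        self._storage.store(oid, data, serial)

# Constructed sample oids: a parent, a more restricted sub-object, an unmapped one.
OID_PARENT, OID_CHILD, OID_UNMAPPED = (b'\x00' * 7 + bytes([n]) for n in (1, 2, 3))

def demo_storage(user_levels):
    records = {oid: (b'pickle-bytes', b'serial-1')
               for oid in (OID_PARENT, OID_CHILD, OID_UNMAPPED)}
    return AccessRestrictedStorage(DictStorage(records), user_levels,
                                   {OID_PARENT: 1, OID_CHILD: 5})
```

An oid has to be added to the mapping before anything can be stored under it, because unmapped oids are refused.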