Re: [Zope-DB] Automatic capture of user ids for auditing

[Charlie Clark]

Am 07.11.2007, 21:11 Uhr, schrieb Ken Winter [EMAIL PROTECTED]:


Charlie, thanks for the encouraging response!


Encouraging? Not sure if that's quite the right word! ;-)

Just assuming you did have connections per user, how would you go about  
this?



What you suggest (below) is definitely the way I'd like to do this.
However, ZPsycopgDA and its communications with PostgreSQL are currently
black boxes for me, so I think I need some help taking the next steps.
A few hours of poking around have led me to the following fragmentary  
ideas.



* I have found what may be a likely candidate for the code that could be
customized: the method DB.query(self, query_string, max_rows=None,
query_data=None) defined (on my Windows system) in C:\Program Files\Plone
2\Data\Products\ZPsycopgDA\db.py.


Yep, that's the place.

* One idea is to parse the query_string in DB.query and, if it contains  
an

INSERT or UPDATE command, splice a clause to record the current user's id
into it (e.g. put last_updated_by = request.AUTHENTICATED_USER into the
SET clause of an UPDATE).  Doing it this way should require nothing  
special
on the PostgreSQL side, since the user identifier would come through as  
part

of the INSERT or UPDATE statement.


This is going to be your quickest way assuming you can write a good enough  
parser so you don't catch statements with INSERT or UPDATE as part of  
the parameters! Using the underlying .execute(SQLStatement, (paras,))  
method on the cursor might be preferable and would be available from our  
mxODBC Zope DA but this is unfortunately not compatible with ZSQL methods  
which predate the Python DB-API. You might, however, be able to use a  
stored procedure on the database to execute the query as rendered by the  
ZSQL method with the user passed as a parameter to the stored procedure.  
Again the mxODBC Zope DA would give you access to the .callproc(). No idea  
whether you could write such a stored procedure but I don't see why not.


* The idea of extending the DA pass the current ZOPE user seems  
cleaner.
However, I don't know how to get the DA to pass an additional parameter,  
and
I don't know how to get PostgreSQL to pick up the parameter so it can  
store

it as required.  In other words, I don't understand this API, and I don't
know where it is documented.


Zope doesn't support it and unfortunately relational databases aren't  
getting the attention they deserve in the Zope world at the moment.


Charlie

--
Charlie Clark
eGenix.com

Professional Python Services directly from the Source

Python/Zope Consulting and Support ...http://www.egenix.com/
mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/
mxODBC, mxDateTime, mxTextTools ...http://python.egenix.com/



 Try mxODBC.Zope.DA for Windows,Linux,Solaris,MacOSX for free ! 

eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
   Registered at Amtsgericht Duesseldorf: HRB 46611
___
Zope-DB mailing list
Zope-DB@zope.org
http://mail.zope.org/mailman/listinfo/zope-db

Re: [Zope-DB] Automatic capture of user ids for auditing

[Maciej Wisniowski]

* The idea of extending the DA pass the current ZOPE user seems 
cleaner.

For me, changing DA seems to add 'audit' fields seems nasty. What if you
will have one specific table that doesn't need audit fields (this may
happen when you're using authentication sources that rely on DB and in 
many other cases).


I think that much cleaner might be to create something like
AuditEnabledZSQLMethods that will render to sql that contains necessary
statements and use it instead of ZSQLMethods when necessary.

Above assumes that you'll create a Zope Product that (possibly) inherits
from ZSQLMethods. You may take a look at CCZSQLMethods as they are
example of extending ZSQLMethods.

--
Maciej Wisniowski
___
Zope-DB mailing list
Zope-DB@zope.org
http://mail.zope.org/mailman/listinfo/zope-db

Re: [Zope-DB] Automatic capture of user ids for auditing

[Charlie Clark]

Am 06.11.2007, 20:12 Uhr, schrieb Ken Winter [EMAIL PROTECTED]:

Hi Ken,

an interesting problem although probably not unique!


It seems like the components that might be able to pass this info to the
database are the ZSQL methods and/or the database adapter (PsycopgDA, in
this case).  So, questions:
1. Is there any way to get the info across with either of these  
components

as they currently exist?  If so, how?


Not currently as far as I know.

2. Would it be possible to modify or add on to either of the to do what  
is

needed?  If so, how?


Yes, you could quite easily extend the DA to pass the current Zope user  
and possibly extend any statements as required. Not sure if that is how  
you would want to do it that way. Have you an idea how you want to do this  
on the PostgreSQL side? Any chance of accepting an additional parameter?


3. Is having one Dhatabase user per Zope-level end user an alternative  
worth

considering?


I would think not as it is very much against the connection pool principle.


4. Any other ideas about how to solve this problem?


You might want to authenticate users for PostrgreSQL and Zope against the  
same system say using mod_auth? for apache and either XUF or PAS for Zope,  
as both allow you to hold your users outside of Zope. I'm not sure whether  
you wouldn't still be stuck with the problem of having the connection tied  
to a one user while wanting to log another.


Charlie
--
Charlie Clark
eGenix.com

Professional Python Services directly from the Source

Python/Zope Consulting and Support ...http://www.egenix.com/
mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/
mxODBC, mxDateTime, mxTextTools ...http://python.egenix.com/



 Try mxODBC.Zope.DA for Windows,Linux,Solaris,MacOSX for free ! 

eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
   Registered at Amtsgericht Duesseldorf: HRB 46611
___
Zope-DB mailing list
Zope-DB@zope.org
http://mail.zope.org/mailman/listinfo/zope-db