On 25.01.2006 at 00:11, Jesse Kempf wrote:
I've been talking with cmlenz a bit about redoing Trac's permission
system after I decided that the scope of my next project would be too
grand to leave as a TracHack.
Trac is catching on enough in hierarchically-organized environments
(read: Enterprises) that an increasing number of discussions are
occurring about the ability to restrict access to tickets and wiki
pages, and so forth. Trac doesn't provide anything more than a minimal
authorization model that gives all-or-nothing authorization.
I propose to work on the next-generation permissions and authorization
system for trac that will sit between the B1 and B2 levels set forth by
the DOD Orange Book. This will encompass all levels of Trac. Some
features I'm looking to implement are:
Mandatory Access Control (per-entity ACLs, enforced at the data access layer)
Role-Based Access Control (RBAC)
Label-Based access control (LBAC) (confidential, critical, secret, top secret, etc)
SecureComponents (trac.core.Components that can not be trivially subverted by Python's lack of serious access control)
SecurityAdministrator role
Event auditing and notification
In general I think you need to provide more info here. I'm pretty
sure we don't want a huge complicated access control system that has
all kinds of different options for limiting access.
A combination of RBAC and LBAC actually sounds pretty nice. I'm not
sure about the others...
It's essential to keep in mind that Trac is lightweight, and by all
means intended to remain lightweight. While in the long-term we'll
need some way to allow people to have some wiki pages / tickets only
readable/modifiable/etc by some groups of people, an acceptable
solution needs to be reasonably flexible but simple. Per-entity ACLs
are something that I personally think is overkill, for example.
Consider this a request for more detail. And some pseudo-code
snippets showing *how* you actually intend to implement this would
also be nice.
Thanks,
Chris
--
Christopher Lenz
cmlenz at gmx.de
http://www.cmlenz.net/
_______________________________________________
Trac-dev mailing list
[email protected]
http://lists.edgewall.com/mailman/listinfo/trac-dev
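The reply asks for pseudo-code showing how RBAC and LBAC would combine. The sketch below is an added illustration of that combination, not code from the thread, from Jesse Kempf, or from Trac itself. It assumes a role-to-action table using Trac's permission-name convention (WIKI_VIEW, TICKET_MODIFY, and so on), a constructed ordering of the labels the proposal lists (the thread names them but not their order), and an in-memory audit list standing in for the proposed event auditing. A request is allowed only when a role grants the action and the user's clearance dominates the resource's label; anything unknown is denied, so the check fails closed. The `visible` helper shows the same rule applied as a filter at the data-access layer rather than per page view.

```python
from dataclasses import dataclass, field

# Constructed clearance ordering (assumption: the thread lists the labels
# but does not say how they rank). Higher number dominates lower.
LEVELS = {"public": 0, "confidential": 1, "critical": 2, "secret": 3, "top secret": 4}

# Constructed role table. Action names follow Trac's convention; the
# role-to-action assignments here are illustrative, not Trac's defaults.
ROLE_ACTIONS = {
    "anonymous": {"WIKI_VIEW", "TICKET_VIEW"},
    "developer": {"WIKI_VIEW", "WIKI_MODIFY", "TICKET_VIEW", "TICKET_MODIFY"},
    "admin": {"WIKI_VIEW", "WIKI_MODIFY", "WIKI_DELETE",
              "TICKET_VIEW", "TICKET_MODIFY", "TICKET_ADMIN"},
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset          # role names granted to this user
    clearance: str = "public"  # label the user is cleared up to


@dataclass(frozen=True)
class Resource:
    kind: str                 # "ticket" or "wiki"
    ident: str                # ticket number or page name
    label: str = "public"     # sensitivity label of the entity


@dataclass
class PermissionSystem:
    # Every decision is appended here; a real system would persist it.
    audit: list = field(default_factory=list)

    def _role_permits(self, user, action):
        # RBAC: any of the user's roles may grant the action.
        return any(action in ROLE_ACTIONS.get(role, set()) for role in user.roles)

    def _label_permits(self, user, resource):
        # LBAC: the user's clearance must dominate the resource label.
        # Unknown labels on either side deny rather than default to public.
        if user.clearance not in LEVELS or resource.label not in LEVELS:
            return False
        return LEVELS[user.clearance] >= LEVELS[resource.label]

    def check(self, user, action, resource):
        """Return True only if both the role check and the label check pass."""
        if not self._role_permits(user, action):
            reason = "role"
        elif not self._label_permits(user, resource):
            reason = "label"
        else:
            reason = "ok"
        allowed = reason == "ok"
        self.audit.append({
            "user": user.name, "action": action,
            "resource": f"{resource.kind}:{resource.ident}",
            "allowed": allowed, "reason": reason,
        })
        return allowed

    def visible(self, user, action, resources):
        """Data-access-layer filter: keep only the entities the user may act on."""
        return [r for r in resources if self.check(user, action, r)]


def demo():
    """Constructed sample users and entities exercising both checks."""
    ps = PermissionSystem()
    alice = User("alice", frozenset({"developer"}), "secret")
    bob = User("bob", frozenset({"anonymous"}), "public")
    t42 = Resource("ticket", "42", "confidential")
    t43 = Resource("ticket", "43", "public")
    results = {
        "alice_modify_42": ps.check(alice, "TICKET_MODIFY", t42),  # both pass
        "bob_view_42": ps.check(bob, "TICKET_VIEW", t42),          # label denies
        "bob_view_43": ps.check(bob, "TICKET_VIEW", t43),          # public, allowed
        "alice_admin_42": ps.check(alice, "TICKET_ADMIN", t42),    # role denies
        "bob_sees": [r.ident for r in ps.visible(bob, "TICKET_VIEW", [t42, t43])],
    }
    return ps, results


if __name__ == "__main__":
    ps, results = demo()
    for k, v in results.items():
        print(k, v)
    for entry in ps.audit:
        print(entry)
```

The order of the two checks is deliberate: evaluating the cheap role lookup first and recording which check denied gives the audit trail the reply's "event auditing" item implies, without revealing to the caller anything beyond a boolean.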