When I did the initial design for the pluggable-authentication utility (PAU), I came up with a strategy for managing principal ids, in retrospect, is overly complicated. This suspicion is supported by the fact that I originally got the implementation of this wrong.

An authenticator plugin, among other things, manages principal ids. Principal ids need to be unique system wide. In a misguided attempt to make life easier for plugin authors, I decided that that the PAU should have a prefix that it adds to principal ids. This means that plugins that manage principal ids can't get at principal ids without accessing their PAU, which further means that a plugin can only be used with a single PAU.

I'd like to get rid of the PAU prefix and simply require that authenticator plugins provide system-wide unique ids. This can be done by providing suitable prefixes on each plugin.

I suggest that, for 3.4, we get rid of the PAU prefix option and provide a generation evolution script that, for PAUs with non-empty prefixes, just prepends their prefixes to their plugin prefixes and clears their prefixes. I'm sorely tempted to do this for 3.3.



Jim Fulton                      mailto:[EMAIL PROTECTED]                Python 
CTO                             (540) 361-1714                  
Zope Corporation        http://www.zope.com             http://www.zope.org

Zope3-dev mailing list
Unsub: http://mail.zope.org/mailman/options/zope3-dev/archive%40mail-archive.com

Reply via email to