<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    
    <title>Permissions Framework - Introduction &mdash; AppTools v3.3.0 documentation</title>
    <link rel="stylesheet" href="../_static/default.css" type="text/css" />
    <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
    <script type="text/javascript">
      var DOCUMENTATION_OPTIONS = {
        URL_ROOT:    '../',
        VERSION:     '3.3.0',
        COLLAPSE_MODINDEX: false,
        FILE_SUFFIX: '.html',
        HAS_SOURCE:  true
      };
    </script>
    <script type="text/javascript" src="../_static/jquery.js"></script>
    <script type="text/javascript" src="../_static/doctools.js"></script>
    <link rel="top" title="AppTools v3.3.0 documentation" href="../index.html" />
    <link rel="next" title="Application API" href="ApplicationAPI.html" />
    <link rel="prev" title="Application Scripting Framework" href="../appscripting/Introduction.html" /> 
  </head>
  <body>

    <div class="document">
      <div class="documentwrapper">
        <div class="bodywrapper">
          <div class="body">
            
  <div class="section" id="permissions-framework-introduction">
<h1>Permissions Framework - Introduction<a class="headerlink" href="#permissions-framework-introduction" title="Permalink to this headline">¶</a></h1>
<p>The Permissions Framework is a component of the Enthought Tool Suite that
provides developers with the facility to limit access to parts of an
application unless the user is appropriately authorised.  In other words it
enables and disables different parts of the GUI according to the identity of
the user.</p>
<p>The framework includes an API to allow it to be integrated with an
organisation&#8217;s existing security infrastructure, for example to look users up
in a corporate LDAP directory.</p>
<p>The framework is completely configurable.  Alternate implementations of all
major components can be provided if necessary.  The default implementations
provide a simple local filesystem user database and allow roles to be defined
and assigned to users.</p>
<p>The framework <strong>does not</strong> provide any facility for protecting access to data.
It is not possible to implement such protection in Python using only the file
security provided by a typical operating system.</p>
<div class="section" id="framework-concepts">
<h2>Framework Concepts<a class="headerlink" href="#framework-concepts" title="Permalink to this headline">¶</a></h2>
<p>The following are the concepts supported by the framework.</p>
<ul>
<li><p class="first">Permission</p>
<p>A permission is the basic tool that a developer uses to specify that access
to a part of the application should be restricted.  If the current user has
the permission then access is granted.  A permission may be attached to a
PyFace action, to an item of a TraitsUI view, or to a GUI toolkit specific
widget.  When the user is denied access, the corresponding GUI control is
disabled or completely hidden.</p>
</li>
<li><p class="first">User</p>
<p>Each application has a current user who is either <em>authorised</em> or
<em>unauthorised</em>.  In order to become authorised a user must identify
themselves and authenticate that identity.</p>
<p>An arbitrary piece of data (called a blob) can be associated with an
authorised user which (with user manager support) can be stored securely.
This might be used, for example, to store sensitive user preferences, or to
implement a roaming profile.</p>
</li>
<li><p class="first">User Manager</p>
<p>The user manager is responsible for authorising the current user and,
therefore, defines how that is done.  It also provides information about the
user population to the policy manager.  It may also, optionally, provide the
ability to manage the user population (eg. add or delete users).  The user
manager must either maintain a persistent record of the user population, or
interface with an external user database or directory service.</p>
<p>The default user manager uses password based authorisation.</p>
<p>The user manager persists its data in a user database.  The default user
manager provides an API so that different implementations of the user
database can be used (for example to store the data in an RDBMS, or to
integrate with an existing directory service).  A default user database is
provided that pickles the data in a local file.</p>
</li>
<li><p class="first">Policy Manager</p>
<p>The policy manager is responsible for assigning permissions to users and for
determining the permissions assigned to the current user.  To do this it must
maintain a persistent record of those assignments.</p>
<p>The default policy manager supplied with the framework uses roles to make it
easier for an administrator to manage the relationships between permissions
and users.  A role is defined as a named set of permissions, and a user may
have one or more roles assigned to them.</p>
<p>The policy manager persists its data in a policy database.  The default
policy manager provides an API so that different implementations of the
policy database can be used (for example to store the data in an RDBMS).  A
default policy database is provided that pickles the data in a local file.</p>
</li>
<li><p class="first">Permissions Manager</p>
<p>The permissions manager is a singleton object used to get and set the current
policy and user managers.</p>
</li>
</ul>
</div>
<div class="section" id="framework-apis">
<h2>Framework APIs<a class="headerlink" href="#framework-apis" title="Permalink to this headline">¶</a></h2>
<p>The APIs provided by the permissions framework can be split into the following
groups.</p>
<ul>
<li><p class="first"><a class="reference external" href="ApplicationAPI.html">Application API</a></p>
<p>This part of the API is used by application developers.</p>
</li>
<li><p class="first"><a class="reference external" href="https://svn.enthought.com/enthought/browser/AppTools/trunk/enthought/permissions/i_policy_manager.py">Policy Manager API</a></p>
<p>This is the interface that an alternative policy manager must implement.  The
need to implement an alternative is expected to be very rare and so the API
isn&#8217;t covered further.  See the definition of the IPolicyManager interface
for the details.</p>
</li>
<li><p class="first"><a class="reference external" href="DefaultPolicyManagerDataAPI.html">Default Policy Manager Data API</a></p>
<p>This part of the API is used by developers to store the policy&#8217;s persistent
data in a more secure location (eg. on a remote server) than that provided by
the default implementation.</p>
</li>
<li><p class="first"><a class="reference external" href="https://svn.enthought.com/enthought/browser/AppTools/trunk/enthought/permissions/i_user_manager.py">User Manager API</a></p>
<p>This is the interface that an alternative user manager must implement.  The
need to implement an alternative is expected to be very rare and so the API
isn&#8217;t covered further.  See the definition of the IUserManager interface for
the details.</p>
</li>
<li><p class="first"><a class="reference external" href="DefaultUserManagerDataAPI.html">Default User Manager Data API</a></p>
<p>This part of the API is used by developers to store the user database in a
more secure location (eg. on a remote server) than that provided by the
default implementation.</p>
</li>
</ul>
<p>The complete <a class="reference external" href="api/index.html">API</a> documentation is available as endo-generated HTML.</p>
</div>
<div class="section" id="what-do-i-need-to-reimplement">
<h2>What Do I Need to Reimplement?<a class="headerlink" href="#what-do-i-need-to-reimplement" title="Permalink to this headline">¶</a></h2>
<p>The architecture of the permissions framework comprises several layers, each
of which can be reimplemented to meet the requirements of a particular
environment.  The following questions and answers clarify what needs to be
reimplemented depending on your environment.</p>
<p>Q: Do you want to use roles to group permissions and assign them to users?</p>
<p>A: If yes then use the supplied PolicyManager, otherwise provide your own
IPolicyManager implementation.</p>
<p>Q: Do you want users to be authenticated using a password?</p>
<p>A: If yes then use the supplied UserManager, otherwise provide your own
IUserManager implementation.</p>
<p>Q: Does the IUser interface allow you to store all the user specific
information you need?</p>
<p>A: If yes then use the supplied UserDatabase, otherwise provide your own
IUserDatabase implementation.</p>
<p>Q: Do you want to store your user accounts as pickled data in a local file?</p>
<p>A: If yes then use the supplied default, otherwise provide UserDatabase with
your own IUserStorage implementation.</p>
<p>Q: Do you want to store your policy data (ie. roles and role assignments) as
pickled data in a local file?</p>
<p>A: If yes then use the supplied default, otherwise provide PolicyManager with
your own IPolicyStorage implementation.</p>
</div>
<div class="section" id="deploying-alternative-managers">
<h2>Deploying Alternative Managers<a class="headerlink" href="#deploying-alternative-managers" title="Permalink to this headline">¶</a></h2>
<p>The permissions framework will first try to import the different managers from
the <tt class="docutils literal"><span class="pre">enthought.permissions.external</span></tt> namespace.  The default managers are
only used if no alternative was found.  Therefore, alternative managers should
be deployed as an egg containing that namespace.</p>
<p>Specifically the framework looks for the following classes:</p>
<blockquote>
<p><tt class="docutils literal"><span class="pre">PolicyManager</span></tt> from <tt class="docutils literal"><span class="pre">enthought.permissions.external.policy_manager</span></tt></p>
<p><tt class="docutils literal"><span class="pre">PolicyStorage</span></tt> from <tt class="docutils literal"><span class="pre">enthought.permissions.external.policy_storage</span></tt></p>
<p><tt class="docutils literal"><span class="pre">UserDatabase</span></tt> from <tt class="docutils literal"><span class="pre">enthought.permissions.external.user_database</span></tt></p>
<p><tt class="docutils literal"><span class="pre">UserManager</span></tt> from <tt class="docutils literal"><span class="pre">enthought.permissions.external.user_manager</span></tt></p>
<p><tt class="docutils literal"><span class="pre">UserStorage</span></tt> from <tt class="docutils literal"><span class="pre">enthought.permissions.external.user_storage</span></tt></p>
</blockquote>
<p>The example server is such a package that provides PolicyStorage and
UserStorage implementations that use an XML-RPC based server to provide remote
(and consequently more secure) policy and user databases.</p>
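<p>Because whatever provides the <tt class="docutils literal"><span class="pre">enthought.permissions.external</span></tt> namespace replaces the default managers, it is worth checking which files would be picked up in a given deployment. The following is an added example, not part of the framework: it locates each of the five modules listed above without importing it (parent packages are imported) and flags any found outside a set of trusted install prefixes. The function names and the constructed package tree are assumptions made for illustration.</p>

```python
import importlib
import importlib.util
import os

EXTERNAL_NS = "enthought.permissions.external"
# Class -> module pairs, as listed on this page.
HOOKS = {
    "PolicyManager": "policy_manager",
    "PolicyStorage": "policy_storage",
    "UserDatabase": "user_database",
    "UserManager": "user_manager",
    "UserStorage": "user_storage",
}

def find_overrides():
    """Map each hook class to the file of the module that would override
    it, or None when no module is found and the default would be used."""
    importlib.invalidate_caches()
    found = {}
    for cls_name, mod_name in HOOKS.items():
        try:
            # find_spec imports parent packages but not the module itself.
            spec = importlib.util.find_spec(EXTERNAL_NS + "." + mod_name)
        except (ImportError, ValueError):
            spec = None   # the namespace itself is not installed
        found[cls_name] = spec.origin if spec else None
    return found

def unexpected_overrides(trusted_prefixes):
    """Return overrides whose file lies outside the trusted prefixes."""
    trusted = tuple(os.path.realpath(p) + os.sep for p in trusted_prefixes)
    return {cls: path for cls, path in find_overrides().items()
            if path and not os.path.realpath(path).startswith(trusted)}

def make_constructed_package(root):
    """Constructed sample: a package tree supplying only user_storage."""
    pkg = os.path.join(root, *EXTERNAL_NS.split("."))
    os.makedirs(pkg)
    for d in (os.path.join(root, "enthought"),
              os.path.join(root, "enthought", "permissions"), pkg):
        open(os.path.join(d, "__init__.py"), "w").close()
    target = os.path.join(pkg, "user_storage.py")
    with open(target, "w") as handle:
        handle.write("class UserStorage(object):\n    pass\n")
    return target

if __name__ == "__main__":
    for cls, path in sorted(find_overrides().items()):
        print("%-14s %s" % (cls, path or "default (no override found)"))
```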
</div>
<div class="section" id="using-the-default-storage-implementations">
<h2>Using the Default Storage Implementations<a class="headerlink" href="#using-the-default-storage-implementations" title="Permalink to this headline">¶</a></h2>
<p>The default policy and user managers both (again by default) persist their data
as pickles in local files called <tt class="docutils literal"><span class="pre">ets_perms_policydb</span></tt> and
<tt class="docutils literal"><span class="pre">ets_perms_userdb</span></tt> respectively.  By default these are stored in the
application&#8217;s home directory (ie. that returned by
<tt class="docutils literal"><span class="pre">ETSConfig.application_home</span></tt>).</p>
<p>Note that this directory is normally in the user&#8217;s own directory structure
whereas it needs to be available to all users of the application.</p>
<p>If the <tt class="docutils literal"><span class="pre">ETS_PERMS_DATA_DIR</span></tt> environment variable is set then its value is
used instead.</p>
<p>The directory must be writeable by all users of the application.</p>
<p>It should be restated that the default implementations do <em>not</em> provide secure
access to the permissions and user data.  They are useful in a cooperative
environment and as working examples.</p>
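<p>Since the data directory must be writeable by all users, any user of the application can replace the two database files. The following is an added example, not part of the framework: it resolves the directory as described above, records its mode bits and a SHA-256 digest of each file, and compares two snapshots to detect changes. The application home is passed in by the caller, and the function names are assumptions made for illustration.</p>

```python
import hashlib
import os
import stat

# File names and the environment variable are the ones named on this page.
DB_FILES = ("ets_perms_policydb", "ets_perms_userdb")
ENV_VAR = "ETS_PERMS_DATA_DIR"

def resolve_data_dir(application_home, environ=None):
    """Directory the default storage would use: the environment variable
    when set, otherwise the application home passed in by the caller.
    Assumption: an empty value is treated as unset."""
    environ = os.environ if environ is None else environ
    return environ.get(ENV_VAR) or application_home

def snapshot(data_dir):
    """Record directory mode bits and a SHA-256 of each database file.
    The files are only read as bytes and never unpickled."""
    mode = os.stat(data_dir).st_mode
    report = {"dir": data_dir,
              "world_writable": bool(mode & stat.S_IWOTH),
              "sticky": bool(mode & stat.S_ISVTX),
              "files": {}}
    for name in DB_FILES:
        path = os.path.join(data_dir, name)
        if not os.path.isfile(path):
            report["files"][name] = None      # not created yet
            continue
        info = os.stat(path)
        with open(path, "rb") as handle:
            digest = hashlib.sha256(handle.read()).hexdigest()
        report["files"][name] = {"uid": info.st_uid,
                                 "mode": oct(stat.S_IMODE(info.st_mode)),
                                 "sha256": digest}
    return report

def changed_files(baseline, current):
    """Names whose presence, owner, mode or digest differs between snapshots."""
    return sorted(name for name in DB_FILES
                  if baseline["files"][name] != current["files"][name])

if __name__ == "__main__":
    # Assumption: the current directory stands in for ETSConfig.application_home.
    print(snapshot(resolve_data_dir(os.getcwd())))
```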
</div>
</div>


          </div>
        </div>
      </div>
      <div class="clearer"></div>
    </div>
    <div class="footer">
      &copy; Copyright 2008, Enthought.
      Last updated on Aug 21, 2009.
      Created using <a href="http://sphinx.pocoo.org/">Sphinx</a> 0.6.2.
    </div>
  </body>
</html>