[ogb-discuss] Community Simplification

Alan Burlison Alan.Burlison at sun.com
Sat May 17 15:40:55 PDT 2008


John Plocher wrote:

> Is this along the lines you were thinking?

Some of that doesn't (to my eyes at least) mesh with Peter's proposal, 
but in terms of the type of content rather than the actual details of 
your proposal, yes, that's what I was thinking of.

At the moment the new auth database schema only allows an OpenSolaris 
user to have one relationship to any given collective, partly because 
that's the model we currently have - as you move 'up' the membership 
scale your rights are additive.  The new database is also populated in 
terms of the roles people have rather than their rights.  This contrasts 
with your proposal, which is rights-based - for example you suggest 
'editor' and 'gatekeeper'.

I'm personally not in favour of a rights-based system such as outlined 
in your current proposal.  The new user database has been designed to be 
unaware of the applications that use it.  That's a deliberate design 
decision, one that was taken so that we could easily provide a service 
to applications that don't yet exist, including ones that don't live 
within the opensolaris.org TLD.  This is only really possible if the 
database is couched in terms of the roles people hold rather than their 
rights.

It's easier to illustrate the difference between the rights-based and the 
role-based approaches with an example - let's assume that Dan's code 
review service wasn't yet deployed, and he wanted to use the user 
database to control access.  Under a rights-based system we'd either 
have to add a new right - 'code reviewer', or say that one of the 
existing rights ('gatekeeper'?) was equivalent.  In the first case we'd 
have to add new data to the database for each and every user that needed 
to do code reviews. In the second case, the right we chose to alias 
'code reviewer' on to actually starts to describe a role rather than a 
right.

I know it seems like a subtle point, but the aim is to leave the 
definition of the rights associated with a role entirely up to each 
participating application.  That makes it significantly easier to add, 
modify and replace the component parts of the opensolaris borg without 
it impacting either the user database or the other applications which 
also use it.

-- 
Alan Burlison
--
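The role-based split Alan describes above, as an added illustration that is not part of the original message or of the OpenSolaris user database itself: the shared store records only which role a user holds in a collective (one relationship per user/collective pair, rights additive up the scale), and each application keeps its own right-to-role policy. The role names, collective name, users and the two applications' policies are assumptions constructed for the example; the point it makes is that bringing up a later service such as a code review tool changes nothing in the user database.

```python
"""Role-based user database with application-local rights mapping.

Constructed illustration: role scale, collective, users and policies are
all made up and are not the real OpenSolaris schema or data.
"""
from __future__ import annotations

# Assumed membership scale, lowest to highest.  Rights are additive as you
# move up: a holder of a higher role qualifies for anything a lower one does.
ROLE_SCALE = ("observer", "participant", "contributor", "core")
RANK = {role: i for i, role in enumerate(ROLE_SCALE)}


class UserDatabase:
    """The shared store.  It knows users, collectives and roles, and nothing
    about the applications that consume it."""

    def __init__(self) -> None:
        self._roles: dict[tuple[str, str], str] = {}

    def set_role(self, user: str, collective: str, role: str) -> None:
        if role not in RANK:
            raise ValueError(f"unknown role {role!r}")
        # One relationship per (user, collective): a new assignment replaces
        # the old one rather than accumulating alongside it.
        self._roles[(user, collective)] = role

    def role_of(self, user: str, collective: str) -> str | None:
        return self._roles.get((user, collective))

    def holds_at_least(self, user: str, collective: str, role: str) -> bool:
        held = self.role_of(user, collective)
        return held is not None and RANK[held] >= RANK[role]

    def members_at_least(self, collective: str, role: str) -> list[str]:
        return sorted(u for (u, c), r in self._roles.items()
                      if c == collective and RANK[r] >= RANK[role])


class Application:
    """A consumer of the database.  Each application owns the definition of
    its rights: a mapping from right name to the minimum role that holds it."""

    def __init__(self, name: str, userdb: UserDatabase, policy: dict[str, str]) -> None:
        self.name = name
        self.userdb = userdb
        self.policy = policy  # right -> minimum role required

    def allows(self, user: str, collective: str, right: str) -> bool:
        if right not in self.policy:
            return False  # a right this application never defined: deny
        return self.userdb.holds_at_least(user, collective, self.policy[right])


def rights_rows_to_onboard(db: UserDatabase, collective: str, min_role: str) -> int:
    """Count the per-user rows a *rights-based* store would have to add to
    grant a brand-new right to everyone at or above min_role.  In the
    role-based design this number is always zero: only the new application's
    own policy table is created."""
    return len(db.members_at_least(collective, min_role))


def build_demo() -> tuple[UserDatabase, Application, Application]:
    db = UserDatabase()
    # Constructed membership data for a hypothetical collective "on-nv".
    db.set_role("alice", "on-nv", "core")
    db.set_role("bob", "on-nv", "contributor")
    db.set_role("carol", "on-nv", "participant")

    # Assumed policy of an existing application.
    wiki = Application("wiki", db, {"editor": "contributor", "gatekeeper": "core"})
    # A service deployed later.  Only its own policy is new; the user
    # database above is not touched and gains no rows.
    review = Application("code-review", db, {"code reviewer": "contributor"})
    return db, wiki, review


if __name__ == "__main__":
    db, wiki, review = build_demo()
    for user in ("alice", "bob", "carol", "dave"):
        print(user, "review:", review.allows(user, "on-nv", "code reviewer"),
              "gatekeeper:", wiki.allows(user, "on-nv", "gatekeeper"))
    print("rows a rights-based store would need:",
          rights_rows_to_onboard(db, "on-nv", "contributor"))
```

Swapping the `review` policy to require `core` instead of `contributor` is the whole of a policy change for that service; the database and the wiki are unaffected, which is the decoupling the message argues for.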