Mailing List Archive

ACL & group
Hi,

Is there any plan to implement group management in Trac ACL ?

The granularity of a single user is nice, but somewhat difficult to manage
from an administrator's perspective. It would be nice if Trac were able to handle
groups in addition to single-user permissions.

As we use LDAP authentication on our web server, I've added group management
to Trac ACLs. Group permissions are defined in the SQLite permission table, as
they are for a single user. I've used the usual character to denote groups among
users: @.
A 'group' is therefore prefixed with an '@' sign, like '@administrators'.

In order not to change the current Trac implementation, I did not change the
way user permissions are stored and retrieved. However, this may not scale
well to large directories with many different groups.

trac-admin does support 'usernames' with an @ sign.

The current implementation does the following (in perm.py):

if user is 'anonymous': perform the same code as the original Trac code
if user is not 'anonymous':
    open a connection to the LDAP directory
    retrieve the list of all available groups in the LDAP directory (*)
    filter out all groups the user does not belong to (from the LDAP group lists)
    for each group (and the user)
        read and use the permissions of the group as defined in the SQLite
        permission table

This way, if user belongs to group @agroup (in LDAP), user is assigned
permission from group @agroup (in SQLite).

(*): this may not fit well with directories using many different groups in the
same base DN.

As ACLs are tested for each CGI request, this may lead to poor performance.
I do not know how to improve this. Please let me know if there is a better way
to use group permissions.

Emmanuel.

--
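The lookup described in the post above, as an added example that is not code from the original message or from Trac's own perm.py. It mirrors the structure the poster describes: a permission table with one (username, action) row per grant, group rows keyed by an '@'-prefixed name, and a directory lookup that lists all groups and keeps those the user belongs to. The table layout, the column names, the sample rows and the in-memory LDAP_GROUPS dictionary standing in for the directory are all constructed for the example; the check that rejects a login name starting with '@' is an addition the post does not mention.

```python
import sqlite3

GROUP_PREFIX = "@"

# Constructed sample rows, shaped like Trac's permission table
# (one row per grant; group rows use the '@' prefix).
PERMISSION_ROWS = [
    ("alice", "TICKET_CREATE"),
    ("@administrators", "TRAC_ADMIN"),
    ("@developers", "WIKI_MODIFY"),
    ("@developers", "TICKET_MODIFY"),
    ("anonymous", "WIKI_VIEW"),
]

# Stand-in for the LDAP directory: group name -> set of member logins.
# Constructed data; a real deployment would query the directory instead.
LDAP_GROUPS = {
    "administrators": {"bob"},
    "developers": {"alice", "bob"},
    "qa": {"carol"},
}


def open_permission_db(rows=PERMISSION_ROWS):
    """Create an in-memory SQLite permission table and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE permission (username TEXT, action TEXT)")
    conn.executemany("INSERT INTO permission VALUES (?, ?)", rows)
    return conn


def ldap_groups_for(user, directory=LDAP_GROUPS):
    """Enumerate every group in the directory and keep those containing user.

    This is the 'list all groups, then filter' step from the post; it costs
    one pass over all groups per request.
    """
    return sorted(g for g, members in directory.items() if user in members)


def effective_permissions(conn, user, directory=LDAP_GROUPS):
    """Return the sorted set of actions granted to user directly or via groups."""
    if user.startswith(GROUP_PREFIX):
        # Added safeguard: a login name that looks like a group would
        # otherwise inherit that group's rows. Not part of the post.
        raise ValueError("login names may not start with %r" % GROUP_PREFIX)
    if user == "anonymous":
        # Anonymous keeps the original behaviour: its own rows only.
        principals = ["anonymous"]
    else:
        principals = [user] + [GROUP_PREFIX + g
                               for g in ldap_groups_for(user, directory)]
    placeholders = ",".join("?" * len(principals))
    rows = conn.execute(
        "SELECT action FROM permission WHERE username IN (%s)" % placeholders,
        principals,
    )
    return sorted({action for (action,) in rows})


def has_permission(conn, user, action, directory=LDAP_GROUPS):
    """True if action is granted to user directly or through a group."""
    return action in effective_permissions(conn, user, directory)


if __name__ == "__main__":
    db = open_permission_db()
    for login in ("anonymous", "alice", "bob", "carol"):
        print(login, effective_permissions(db, login))
```

With the constructed data, bob holds TRAC_ADMIN only through @administrators, and carol, whose only group has no rows in the table, gets nothing. The rejection of '@'-prefixed logins matters because the scheme relies on the prefix alone to tell a group row from a user row; if the authentication layer could ever hand perm.py a username beginning with '@', that user would be treated as a group.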