
It seems like the security model fits very small projects, but that it is probably not feasible to write all possible registered users' hashed passwords in security.py. Do you know any examples of scaling up Pyramid's authentication, or are there any benefits to calling through Pyramid's security scheme into my own database of security information?

nnythm
  • who's advocating storing passwords in security.py? – Tom Willis Aug 18 '11 at 12:28
  • https://docs.pylonsproject.org/projects/pyramid/1.1/tutorials/wiki2/authorization.html has a very simple demo with a {key, raw_password} dict in security.py – nnythm Aug 22 '11 at 00:59
  • Ah ok I see your point. But it's not too much of a stretch for someone familiar with python to imagine groupfinder querying a database or something else is it? – Tom Willis Aug 23 '11 at 15:33
  • I was hoping that there would be some built in pyramid magic to handle username/password pairs in a local datastore. – nnythm Aug 23 '11 at 19:13

3 Answers


I don't think the size of the project is related to the security model. Either you want a simple or a complex security model. Both can be applied to projects of any size. One of Pyramid's strong points is its extensibility.

Why would you store hashed passwords in security.py? (cmiiw here, I probably misunderstood) If you read this in someone's code, that's probably just an example. In real apps, you save them in a storage/persistence system of your choice.

Again, I don't understand what you mean by "scaling up authentication". My guess is you want some working examples:

tshepang
kusut

No idea what your needs are or what you mean by "scaling up security", but Pyramid's authentication policy is very flexible. You need to understand, though, that it doesn't maintain users and passwords; it merely provides a mechanism for obtaining a user identifier from the incoming request. For example, the AuthTktAuthenticationPolicy keeps track of the user id by a cookie that you set using the remember method.

What meaningful information you derive from that user id is totally up to you and is application specific.

So really the question you may want to ask is can your application "scale up security".

I can't show you code because it's proprietary, but I've needed to support OpenID, HTTP auth and your typical DB-backed user store on the same application, with the extra added complication that users are stored in different database shards and the shard can't be immediately determined. It takes very little code to support this.

Tom Willis
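Added example, not code from any answer or from Pyramid itself: the pattern the answers above describe, with the authentication policy only carrying a user id and the application owning the user store. The callback signature `groupfinder(userid, request)` and `AuthTktAuthenticationPolicy(secret, callback=...)` are Pyramid's; the SQLite tables, the constructed sample users, the `request.db` attribute and the `make_authn_policy` helper are assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000  # work factor; raise as hardware allows

def hash_password(password, salt=None):
    """Return 'salt$digest' in hex (PBKDF2-HMAC-SHA256, random salt per user)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()

def verify_password(password, stored):
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate.hex(), digest_hex)  # constant-time compare

def init_db():
    """Constructed in-memory user store standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.execute("CREATE TABLE groups (userid TEXT NOT NULL, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("editor", hash_password("correct horse")), ("viewer", hash_password("hunter2"))])
    conn.executemany("INSERT INTO groups VALUES (?, ?)",
                     [("editor", "group:editors"), ("editor", "group:viewers"), ("viewer", "group:viewers")])
    conn.commit()
    return conn
DB = init_db()
_DUMMY_HASH = hash_password("")  # checked for unknown users so timing does not reveal existence

def check_login(conn, userid, password):
    """Login view logic; on success the view would call pyramid.security.remember(request, userid)."""
    row = conn.execute("SELECT pw_hash FROM users WHERE userid = ?", (userid,)).fetchone()
    ok = verify_password(password, row[0] if row else _DUMMY_HASH)
    return ok and row is not None

def groupfinder(userid, request):
    """Pyramid callback: principals for the id from the auth_tkt cookie, or None if the account is gone."""
    conn = getattr(request, "db", DB)  # assumption: the app attaches its connection as request.db
    if conn.execute("SELECT 1 FROM users WHERE userid = ?", (userid,)).fetchone() is None:
        return None  # stale cookie for a deleted user grants nothing
    rows = conn.execute("SELECT name FROM groups WHERE userid = ? ORDER BY name", (userid,))
    return [name for (name,) in rows]

def make_authn_policy(secret):
    """Wire the callback into Pyramid; imported lazily so the rest runs without Pyramid installed."""
    from pyramid.authentication import AuthTktAuthenticationPolicy
    return AuthTktAuthenticationPolicy(secret, callback=groupfinder, hashalg="sha512")
```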

I ended up building something for myself that makes authentication a little easier if you happen to be using MongoDB.

https://github.com/mosesn/mongauth

It isn't built into pyramid, but hooks in easily enough. Everything is pretty transparent.

nnythm