Services/ServerCore/AuthRewrite

From MozillaWiki

Rewriting Server-core auth (especially LDAP)

The transfer from php to python has turned up a couple of problems. None of these are blockers to getting python to launch, but they are substantial enough that they'll need addressing as we move to a more generic application and auth framework.

  • Some things need to work more generically for a post-sync world. For example, the current version of get_user_info returns the username and email address. Since that is all we store for sync, it'll work fine... until we store something else in ldap.
  • The python code is very inefficient in LDAP interactions - given a userid, it'll get the username (an LDAP call), and pass that to a function that looks up the userid (an LDAP call), then gets the dn (an LDAP call), etc, etc. There's a lot of unnecessary LDAP traffic here.
  • There's a fundamental difference between php and python. In php, the auth module was fired up, connected to the db and had commands issued to it with every request. This meant that the auth object itself could keep track of user state. Python only loads that module on startup, so it has to be stateless from a user perspective. This is probably for the best in the long run, but it makes for a lot of duplicated querying. We need a solution that circumvents this.
  • Node assignment is being shifted to its own API. That leaves getting the next userid as the only sql dependency remaining in the ldap library. PHP could not handle the call necessary to put this in ldap, but I _believe_ python can (I was in the process of testing this when everything else came up). If so, it would be good to have the pure ldap implementation.


I believe we need to rebuild the ldap auth library from scratch, and that this will also result in a few interface changes that will need to be accommodated by the remaining auth libraries. Here are my goals:

  • definition of a user object. This can be put into the request object and accessed through request.user. Initially I would expect this to be a simple wrapper around a dictionary and not much else, but it will get us in the habit of passing the object into the auth class and not a random id or username. Inside the auth class, it can decide if the user object already has what's needed and use that, or populate it with what it does need. This will cut way back on inefficient storage interaction.
  • Remove all vestiges of sync from the code. This is not a sync codebase any more. If it's doing sync-specific things, those need to come out.
  • Bugfixes and polishing. This library, when traced, goes back to the very earliest days of weave, and there's a bunch of stuff that could probably be done better or isn't needed any more.
  • Roll this out after node-assignment has been factored out into its own API, so that the code here doesn't need to know anything about nodes.
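As an added illustration (not code from server-core) of the request.user idea above and of the chained-lookup problem described earlier: a stateless auth class fills a dict-wrapper User in one LDAP search and skips the directory entirely when the object already carries what it needs. The connection, the directory entries and the attribute names (uidNumber, uid, mail) are constructed stand-ins, not the project's real schema.

```python
# Added example (not Mozilla's code): a stateless auth class that fills a
# request-scoped User wrapper in one LDAP round trip, instead of chaining
# userid -> username -> userid -> dn lookups. The directory and its entries
# are constructed in-memory stand-ins for python-ldap; field names are assumed.

class FakeLdap:
    """Stand-in for an LDAP connection; counts searches so the savings show."""
    def __init__(self, entries):
        self.entries = entries          # list of (dn, attrs) tuples
        self.searches = 0

    def search(self, attr, value):
        self.searches += 1
        return [(dn, a) for dn, a in self.entries if a.get(attr) == value]


class User(dict):
    """Request-scoped user object (request.user): a dict wrapper, nothing more."""


class LdapAuth:
    """Stateless auth module: all per-user state lives in the User passed in."""
    FIELDS = ("uidNumber", "uid", "mail")

    def __init__(self, conn):
        self.conn = conn

    def populate(self, user):
        # Only touch LDAP if the User lacks something; one search fills all fields.
        if all(f in user for f in self.FIELDS) and "dn" in user:
            return user
        key = "uidNumber" if "uidNumber" in user else "uid"
        hits = self.conn.search(key, user[key])
        if not hits:
            raise LookupError("no such user: %r" % user.get(key))
        dn, attrs = hits[0]
        user["dn"] = dn
        for f in self.FIELDS:
            user[f] = attrs[f]
        return user


def old_get_dn(conn, userid):
    """The chained style being replaced: three searches just to reach the dn."""
    username = conn.search("uidNumber", userid)[0][1]["uid"]
    uid = conn.search("uid", username)[0][1]["uidNumber"]
    return conn.search("uidNumber", uid)[0][0]


DIRECTORY = [  # constructed sample entry
    ("uid=alice,ou=users,dc=example,dc=org",
     {"uidNumber": 1001, "uid": "alice", "mail": "alice@example.org"}),
]
```

Passing the same User into a second auth call costs no further LDAP traffic, which is the saving the stateless-module constraint otherwise forfeits.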

Random things

Stuff in process:

New Features ?

  • graphite: have a tool to ping a graphite server