Line: 1 to 1 | ||||||||
---|---|---|---|---|---|---|---|---|
Added: | ||||||||
> > | User MasqueradingOn this page:
PrefaceThis topic describes how to configure your TWiki site for user masquerading. There are cases where it's handy to access TWiki on behalf of somebody else retaining a trace of your real identity rather than completely becoming a different user. We call it user masquerading. TWiki can provide user masquerading through a combination of a plug-in having a properinitializeUserHandler() and a proper user mapping manager.
In an implementation, your login ID would be "REAL_ID/MASQUERADE_ID" while you are acting on behalf of MASQUERADE_ID.
BenefitsUser masquerading discussed here provides the following benefits.Minimizing exercise of privilegeUsually, TWiki administrators are the members of TWikiAdminGroup and can do anything on the TWiki site. This is like doing everything as root on Unix and doing everything as an administrator account on Windows, which is not regarded as a good practice now. TWiki Administrators are likely to be TWiki users and they shouldn't have privilege while they are using TWiki. They should exercise their privilege only when they administer. For that, instead of putting TWiki administrators into TWikiAdminGroup, allowing them to act on behalf of "admin" is desirable assuming "admin" is a TWikiAdminGroup member.AuditabilityAssuming the TWiki access log records both the real and masqueraded identities for individual operations, auditing of TWiki administrators is easier. You can see admin operations of joeschmoe by picking up joeschmoe/admin's entries in the log file. joeschmoe's ordinary use is supposed to be conducted as joeschmoe rather than joeschmoe/admin, you don't need to exclude non admin activities manually.Web autonomyOn a large TWiki installation having thousands of webs, webs need to be as autonomous as possible. To that end, it's handy to have a set of users guaranteed to have access to a web regardless of access control settings -- it's like TWikiAdminGroup members but for the web only. User masquerading can allow the web owners to act on behalf of "admin" on their web while not allowing that on the other webs. In case a web administrator kicks oneself out of the web due to access control mistake, the administrator can act on behalf of admin to fix it. The administrator can also fix a problem on a topic the administrator usually cannot see by acting on behalf of admin.Testing access controlUsually, it's cumbersome to confirm access control setting is working as expected. Because you need to ask somebody else try. User masquerading makes it possible to test access control on your own.How to set up masqueradingNow that you understand the concept well, here's how to set up initialize user handler and user mapping handler for user masquerading. The requirements are:
Initialize user handlerLet's say while a user joeschmoe (login name) is masquerading as janedoe, the user is identified as joeschmoe/janedoe. This should happen in initializeUserHandler() of a plug-in. You may think a login handler can have this feature, it's not practical to determine a user is allowed to masquerade or not in the login handler. This is because the login handler is called very early in a topic processing and the apparatus you can use is quite limited. One way to specify a masquerade destination is by an HTTP cookie - e.g. TWIKI_ON_BEHALF_OF. Assuming that, initializeUserHandler() returns the login name handed as it is if the TWIKI_ON_BEHALF_OF cookie does not exist. If its value is janedoe, then the handler determines whether joeschmoe is entitled to masquerading. If so it returns joeschmoe/janedoe. Otherwise it returns joeschmoe.User mapping handlerMaking the corresponding cUID for joeschmoe/janedoe login name shouldn't be an issue - the way TWikiUserMapping employs for login to cUID mapping is fine (coding a non-alphanumeric character to '_' followed by the hexadecimal number of the character code; '/' is coded to '_2f'). And let's say the corresponding wiki name is JoeSchmoeOnBeHalfOfJaneDoe. For that, the following methods of the user mapping handler need to be implemented accordingly.
isEquivalentCUIDs($cUID, $identCUID, $topic, $web) ,
which is called from TWiki::Users::isEquivalendCUIDS(), which is called from TWiki::Users::isInList().
isInGroup() and isEquivalentCUIDs() in the user mapping handler are the crux of user masquerading implmementation.
Who can masqueradeMasquerading is a meta feature in the sense that it's something above topic access permission. It's a mechanism to skew the access control mechanism. Putting the theoretical thought aside, the practical way is to allow the web admins (cf. AutonomousWebs) to masquerade in a web. MetadataRepository or some topics in the TWiki web would be used to specify who can masquerade in a web. Along the same line as TWikiAdminGroup, it's handy to have a set of users who can masquerade in any web. To minimize exercise of privilege, TWiki administrators need to be able to masquerade in any web.Logging while masqueradingOn the TWiki log, each entry has a user's login name. In the scenario described so far, while masquerading, the user's login name is in the joeschmoe/janedoe format. Consequently, login names for that format are put in the log file.Topic reading another topicMasquerading takes effect for a topic only if the user is entitled to. Let's take a closer look at how it works when a topic reads another topic. Here's the scenario:
|