Rob Miller’s introduction on remember and membrane

Tags: sorrentosprint2007, plone

Rob Miller's introduction on remember

At the start of the plone Sorrento sprint, Rob Miller gave an introduction on membrane/remember.

http://farm1.static.flickr.com/162/436298038_92e0ddbf8d_m.jpg

Intro

PAS, pluggable authentication services, is the basis. Before that, we had so-called "User Folders". Both PAS and user folders end up as an object called acl_users in your ZMI. The API of user folders was pretty small, so if you need more functionality, you need an entirely other type of user folder. GRUF, LDAPUF, PUF, etc. Especially GRUF, group user folder, was used by plone.

If you wanted to change user folder, you had to replace your existing one. A mess. Now we have PAS which replaces everything that user folder did with plugins. You have plugins for everyting: roles, authentication, identification, properties, everything.

Under the hood, you have both users and members, which has historical reasons. The distinction isn't really needed anymore, but it'll be a few releases before it can be lifted.

Membrane and remember

Membrane uses a lot of zope3 technology, in the form of plugins, to grab data for members from the underlying information sources. You can add plugins to grab info from custom sources.

On the other hand, Remember sort-of collects all the member data collected by membrane in one nice member object, usable for plone. B-org, an alternative implementation, also uses Membrane. It is on the same level as Remember, but uses another way of looking at the problem. Remember tries to present plone with a member as plone is used to get, B-org aims more at representing organisational structures.

Membrane is in really good shape. There aren't many problems being reported lately. Both Remember and B-org depend on it. The 1.0 release is virtually ready. Nice thing: the main membrane tool is a catalog, so it is good for searching. The catalog also includes an index for the interfaces that are implemented. This will change later on, as this isn't terribly effective. It will not index what something can be adapted to, it will only index what the object implements directly.

If you know for sure that all your members are inside remember, you can use the remember catalog to search them instead of going through pas. Could help with performance.

Remember is also in good shape. There is also a migration strategy from CMFMember (until plone 2.1) to Remember (2.5 and up). Remember doesn't have the ability yet, though, to take a bunch of exisiting users and turn them into Remember members. That's the only reason that the current Remember release is marked "alpha".

I asked about the distinction between PAS plugins and Membrane plugins. Ah: Membrane plugins are PAS plugins, only they extract information out of objects inside the plone site.

You have a PAS class that implements some interfaces (like IUserAuthentication, IUserProperties and so). Membrane provides some plugins that provide this. There's a plugin that provides IUserProperties to PAS which works by adapting plone objects to IMembraneUserProperties, for instance, to extract user properties. You have to register the adapter before it works, btw.

The way in which I think how it works now: PAS provides login, authentication, user properties, etc. to plone. Membrane adds some functionality to extract some or all of this information for PAS out of plone objects. Remember packages all this up as one nice member object for plone and it helps with building memberdata-providing objects.

Currently, the portal_memberdata tool wraps users in member objects. If you request data from the member, the memberdata tool first looks in the member. If it gets an AttributeError, it tries to grab that attribute from the user. Remember/Membrane makes sure the user object has all the data, so the member-wrapping is essentially empty.

Things to fix

  • Remember bugs.
  • Remember migration for plone (local utility, migrating existing users, as mentioned earlier).
  • Membrane object_implements index (as mentioned earlier).
  • test coverage (currently all tests are old-style unit tests, doc tests would be great).
  • One of the things Rob likes to be fixed is Teamspace. A Team has a common work area, called a TeamSpace. The Team has a TeamMembership object that references a number of Members (CMFMember at that time) that are a member of that team. If you are part of the team, you get more rights. The difference with regular plone groups is that a group is pretty binary: you are part of the group or you are not. You can't be a pending member. Also you can't be an admin of a team or so. That's where Teamspace helps. There's a lot of opportunity for TeamSpace refactoring now that we've got PAS. Also, the connection between TeamMembership and members is currently via an AT references. This should be factored out into an adapter to allow for other implementations.
  • PlonePAS is a bit messy. PlonePAS adds to and changes the core PAS. Some stuff should be fed back into PAS (if we're allowed), some should be better documented. That's a big task, mostly reading existing code. The result would most probably be a proposal to the PAS list instead of actual code.
  • Another thing to work on: replace LDAPMultiPlugins with a set of small PAS plugins that only have LDAP stuff in there and no more old LDAP user folder. (This is not Membrane/Remember specific, though).
  • Using Membrane/Remember with other authentication systems (like openid). Remember might make too many assumptions. It "should work", but it probably won't directly.

Closing remark

You don't always need Remember. You need to understand when to use it and when not to use it. You can do a lot of stuff without it. PAS plugins can do a lot. Perhaps just adding a field to memberdata and modifying some templates is enough.

(Old imported comments)
"Remember with attributes in LDAP" by Sig on 2007-09-01 14:50:41
I need a member type with some attributes that must be stored in LDAP. But some other attributes are references to other archetypes items of my own. Authentication should occur from LDAP too. Do you think it's reasonable to use Remember? If so, how to let some of my attributes be stored in LDAP instead of the ZODB?
It seems that there is no LDAP storage for Archetypes. And I can't manage tweaking my acl_users/plugins via ZMI so that some user properties are read from LDAP instead of from membrane.
Any advice?
"Thanks, Reinout" by Tom Lazar on 2007-03-27 17:06:00
Every little bit that helps clearing up the "PAS/Membrane/Remember"-Mystery is a Good Thing[tm] ;-)
 
vanrees.org logo

About me

My name is Reinout van Rees and I work a lot with Python (programming language) and Django (website framework). I live in The Netherlands and I'm happily married to Annie van Rees-Kooiman.

Weblog feeds

Most of my website content is in my weblog. You can keep up to date by subscribing to the automatic feeds (for instance with Google reader):