[OTDev] AA: the anonymous user

Luchesar V. ILIEV luchesar.iliev at gmail.com
Fri Jun 18 14:33:07 CEST 2010


While this discussion is mostly about the anonymous user, let me bring
forward another related issue: the public access itself.

Suppose that I upload a certain resource, which I'd like to be public.
My client has to construct an appropriate policy and send it to the OT
service alongside the resource. The service should then translate it
into an OpenSSO policy and register it with the policy service while
creating and publishing my resource.

The question is, however, what this "public" policy should be? Of
course, I, as creator, should be able to do anything (GET, POST, PUT,
DELETE), but what about the "public" part, really? It's about being
able to GET the resource (or POST to it for some types of resources),
but WHO exactly?

One user to be defined should be the anonymous one, OK, but what about
all the rest? It doesn't make sense to list all existing users in the
policy, yet if we don't do it, it would turn out that while the
anonymous user has access to the public resource, no other registered
user does!

One solution that I see is to have a group "all users", which should
be automatically updated each time a new user is registered on the
opentox.org site. Or probably there is already a group in Plone which
encompasses all registered users (not quite the same, but I remember
phpBB3 having such a group)?

Please let me know what you think about this issue. Or am I missing
something?

Cheers,
Luchesar

P.S. The problem arises from the fact that OpenSSO uses "deny" as the
default. So, if there's no policy regarding a certain
resource/access-type/user combination, the request is denied.


On Thu, Jun 17, 2010 at 18:51, Tobias Girschick
<tobias.girschick at in.tum.de> wrote:
> Hi Luchesar, All,
>
> On Thu, 2010-06-17 at 18:34 +0300, Luchesar V. ILIEV wrote:
>> Folks,
>>
>> I'd like to gradually start a discussion on several points that seem to
>> need specific attention. Let's start with the anonymous or guest
>> user.
> Good point.
>
>>
>> 1. Let's decide on the exact username: "anonymous" or "guest". I have a
>> slight preference for the first one, because "guest" somehow implies
>> more restricted access -- however, that user is supposed to access ALL
>> public data, not, for instance, only some "demo" excerpts.
>
> I also prefer anonymous.
>
>>
>> 2. What about the password? Should it be just a "blank" one? Or
>> something like "opentox"? Or even the user's e-mail address, FTP-style
>> (however, this one might be difficult to implement, as it is unlikely
>> to be supported by OpenSSO/Plone)?
>
> I think in the IT world anonymous + blank is pretty common.
>
> Cheers
> Tobias
>
>>
>> 3. Once the exact username and password are decided, it might make
>> sense to finally enter the user into Plone's database, so that we can
>> start testing.
>>
>> 4. Let's not forget that at some point in time we should create
>> policies for ALL existing public resources that grant "read" (GET, but
>> sometimes also POST) access for that user.
>>
>> 5. If any type of quota is implemented, even if with the intention
>> to just protect a service from being overloaded, obviously the
>> "anonymous" or "guest" user would need special treatment.
>>
>> Cheers,
>> Luchesar
>> _______________________________________________
>> Development mailing list
>> Development at opentox.org
>> http://www.opentox.org/mailman/listinfo/development
>
> --
> Dipl.-Bioinf. Tobias Girschick
>
> Technische Universität München
> Institut für Informatik
> Lehrstuhl I12 - Bioinformatik
> Bolzmannstr. 3
> 85748 Garching b. München, Germany
>
> Room: MI 01.09.042
> Phone: +49 (89) 289-18002
> Email: tobias.girschick at in.tum.de
> Web: http://wwwkramer.in.tum.de/girschick
>
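The default-deny point in the P.S. and the "all users" group proposed above can be checked with a small model of such a policy store. This is an added illustration, not OpenTox or OpenSSO code; the resource path, user names and the "all-users" group name are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed model of an OpenSSO-style policy: each policy grants a set of
# actions on one resource to a set of subjects (user names, or "group:<name>").
# A request is allowed only if some policy grants it; anything else is denied,
# which is the default behaviour the P.S. above describes.
ANONYMOUS = "anonymous"


@dataclass
class Policy:
    resource: str
    actions: frozenset
    subjects: frozenset  # user names or "group:<name>"


@dataclass
class PolicyStore:
    policies: list = field(default_factory=list)
    groups: dict = field(default_factory=dict)  # group name -> set of users

    def register_user(self, user):
        # Hypothetical "all-users" group, updated on every registration.
        self.groups.setdefault("all-users", set()).add(user)

    def is_allowed(self, user, resource, action):
        for p in self.policies:
            if p.resource != resource or action not in p.actions:
                continue
            for s in p.subjects:
                if s == user:
                    return True
                if s.startswith("group:") and user in self.groups.get(s[6:], ()):
                    return True
        return False  # default deny: no matching grant


def public_policies(creator, resource, use_group):
    """Creator gets everything; 'public' readers get GET only."""
    owner = Policy(resource, frozenset({"GET", "POST", "PUT", "DELETE"}), frozenset({creator}))
    readers = {ANONYMOUS}
    if use_group:
        readers.add("group:all-users")
    return [owner, Policy(resource, frozenset({"GET"}), frozenset(readers))]


def decisions(use_group):
    """Who may do what on the constructed resource /dataset/1."""
    store = PolicyStore()
    for u in ("luchesar", "alice"):
        store.register_user(u)
    store.policies = public_policies("luchesar", "/dataset/1", use_group)
    return {(u, a): store.is_allowed(u, "/dataset/1", a)
            for u in ("luchesar", "alice", ANONYMOUS) for a in ("GET", "DELETE")}
```

Without the group grant, the registered user "alice" is denied GET on the public resource while the anonymous user is allowed; adding the group grant fixes that without widening write access.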
