Commit ee9a9f86 authored by Jeremy Hylton's avatar Jeremy Hylton

Update for authentication and for a few tools.

parent 84bbbd01
...@@ -164,6 +164,30 @@ http://www.zope.com/Products/ZopeProducts/ZRS. In general, it could ...@@ -164,6 +164,30 @@ http://www.zope.com/Products/ZopeProducts/ZRS. In general, it could
be used to with a system that arranges to provide hot backups of be used to with a system that arranges to provide hot backups of
servers in the case of failure. servers in the case of failure.
Authentication
~~~~~~~~~~~~~~
ZEO supports optional authentication of client and server using a
password scheme similar to HTTP digest authentication (RFC 2069). It
is a simple challenge-response protocol that does not send passwords
in the clear, but does not offer strong security. The RFC discusses
many of the limitations of this kind of protocol. Note that this
feature provides authentication only. It does not provide encryption
or confidentiality.
The challenge-response also produces a session key that is used to
generate message authentication codes for each ZEO message. This
should prevent session hijacking.
Guard the password database as if it contained plaintext passwords.
It stores the hash of a username and password. This does not expose
the plaintext password, but it is sensitive nonetheless. An attacker
with the hash can impersonate the real user. This is a limitation of
the simple digest scheme.
The authentication framework allows third-party developers to provide
new authentication modules.
Installing software Installing software
------------------- -------------------
...@@ -282,6 +306,19 @@ transaction-timeout ...@@ -282,6 +306,19 @@ transaction-timeout
transaction takes too long, the client connection will be closed transaction takes too long, the client connection will be closed
and the transaction aborted. and the transaction aborted.
authentication-protocol
The name of the protocol used for authentication. The
only protocol provided with ZEO is "digest," but extensions
may provide other protocols.
authentication-database
The path of the database containing authentication credentials.
authentication-realm
The authentication realm of the server. Some authentication
schemes use a realm to identify the logic set of usernames
that are accepted by this server.
Configuring client Configuring client
------------------ ------------------
...@@ -354,6 +391,10 @@ read-only-fallback ...@@ -354,6 +391,10 @@ read-only-fallback
acceptable as a fallback when no writable storages are acceptable as a fallback when no writable storages are
available. Defaults to false. At most one of read_only and available. Defaults to false. At most one of read_only and
read_only_fallback should be true. read_only_fallback should be true.
realm
The authentication realm of the server. Some authentication
schemes use a realm to identify the logic set of usernames
that are accepted by this server.
A ZEO client can also be created by calling the ClientStorage A ZEO client can also be created by calling the ClientStorage
constructor explicitly. For example:: constructor explicitly. For example::
...@@ -384,6 +425,15 @@ server. The server will continue writing to the renamed log file ...@@ -384,6 +425,15 @@ server. The server will continue writing to the renamed log file
until it receives the signal. After it receives the signal, the until it receives the signal. After it receives the signal, the
server will create a new file with the old name and write to it. server will create a new file with the old name and write to it.
Tools
-----
There are a few scripts that may help running a ZEO server. The
zeopack.py script connects to a server and packs the storage. It can
be run as a cron job. The zeoup.py script attempts to connect to a
ZEO server and verify that is is functioning. The zeopasswd.py script
manages a ZEO servers password database.
Diagnosing problems Diagnosing problems
------------------- -------------------
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment