Code Repositories xandikos / master notes / multi-user.rst
master

Tree @master (Download .tar.gz)

multi-user.rst @masterview markup · raw · history · blame

Multi-User Support

Multi-user support could arguably also include sharing of calendars/collections/etc. This is beyond the scope of this document, which just focuses on allowing multiple users to use their own silo in a single instance of Xandikos.

Siloed user support can be split up into three steps:

  • storage - mapping a user to a principal
  • authentication - letting a user log in
  • authorization - checking whether the user has access to a resource

Authentication

In the simplest form, a forwarding proxy provides the name of an authenticated user. E.g. Apache or uWSGI sets the REMOTE_USER environment variable. If REMOTE_USER is not present for an operation that requires authentication, a 401 error is returned.

Authorization

In the simplest form, users only have access to the resources under their own principal.

As a second step, we could let users configure ACLs; one way of doing this would be to allow adding authentication in the collection configuration. I.e. something like:

[acl]
read = jelmer, joe
write = jelmer

Storage

By default, the principal for a user is simply "/%(username)s".

Roadmap

  • Optional: Allow marking collections as principals [DONE]
  • Expose username (or None, if not logged in) everywhere [DONE]
  • Add function get_username_principal() for mapping username to principal path [DONE]
  • Support automatic creation of principal on first login of user
  • Add simple function check_path_access() for checking access ("is this user allowed to access this path?")
  • Use access checking function everywhere
  • Have current-user-principal setting depend on $REMOTE_USER and get_username_principal() [DONE]