---+!! User Masquerading

%TOC%

---++ Preface

This topic describes how to configure your TWiki site for user masquerading. There are cases where it's handy to access TWiki on behalf of somebody else while retaining a trace of your real identity, rather than completely becoming a different user. We call it user masquerading.

TWiki can provide user masquerading through a combination of a plug-in having a proper =initializeUserHandler()= and a proper user mapping manager. In such an implementation, your login ID would be "REAL_ID/MASQUERADE_ID" while you are acting on behalf of MASQUERADE_ID.

---++ Benefits

User masquerading as discussed here provides the following benefits.

---+++ Minimizing exercise of privilege

Usually, TWiki administrators are members of !TWikiAdminGroup and can do anything on the TWiki site. This is like doing everything as root on Unix, or as an administrator account on Windows, which is no longer regarded as good practice. TWiki administrators are likely to be TWiki users too, and they shouldn't hold privilege while they are *using* TWiki; they should exercise their privilege only when they administer. For that, instead of putting TWiki administrators into !TWikiAdminGroup, it is desirable to allow them to act on behalf of "admin", assuming "admin" is a !TWikiAdminGroup member.

---+++ Auditability

Assuming the TWiki access log records both the real and masqueraded identities for individual operations, auditing of TWiki administrators becomes easier. You can see the admin operations of joeschmoe by picking out joeschmoe/admin's entries in the log file. Since joeschmoe's ordinary use is supposed to be conducted as joeschmoe rather than joeschmoe/admin, you don't need to exclude non-admin activities manually.

---+++ Web autonomy

On a large TWiki installation having thousands of webs, webs need to be as autonomous as possible.
To that end, it's handy to have a set of users guaranteed to have access to a web regardless of access control settings -- like !TWikiAdminGroup members, but for that web only. User masquerading can allow the web owners to act on behalf of "admin" in their web while not allowing that in other webs. In case a web administrator locks themselves out of the web through an access control mistake, the administrator can act on behalf of admin to fix it. The administrator can also fix a problem on a topic the administrator usually cannot see by acting on behalf of admin.

---+++ Testing access control

Usually, it's cumbersome to confirm that an access control setting is working as expected, because you need to ask somebody else to try. User masquerading makes it possible to test access control on your own.

---++ How to set up masquerading

Now that you understand the concept, here's how to set up the initialize user handler and the user mapping handler for user masquerading. The requirements are:
   * While user masquerading is in effect, both the real identity and the masquerade identity need to be reflected in the user's identity.
   * Masquerading takes effect only on webs the user is entitled to.
   * Access checking is conducted taking user masquerading into account.
   * A topic may read/include other topics by %<nop>SEARCH{...}%, %<nop>INCLUDE{...}% and other TWiki variables. Masquerading needs to be observed for topics read/included from the current topic as well.

---+++ Initialize user handler

Let's say that while a user joeschmoe (login name) is masquerading as janedoe, the user is identified as joeschmoe/janedoe. This should happen in =initializeUserHandler()= of a plug-in. You may think a login handler could have this feature, but it's not practical to determine in the login handler whether a user is allowed to masquerade. This is because the login handler is called very early in topic processing and the apparatus you can use there is quite limited.
One way to specify a masquerade destination is by an HTTP cookie, e.g. TWIKI_ON_BEHALF_OF. Assuming that, =initializeUserHandler()= returns the login name handed to it as is if the TWIKI_ON_BEHALF_OF cookie does not exist. If its value is janedoe, then the handler determines whether joeschmoe is entitled to masquerading. If so, it returns joeschmoe/janedoe. Otherwise it returns joeschmoe.

---+++ User mapping handler

Making the corresponding cUID for the joeschmoe/janedoe login name shouldn't be an issue; the way !TWikiUserMapping maps login names to cUIDs is fine (each non-alphanumeric character is coded as '_' followed by the hexadecimal number of the character code; '/' is coded as '_2f'). And let's say the corresponding wiki name is !JoeSchmoeOnBeHalfOfJaneDoe. For that, the following methods of the user mapping handler need to be implemented accordingly.
   * =getWikiName()= (for cUID to wiki name mapping)
   * =findUserByWikiName()= (for wiki name to cUID mapping)

The following methods of the user mapping handler need to take two extra arguments, $topic and $web, compared to those methods in !TWikiUserMapping.
   $ =isAdmin()=: similar to !TWikiUserMapping's, but when it calls =isInGroup()=, $topic and $web need to be passed so that user masquerading is taken into account.
   $ =isInGroup()=: similar to !TWikiUserMapping's, but it takes masquerading into account.

In addition, the user mapping handler needs the following new object method: =isEquivalentCUIDs($cUID, $identCUID, $topic, $web)=, which is called from =TWiki::Users::isEquivalentCUIDs()=, which in turn is called from =TWiki::Users::isInList()=.
   * $cUID is the current user's cUID; it may be masquerading.
   * $identCUID is the cUID of a wiki name in an access restriction setting; it is never masquerading.

The =isEquivalentCUIDs()= method determines the equivalence of $cUID and $identCUID taking user masquerading into consideration.
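Here is an added example in Perl of the pieces described in this section (the initialize user handler reading the cookie, the login name to cUID encoding, and =isInGroup()=/=isEquivalentCUIDs()= honouring masquerading per web). It is not code from this topic or from TWiki itself; the entitlement table, the group table and the helper names (=isEntitled()=, =masqueradeLogin()=) are assumptions made for the illustration.

```perl
use strict;
use warnings;
# ASSUMED entitlement table: which real login names may masquerade, in which
# webs. A '*' entry stands for "may masquerade in any web" (site admins).
my %ENTITLED = ( joeschmoe => { WebEntitled => 1 }, siteadmin => { '*' => 1 } );
# ASSUMED group membership, by login name.
my %GROUPS = ( TWikiAdminGroup => ['admin'] );

sub isEntitled {
    my ($realLogin, $web) = @_;
    my $webs = $ENTITLED{$realLogin} or return 0;
    return ( $webs->{'*'} || $webs->{$web} ) ? 1 : 0;
}

# Core of the initialize user handler: "REAL/MASQUERADE" only when the cookie
# names a target and the real user is entitled in the web being accessed.
sub masqueradeLogin {
    my ($loginName, $web, $cookieValue) = @_;
    return $loginName unless defined $cookieValue && $cookieValue =~ /^\w+$/;
    return $loginName unless defined $web && isEntitled($loginName, $web);
    return "$loginName/$cookieValue";
}
# The plugin handler TWiki calls (real signature); the web is taken from
# $pathInfo ("/Web/Topic") and the cookie from the CGI request object.
sub initializeUserHandler {
    my ($loginName, $url, $pathInfo) = @_;
    my ($web) = ($pathInfo // '') =~ m{^/([^/]+)/};
    my $cookie = TWiki::Func::getCgiQuery()->cookie('TWIKI_ON_BEHALF_OF');
    return masqueradeLogin($loginName, $web, $cookie);
}
# Login name <-> cUID as TWikiUserMapping does it: each non-alphanumeric
# character becomes '_' plus its hex code, so 'joeschmoe/admin' -> 'joeschmoe_2fadmin'.
sub login2cUID { my ($l) = @_; $l =~ s/([^A-Za-z0-9])/sprintf('_%02x', ord $1)/ge; $l }
sub cUID2login { my ($c) = @_; $c =~ s/_([0-9a-f]{2})/chr hex $1/ge; $c }

# User mapping side. $cUID may be masquerading; $identCUID never is.
# ASSUMED: the real identity keeps its own rights while masquerading.
sub isEquivalentCUIDs {
    my ($cUID, $identCUID, $topic, $web) = @_;
    my ($real, $masq) = split m{/}, cUID2login($cUID), 2;
    return 1 if login2cUID($real) eq $identCUID;
    return 0 unless defined $masq && isEntitled($real, $web);
    return login2cUID($masq) eq $identCUID ? 1 : 0;
}
sub isInGroup {
    my ($cUID, $group, $topic, $web) = @_;
    return ( grep { isEquivalentCUIDs($cUID, login2cUID($_), $topic, $web) } @{ $GROUPS{$group} || [] } ) ? 1 : 0;
}
sub isAdmin { my ($cUID, $topic, $web) = @_; return isInGroup($cUID, 'TWikiAdminGroup', $topic, $web) }
```

Only the =initializeUserHandler()= wrapper depends on =TWiki::Func::getCgiQuery()=; the other subs can be exercised outside TWiki, e.g. =isAdmin(login2cUID('joeschmoe/admin'), 'TopicIncluding', 'WebEntitled')= versus the same call with 'WebNot'.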
As you've seen, =isInGroup()= and =isEquivalentCUIDs()= in the user mapping handler are the crux of the user masquerading implementation.

---++ Who can masquerade

Masquerading is a meta feature in the sense that it sits above topic access permission: it's a mechanism to skew the access control mechanism. Putting the theoretical thought aside, the practical way is to allow the web admins (cf. AutonomousWebs) to masquerade in a web. MetadataRepository or some topics in the %SYSTEMWEB% web would be used to specify who can masquerade in a web.

Along the same lines as !TWikiAdminGroup, it's handy to have a set of users who can masquerade in any web. [[#Minimizing_exercise_of_privilege][To minimize exercise of privilege]], TWiki administrators need to be able to masquerade in any web.

---++ Logging while masquerading

In the TWiki log, each entry has the user's login name. In the scenario described so far, while masquerading, the user's login name is in the joeschmoe/janedoe format. Consequently, login names in that format are put in the log file.

---++ Topic reading another topic

Masquerading takes effect for a topic only if the user is entitled to it in that web. Let's take a closer look at how it works when a topic reads another topic. Here's the scenario:
   * !UserU1 is entitled to masquerading in !WebEntitled but not in !WebNot.
   * !UserU1's TWIKI_ON_BEHALF_OF cookie has 'admin', trying to masquerade as the TWiki Administrator user.
   * !WebEntitled.TopicIncluding doesn't allow !UserU1 to view and has: <verbatim>%INCLUDE{WebNot.TopicIncluded}%</verbatim>
   * !WebNot.TopicIncluded doesn't allow !UserU1 to view.
   * !WebNot.TopicIncluding can be viewed by !UserU1 and has: <verbatim>%INCLUDE{WebEntitled.TopicIncluded}%</verbatim>
   * !WebEntitled.TopicIncluded doesn't allow !UserU1 to view.

Thanks to masquerading as admin, !UserU1 can view !WebEntitled.TopicIncluding. But the user cannot see the part included from !WebNot.TopicIncluded, because the user cannot masquerade in !WebNot.
!UserU1 can view !WebNot.TopicIncluding, but masquerading doesn't take effect there. Because of that, the user cannot see the part included from !WebEntitled.TopicIncluded, even though the user can view !WebEntitled.TopicIncluded when accessing it directly. A similar effect can be seen with %<nop>SEARCH{...}% and other mechanisms reading other topics.

__Related Topics:__ AdminDocumentationCategory, TWikiAccessControl, AutonomousWebs, MetadataRepository, LargeSite
Topic revision: r1 - 2013-03-22 - TWikiContributor
Copyright © 1999-2024 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Note: Please contribute updates to this topic on TWiki.org at TWiki:TWiki.UserMasquerading.