[Cubicweb] Pyro and ZMQ deprecated?

Florent Cayré florent.cayre at logilab.fr
Thu Mar 13 16:39:58 CET 2014


Hi,

Some comments below.

Be aware that as expected, we just released signedrequest + 
rqlcontroller (for now in http://download.logilab.org/acceptance/).

Your feedback is very welcome if you find any time to test them.

Cheers,
Florent.

On 13/03/2014 11:24, Jinpeng Li wrote:
> Hi,
>
> I don't know how cubicweb.dbapi is going to be in the future; now 
> apparently cubicweb chooses API key authorization according to the 
> development of signedrequest/rqlcontroller.
>
> In fact, I would like to mention that both api key authorization 
> and username/password authorization exist in the webservice industry.
>
> https://blog.apigee.com/detail/do_you_need_api_keys_api_identity_vs._authorization
> ```
> API keys originated with the first public web services, like Yahoo and 
> Google APIs.
> Twitter simplifies things for their users by using usernames and 
> passwords for API authentication.
> ```
> In my opinion, the most difficult point is how to securely store the login 
> and password in a client program using Python, or each time the human user 
> types the login and password for the program.
>

The login/password way is natively supported by cubicweb (passing 
__login=XXX and __password=YYY in the URL or as URL-encoded POST 
arguments will automatically log you in before processing the request further).

> In addition, considering 
> compatibility, signedrequest/rqlcontroller could provide 
> two authorization ways; they do not conflict.
>

signedrequest also signs the request, which aims at being immune to a 
man in the middle. The password approach requires https.

> It would be better to leave cubicweb team to answer the future 
> development problem.
>
> Best,
> Jinpeng
>
> On Thu, Mar 13, 2014 at 10:20 AM, Yann Cointepas <yann at cointepas.net> wrote:
>
>     Hi,
>
>     I probably made things confusing by talking about a link between
>     password and signedrequest/rqlcontroller. Let's get back to a
>     simple user question.
>
>     When cubicweb.dbapi is obsolete, how will CubicWeb make it
>     possible for a user to use their own collection of Python scripts
>     using RQL to access a CubicWeb instance (not a single application,
>     possibly used on several devices located on several sites)? Today
>     using cubicweb.dbapi with login/password is very simple and
>     flexible. How is it going to be in the future?
>
>           Yann
>
>
>
>
> _______________________________________________
> Cubicweb mailing list
> Cubicweb at lists.cubicweb.org
> http://lists.cubicweb.org/mailman/listinfo/cubicweb


-- 

Florent Cayré

LOGILAB S.A.                      104, bd Auguste Blanqui 75013 PARIS
                                   tel +33 (0)1.45.32.03.12
                                   tel +33 (0)1.83.64.25.26
Python, Debian, XP training       http://www.logilab.fr/formations
Custom software development       http://www.logilab.fr/services
Python and scientific computing   http://www.logilab.fr/science
Knowledge management              http://www.logilab.fr/gestion-connaissances
CubicWeb, semantic web framework  http://www.cubicweb.org
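
The message above contrasts sending a login/password with signing the request. The following is an added example, not part of the original message and not the signedrequest cube's actual scheme: generic HMAC request signing in Python, showing that the secret never appears in the request and that a modified or stale request fails verification. The header names, token id, secret, skew window and URL are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo credentials: token id -> shared secret known to both sides.
SECRETS = {"demo-token": b"constructed-shared-secret"}
MAX_SKEW = 300  # seconds a signed request stays acceptable (assumed policy)


def _mac(secret, method, url, timestamp, body):
    """HMAC-SHA256 over every part of the request that must not change in transit."""
    body_hash = hashlib.sha256(body).hexdigest()
    message = "\n".join([method.upper(), url, str(timestamp), body_hash])
    return hmac.new(secret, message.encode(), hashlib.sha256).hexdigest()


def sign_request(token_id, secret, method, url, timestamp, body):
    """Client side: headers carry the token id and the MAC, never the secret."""
    mac = _mac(secret, method, url, timestamp, body)
    return {
        "X-Demo-Timestamp": str(timestamp),  # hypothetical header name
        "Authorization": f"Demo-HMAC {token_id}:{mac}",  # hypothetical scheme name
    }


def verify_request(headers, method, url, body, now):
    """Server side: recompute the MAC over what actually arrived and compare."""
    try:
        scheme, credentials = headers["Authorization"].split(" ", 1)
        token_id, received = credentials.split(":", 1)
        timestamp = int(headers["X-Demo-Timestamp"])
    except (KeyError, ValueError):
        return False
    secret = SECRETS.get(token_id)
    if scheme != "Demo-HMAC" or secret is None:
        return False
    if abs(now - timestamp) > MAX_SKEW:  # a captured request replayed later
        return False
    expected = _mac(secret, method, url, timestamp, body)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), received.encode())


# Constructed request: an RQL query posted to a hypothetical instance URL.
URL = "https://cw.example.org/demo-endpoint"
BODY = b"rql=Any X WHERE X is CWUser"
SIGNED_AT = 1394725198
HEADERS = sign_request("demo-token", SECRETS["demo-token"], "POST", URL, SIGNED_AT, BODY)
```

The signature protects integrity and authenticity of the request, not its confidentiality, so the request and response contents are still readable on the wire without HTTPS.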
