Need Help for Zope5 extra roles from DB

Dear All

I am working with Zope v5 and I must integrate new dynamic roles (database defined) to the standard AccessControl library:

import AccessControl
my_user = AccessControl.getSecurityManager().getUser()
roles = my_user.getRoles()

I have read lots of specification about the Delegating / Role and the function getUserDetails which reads the following data in order to work properly and provide extra information from database to framework via query: NAME, PASSWORD, ROLE.

What combination of plugins such as "ZODB User Manager" / "Scriptable Plugin" is needed to do this?
After numerous attempts I still can't get it working.

Thank you very much for taking the time to resolve this question

In the "Pluggable Authentication Service" you have the ability to define roles plugins. See Pluggable Authentication Service — Plone Documentation v4.3

Also, take a look at the plugins defined in the acl_users object, that's the starting place.

I think this can be a good starting point, add roles and groups dynamically based on http headers. It is a multiplugin plugin (implements different interfaces).

Pollicino via Plone Community wrote at 2022-11-7 11:00 +0000:

I am working with Zope v5 and I must integrate new dynamic roles (database defined) to the standard AccessControl library:

AccessControl already supports user defined roles
via the AccessControl.rolemanager.RoleManager
attribute __ac_roles__.

Usually, this is a static attribute (directly defining the roles
known by this RoleManager).
But in your own RoleManager class, you could make it
dynamic.

import AccessControl
my_user = AccessControl.getSecurityManager().getUser()
roles = my_user.getRoles()

The __ac_roles__ attribute mentioned above would make
the custom roles known to the ZMI access page (i.e. manage_access)
and allow you to use them in the permission to role mapping.
It would not give a user different roles.
For this, you would need a custom user/user folder implementation,
e.g. Products.PluggableAuthService -- as suggested by other
commenters.

Hi all
I tried creating a "Delegating" Object, and put in it the "User Folder".
The idea is to insert an SQL method into the "User Folder" but in the Delegating obj I cannot associate the Interface IUserEnumerationPlugin (because it does not appear in its list).

Is this the right way, or am I wrong in some step?

Thanks

Pollicino via Plone Community wrote at 2022-12-6 14:39 +0000:

...
I tried creating a "Delegating" Object, and put in it the "User Folder".
The idea is to insert an SQL method into the "User Folder" but in the Delegating obj I cannot associate the Interface IUserEnumerationPlugin (because it does not appear in its list).

With Products.PluggableAuthService,
each plugin type supports only a small number of interfaces.

Formerly, you wrote about your need to get roles from a database.
Role related interfaces are IRolesPlugin, IRoleAssignerPlugin
and IRoleEnumerationPlugin.
You likely need your custom plugin implementation implementing
some of those interfaces to get roles from a database
(as the database schema is likely proprietary).

Now you speak about IUserEnumerationPlugin.
This indicates that you do not only have roles in the database
but other user information as well. In this case, your plugin
must support additional interfaces.

I looked for documentation and the idea was to:

making psql_scripts obj (with interface : Roles getRolesForPrincipal)
into acl_users(PAS) and putting in it a pyscript "getRolesForPrincipal" querying my DB
returning a list of roles, but the following code cannot integrate extra roles:

myuser = AccessControl.getSecurityManager().getUser()
return myuser.getRoles()

Who could be so kind as to provide me assistance on how to do it?
What am I doing wrong? I spent lot of time on it.

The documentation isn't very good and answers like "you should use this or read that" really don't help me.
thank you for your patience

Pollicino via Plone Community wrote at 2022-12-9 09:09 +0000:

I looked for documentation and the idea was to:

making psql_scripts obj (with interface : Roles getRolesForPrincipal)
into acl_users(PAS) and putting in it a pyscript "getRolesForPrincipal" querying my DB
returning a list of roles, but the following code cannot integrate extra roles:

myuser = AccessControl.getSecurityManager().getUser()
return myuser.getRoles()

In principle, it should work.

Have you activated your plugin for the roles interface?
It is not sufficient to have the plugin installed, it must also
be activated.

If things remain strange, you might try debugging to clear things up.
A starting point could be to put a (code) breakpoint into your plugin.
If it is not hit, you did something wrong with your plugin integration.

Ok, thanks for the tip!
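
Added example, not code from any poster in this thread or from the PluggableAuthService project: a custom plugin of the kind the replies describe, implementing `getRolesForPrincipal` from IRolesPlugin with a bound-parameter query, an allowlist of grantable roles and a fail-closed error path. The table `user_roles`, the `DB_GRANTABLE_ROLES` allowlist, the plugin id `sql_roles` and sqlite3 standing in for the real database are assumptions; the import fallback exists only so the lookup can be exercised outside Zope.

```python
import sqlite3
from contextlib import closing

try:  # inside Zope with Products.PluggableAuthService installed
    from Products.PluggableAuthService.interfaces.plugins import IRolesPlugin
    from Products.PluggableAuthService.plugins.BasePlugin import BasePlugin
    from Products.PluggableAuthService.utils import classImplements
except ImportError:  # fallback so the lookup logic also runs outside Zope
    BasePlugin, IRolesPlugin, classImplements = object, None, None

# Hypothetical allowlist: roles the database may grant. Manager is left out
# on purpose, so a tampered row cannot escalate to full control.
DB_GRANTABLE_ROLES = frozenset({"Reviewer", "Auditor"})


class SQLRolesPlugin(BasePlugin):
    """Roles plugin; table user_roles(login, role) is an assumed schema."""
    meta_type = "SQL Roles Plugin (example)"

    def __init__(self, id, db_path, title=""):
        self.id = id
        self.title = title
        self.db_path = db_path  # sqlite3 stands in for the real database

    def getRolesForPrincipal(self, principal, request=None):
        """IRolesPlugin method: PAS calls it for each active roles plugin."""
        try:
            with closing(sqlite3.connect(self.db_path)) as conn:
                rows = conn.execute(
                    "SELECT role FROM user_roles WHERE login = ?",  # bound parameter
                    (principal.getId(),),
                ).fetchall()
        except sqlite3.Error:
            return ()  # fail closed: a database error grants no extra roles
        return tuple(sorted({row[0] for row in rows} & DB_GRANTABLE_ROLES))


if classImplements is not None:
    classImplements(SQLRolesPlugin, IRolesPlugin)
# After adding an instance to acl_users it must also be activated, e.g.
#   acl_users.plugins.activatePlugin(IRolesPlugin, "sql_roles")


def build_demo_db(path):
    """Create constructed sample rows (not data from the thread)."""
    with closing(sqlite3.connect(path)) as conn:
        conn.execute("CREATE TABLE user_roles (login TEXT, role TEXT)")
        conn.executemany("INSERT INTO user_roles VALUES (?, ?)", [
            ("alice", "Reviewer"), ("alice", "Manager"), ("bob", "Auditor")])
        conn.commit()
```

Product registration, which makes the plugin appear in the ZMI add list, is not shown.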