Remove Zend\Acl from 2.0, update and then add to 2.1?

+1

The Acl component has been already dropped from our project.

On Mon, Jul 23, 2012 at 2:38 PM, Rob Allen <[hidden email]> wrote:

Hi all,


I've seen some discussion about Zend\Acl and whether it's the best it could be for ZF2.0 [1]. To the best of my knowledge, there's at least 3 modules that do their own Acl, presumably because Zend\Acl isn't good enough?

Does anyone have an opinion on whether it's good to go or whether we should pull it from 2.0, do an RFC, re-work it and then introduce for 2.1?


Regards,

Rob...


[1]: https://github.com/ZF-Commons/RFC/issues/1#issuecomment-7164039 - the thread is mostly about which Acl module should integrate with ZfcUser, but the comments on Zend\Acl is relevant.

--

Taiwen Jiang (aka D.J.)

Build Xoops Engine

http://www.xoopsengine.org

web and mobile application platform

CTO for EEFOCUS.com

Leading social platform for electronics professionals

Hi all,


I've seen some discussion about Zend\Acl and whether it's the best it could be for ZF2.0 [1]. To the best of my knowledge, there's at least 3 modules that do their own Acl, presumably because Zend\Acl isn't good enough?

Does anyone have an opinion on whether it's good to go or whether we should pull it from 2.0, do an RFC, re-work it and then introduce for 2.1?


Regards,

Rob...


[1]: https://github.com/ZF-Commons/RFC/issues/1#issuecomment-7164039 - the thread is mostly about which Acl module should integrate with ZfcUser, but the comments on Zend\Acl is relevant.

-1.

Three modules exist in order to simplify its usage. Here is a rough timeline: ZfcAcl came first, but a lot of people found it difficult to extend. SpiffyJr started writing SpiffySecurity, then decided he wanted to go with an RBAC solution instead of ACL. As a response, I went ahead and wrote BjyAuthorize which is based ideas from both SpiffySecurity and ZfcAcl.

I don't believe there is anything inherently wrong with Zend\Acl. The various modules pretty much only provide two features:
 - simplified/unified loading of roles and resources through events or "providers"
 - identity integration (e.g. integration with ZfcUser, being able to query based on the currently authenticated user, etc.)

Neither of these are things you would necessarily want to do with an ACL, so I think it's entirely appropriate to have modules assist with these things. Any particular application might want to handle ACL loading its own way, and some applications might want to query an ACL based on a role outside the currently authenticated set of roles.

The concern has also been raised that loading roles/resources Zend\Acl can be a bottleneck in dynamic applications with large (and growing) numbers of roles and/or resources. I've addressed this concern in more detail in this comment: https://github.com/ZF-Commons/RFC/issues/1#issuecomment-7170924

The only potential problem I can see is telling Zend\Acl\Assertion\AssertionInterface which instance of a resource you want to query (i.e. you want to call isAllowed on blog post #27). Not only are there workarounds to this problem, but fixing it should only require a minor refactoring to AssertionInterface instead of an entire rewrite.

I feel I've worked with Zend\Acl fairly extensively, and I think the component is pretty solid. Anyone voting +1 to remove it needs to provide some strong reasoning as to what's wrong, why it's wrong, and (preferably) how it should be.

@bjyoungblood I know this solution, I've been doing that 5 years ago and it sucks. I ended removing Zend_Acl completely.

Zend\Acl\Assertion is a "last resort" type of thing. If I need a custom function to inject models every time for each query, then why would I need the whole Acl component? Why not just

Service\Permissions::hasAccess(UserModel $user, $what)

.... a custom service that does the same thing, but does not require instantiation and will do basically what theHasPermissionAssertion above does + one more if for the actual check.

Of course this totally ignores user groups, permissions, multiple resources etc. Again - if primitive Zend\Acl container is injected with real-time data each time there's an assertion, then why do I need the Acl? why all this overhead? If it's all JIT injection, then the container would (at any given time) only contain 1 role, 1 resource and a few rules ?

I won't even go into permission queries - for example: show me all users that have write access to resources belonging to group resource_group_a. With current implementation, impossible unless you instantiate each and every model from db, then go with each and every resource, all rules and assertions, and loop through the whole thing. Good luck :)

You've just confirmed what I said earlier, by stating it's a workaround. My proposal is to forget workarounds and build a proper 2012 php acl solution, make it scallable to make both small developers happy, and put MS ActiveDirectory ACL to shame ;) We can also easily make the new component BC with old one, give it the same in-memory containers (adapters), rules, resources and roles.

2. There is no need for a big overhaul imho. I also agree with Ben Youngblood here [2] where a few optimizations might already result in a "zf2-ready" component. But I much better prefer a little waiting time above a complete 2.x series where everybody use their own Acl mitigating the Zend\Acl problems. Zend\Acl should address a generic framework-style problem where the Acl modules should address the userland problem.

On Mon, Jul 23, 2012 at 9:06 AM, Jurian Sluiman <[hidden email]> wrote:

2. There is no need for a big overhaul imho. I also agree with Ben Youngblood here [2] where a few optimizations might already result in a "zf2-ready" component. But I much better prefer a little waiting time above a complete 2.x series where everybody use their own Acl mitigating the Zend\Acl problems. Zend\Acl should address a generic framework-style problem where the Acl modules should address the userland problem.

I disagree. ZF2 is our only chance for big BC breaks. 

Zend\Acl is just Zend_Acl in namespaces. It's old and in my personal opinion - useless. Forget me. The thing is, there are people with real ideas we can work on. There is real criticism here and real ideas for enhancements and new features we could implement. 

Remember that ACL is just a single security model - there are many more that'd be suitable for web apps in different shapes and sizes - http://en.wikipedia.org/wiki/Computer_security_model. 

Maybe instead of Zend\Acl we should talk more Zend\Security ? ps: marketing-wise, that ns would look awesome if included in the zf2 core ;) It could also group other security-related components.

Right now, I believe it's easier to reboot and start fresh with an RFC and use the "ZF2 opportunity" to remove old stuff. If we can't make it before 2.0.0 we should remove old component to avoid confusion and re-introduce it in 2.1 or whenever we're ready.

-- 
      __
     /.)\   <a href="tel:%2B48%20695%20600%20936" value="+48695600936" target="_blank">+48 695 600 936

     \(./   [hidden email]

 

@Arthur: on the other side, Zend\Acl can still be useful, especially now that it is available as a composer package. It does its job for simpler apps after all.

It could be deprecated or just not be enhanced, and since the idea seems to build a Zend\Rbac|Zend\Security instead (didn't follow closely the discussion on Zfc :( ), I don't see any problems in keeping something that is still very stable and well known without bringing some real innovation to it. As already pointed out, we won't really get anywhere without a rewrite, and having that major rewrite within a Zend\Security namespace seems to be a good idea!

Marco Pivetta

http://twitter.com/Ocramius     

http://marco-pivetta.com    

On 23 July 2012 10:56, Artur Bodera <[hidden email]> wrote:

On Mon, Jul 23, 2012 at 9:06 AM, Jurian Sluiman <[hidden email]> wrote:

2. There is no need for a big overhaul imho. I also agree with Ben Youngblood here [2] where a few optimizations might already result in a "zf2-ready" component. But I much better prefer a little waiting time above a complete 2.x series where everybody use their own Acl mitigating the Zend\Acl problems. Zend\Acl should address a generic framework-style problem where the Acl modules should address the userland problem.

I disagree. ZF2 is our only chance for big BC breaks. 

Zend\Acl is just Zend_Acl in namespaces. It's old and in my personal opinion - useless. Forget me. The thing is, there are people with real ideas we can work on. There is real criticism here and real ideas for enhancements and new features we could implement. 

Remember that ACL is just a single security model - there are many more that'd be suitable for web apps in different shapes and sizes - http://en.wikipedia.org/wiki/Computer_security_model. 

Maybe instead of Zend\Acl we should talk more Zend\Security ? ps: marketing-wise, that ns would look awesome if included in the zf2 core ;) It could also group other security-related components.

Right now, I believe it's easier to reboot and start fresh with an RFC and use the "ZF2 opportunity" to remove old stuff. If we can't make it before 2.0.0 we should remove old component to avoid confusion and re-introduce it in 2.1 or whenever we're ready.

-- 
      __
     /.)\   <a href="tel:%2B48%20695%20600%20936" value="+48695600936" target="_blank">+48 695 600 936

     \(./   [hidden email]

 

@Arthur: on the other side, Zend\Acl can still be useful, especially now that it is available as a composer package. It does its job for simpler apps after all.
It could be deprecated or just not be enhanced, and since the idea seems to build a Zend\Rbac|Zend\Security instead (didn't follow closely the discussion on Zfc :( ), I don't see any problems in keeping something that is still very stable and well known without bringing some real innovation to it. As already pointed out, we won't really get anywhere without a rewrite, and having that major rewrite within a Zend\Security namespace seems to be a good idea!

On Mon, Jul 23, 2012 at 11:17 AM, Marco Pivetta <[hidden email]> wrote:

@Arthur: on the other side, Zend\Acl can still be useful, especially now that it is available as a composer package. It does its job for simpler apps after all.
It could be deprecated or just not be enhanced, and since the idea seems to build a Zend\Rbac|Zend\Security instead (didn't follow closely the discussion on Zfc :( ), I don't see any problems in keeping something that is still very stable and well known without bringing some real innovation to it. As already pointed out, we won't really get anywhere without a rewrite, and having that major rewrite within a Zend\Security namespace seems to be a good idea!

Marco - here is the problem with this solution:

1) We keep that (simple) Zend\Acl in ZF2.

2) It gets into ZF2.0.0

3) People start using it... 

4) Later ... we create Zend\Security\* with ACL, RBAC, LBAC etc.

5) Now you have BOTH ---- Zend\Acl  +  Zend\Security\Acl 

6) You cannot remove Zend\Acl, because people are using it....

-- 
      __
     /.)\   <a href="tel:%2B48%20695%20600%20936" value="+48695600936" target="_blank">+48 695 600 936
     \(./   [hidden email]

 

I think at this point the only real question I have is what _namespace_
our current implementation should live in for the stable release. Right
now, it's a top-level component, and I wonder if it should live in a
"Zend\Security" namespace, or a "Zend\Permissions" namespace.

> If we put it into Zend\Security it's even worse, because we use that
> brand new, shiny namespace and stuff it with ye olde component we
> clearly plan to refactor (with very high BC break probability).

See above. If you feel that strongly, we'll leave it where it is, but I
think that will cause more confusion later, when people wonder why it's
a top-level component and not under the Zend\Security namespace where
the other permission APIs live.