Hi Shane

On 18/05/2015 14:43, Shane Kerr wrote:
Tim, Denis, other database folks,
On Sat, 16 May 2015 16:46:44 +0200 Tim Bruijnzeels <tim@ripe.net> wrote:
The basic idea was to allow authorisation tokens in PERSON objects,

Yes, the important point here is that the credentials are on PERSONs, rather than in one anonymous blob that is today's MNTNER.

Basically, I think of PERSON objects as reflecting contact information about someone in the real world. This has nothing to do with database administration.
ROLE objects are a handy layer of indirection so that you can substitute a job function any place you need contact information. Again, nothing to do with database administration.
I think it is a question of mindset here. You are thinking of the ROLE object in the context it has been implemented within the RIPE Database. Right now it is only used for contacts. As a long established and experienced user of the DB that makes sense to you. It is how you have always seen it and used it.

But think about the definition of the word 'role':

"A prescribed or expected behavior associated with a particular position or status in a group or organization."

"Jobs or positions that have a specific set of expectations attached to them."

So in an organisation, if a group of people carry out a shared or common task, they collectively fulfil a role. When you talk to newbies to the database this is how they tend to think. When they say "we maintain the data" they are actually thinking about a group of people tasked to perform this action collectively... that is a role.

This is why it takes so long on the DB training course to teach newbies how to set up a person and maintainer. You have to first sweep away their natural thoughts and then re-educate them into the ways of the MNTNER object.

cheers
denis
MNTNER objects are the equivalent of a website login. They are a way to authenticate yourself to the database as a database user. They have nothing to do with contact information.
----
This seems pretty straightforward, but it does seem to confuse everyone. Possibly the confusion comes from the name? "Maintainer" doesn't really scream "this is how I authenticate myself, and what authorizations are attached to".
I guess I'm fine with adding new authorization mechanisms to the database... compared to our existing mechanisms it doesn't make anything less secure. I do worry about it increasing the confusion rather than making things more straightforward though. :(
Cheers,
-- Shane