[Mailman-Developers] User-centric authentication and access control

Andrew Stuart andrew.stuart at supercoders.com.au
Wed Sep 2 05:02:43 CEST 2015


As far as I know that’s a pretty good summary.  I should say however I really don’t know much except about Mailmania.  You’d get better information on Postorius from Aurelien and Barry is the authority on the Mailman core.

It’s important to understand that Mailman core defines the resources and allows assignment of membership and ownership of those resources.  The business rules for how that is interpreted is left up to the application server, so Mailmania and Postorius almost certainly do it differently.  Anyway you probably don’t need to think about that.

The most battle tested parts of this are Mailman Core and Postorius. Mailmania isn’t used as far as I know - someone may do so one day but for the most part it’s leading a quiet life.

>>I'm assuming Mailmania relies on presenting a username and password directly to the Mailman REST API to authenticate?
That is correct.

>>Or would it also have some mechanism to let you customize the authentication mechanism?
All Mailmania’s login function does is check username and password with the core. If all good then it hands back a token.  There’s no reason you couldn’t modify that very simple logic to do some other check like looking up in LDAP and then handing back the token.   Probably you’d create an additional login function that does whatever auth logic you want and then hands back a JWT.

I don’t know anything about Django authentication.  Others may comment on that.

as

On 2 Sep 2015, at 12:50 pm, Waldbieser, Carl <waldbiec at lafayette.edu> wrote:


I believe I have a better understanding of the puzzle pieces, now.  In a nutshell:

* Mailman 3 allows you to assign administrative privileges to individual users who may log in with their own credentials.
* Mailman 3 is composed of several separate projects that work together to form a coherent system.
* The Postorius component is the Django-based web UI component for Mailman 3.
* Because it is Django based, the authentication scheme for Postorius can be customized by configuring the appropriate Django authentication middleware (e.g. REMOTE_USER [1]).
* The Mailman REST API provides you with superuser-like access to Mailman, and should only be used to integrate trusted apps.
* Mailmania can be used to provide external access to the RESTful API.  Requests are authenticated, and the typical access controls are enforced.

It seems to me that if I have an authentication mechanism that supports exporting the authenticated user via REMOTE_USER into the web server environment, then I could use that mechanism with Django + Postorius.

I'm assuming Mailmania relies on presenting a username and password directly to the Mailman REST API to authenticate?  Or would it also have some mechanism to let you customize the authentication mechanism?

Thanks,
Carl Waldbieser
ITS Systems Programmer
Lafayette College

[1] https://docs.djangoproject.com/en/1.8/howto/auth-remote-user/

----- Original Message -----
From: "Andrew Stuart" <andrew.stuart at supercoders.com.au>
To: "waldbiec" <waldbiec at lafayette.edu>
Cc: "mailman-developers" <mailman-developers at python.org>
Sent: Tuesday, September 1, 2015 9:58:32 PM
Subject: Re: [Mailman-Developers] User-centric authentication and access control

Postorius is a Django app that talks directly to the Mailman 3 REST API and integrates everything needed to get the job done including user interface, authentication and authorization.

Mailmania is an authenticating reverse proxy server.  Effectively it would allow someone to write a purely JavaScript browser based interface to Mailman 3, and it would provide the back end authorization and authentication.  No such JavaScript interface exists though. Mailmania provides a way for the public to talk to the Mailman 3 core REST API. 

In very loose terms you can imagine if you pulled Postorius apart into a backend and a JavaScript user interface/front end, then Mailmania would be the equivalent of the back end. Sort of.

If you wanted to write a user interface for Mailman using ReactJS or AngularJS then you’d probably want it to talk to Mailmania.

If you want to actually have a working interface to Mailman 3 then you need Postorius as no-one has written any user interface code for Mailmania.

as
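The login flow Andrew describes above (check the credentials, then hand back a JWT, with the check swappable for something like an LDAP lookup), as an added Python example that is not Mailmania's or Mailman's own code. `CONSTRUCTED_USERS`, `core_check` and the HS256 helpers are stand-ins made up for this example; a real deployment would defer the credential check to the Mailman core's REST API.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for "check username and password with the core" (example only).
CONSTRUCTED_USERS = {"carl": "correct horse battery staple"}

def core_check(username: str, password: str) -> bool:
    stored = CONSTRUCTED_USERS.get(username)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_jwt(subject: str, secret: bytes, ttl: int = 3600, now=None) -> str:
    """Build an HS256 JWT (header.payload.signature) for an authenticated user."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": subject, "iat": now, "exp": now + ttl}).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def verify_jwt(token: str, secret: bytes, now=None):
    """Return the subject if the signature is valid and the token is unexpired, else None."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    # The header's alg field is deliberately ignored: HS256 with our key is the only accepted scheme.
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected).encode(), sig.encode()):
        return None  # tampered, or signed with a different key
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= now:
        return None  # expired
    return claims.get("sub")

def login(username: str, password: str, secret: bytes, check=core_check, now=None):
    """Mailmania-style login: run the pluggable check, then hand back a JWT.
    Swapping `check` (e.g. for an LDAP bind) leaves token issuance untouched."""
    if not check(username, password):
        return None
    return issue_jwt(username, secret, now=now)
```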