The FamilySearch Security Policy Editor and the Zope Component Architecture

Over the past couple of months, I have been working to make it easy for administrators to create and maintain a complex security policy for a giant archive of digital artifacts.  In the process, I think I have found a useful way to configure complex software systems such as Zope 3.

A Security Policy for Dead People

The archive in question stores images, documents, and various other records about dead people.  (Genealogy is mostly about dead people, after all!)  The archive has not yet been deployed, but it will replace an existing simpler system.  Assuming the archive is successful, developers at familysearch.org (my employer) will want to adopt it for their own purposes.  As adoption grows, so will the complexity of the security policy applied to the archive.  Therefore, the security policy must be manageable.  People should not fear the prospect of making changes to the security policy.  Changes in how the system is used should lead to changes in the policy.  If the policy does not evolve with usage, the archive will stagnate to some extent and so will some of the work being done.

Because the requirements are complex, the security policy is also complex.  There are currently six degrees of freedom, meaning that there are six independent variables that affect the outcome of a security policy check.  I don’t know about everyone else, but my quick intuition is typically limited to three dimensions; any more requires a great deal more rational exercise.  Six dimensions is often too much to work with quickly and confidently.

However, I believe the right user interface can optimize that kind of rational exercise.  Following that belief, I created a graphical tool for managing the security policy.  It can answer questions with simple interactions, increasing people’s confidence that they are changing the policy correctly.  I eliminated the need for humans to parse and generate XML, which I think they will find helpful.  But the best part, I think, is I put test-first methodology right before the user’s face.  A screen shot follows.

FamilySearch RBAC Policy Editor

The acronym RBAC in the title stands for Role-Based Access Control.  The six trees in the top left represent the six degrees of freedom; each degree has a grouping hierarchy.  On the right is a report of whether users attempting the selected combination would be granted access.  The reports are updated instantly whenever the user selects a tree node.  The screen shot posted here is showing that according to the policy.xml file in my home directory, users with any role can retrieve any image stream of any published image artifact, regardless of license.  This interface is the place to change that policy.

At the bottom, there are three tabs.  The first tab has a table showing all policy directives.  A directive states that access is to be allowed or denied if the request fits the specified combination.  To change the policy so that people must at least be authenticated before viewing images, the user of this application simply selects the directive shown, clicks the Edit button, chooses a different role, and clicks Ok.

In the status bar is a report of how many tests are passing.  If people use this feature, I expect the application to be quite successful.  The tests tab contains a matrix of tests and test users; each test user has a list of roles.  The cells of the matrix each have a checkbox that shows whether a given test user is expected to be able to do something according to the policy.  If the outcome of the policy does not match the expectation, the cell turns red and the number of passing tests decreases.

RBAC Editor showing tests tab

The report panels on the right feature the ability to show all directives or tests that meet some criteria.  If I want to know why someone’s access is denied when I thought some directive allowed it, I select the conditions of their request, then look on the right to see what the policy says about it.  If it says no directives match, then I select or deselect conditions on the left until I find the directive that needs to change.  If there really is no directive that matches, I add a new directive (and a test!) and verify the change using the report panels again.

The application has other goodies designed to increase users’ confidence, such as fully integrated undo/redo, error and warning highlights instead of cryptic dialog boxes, and “find” fields that filter the rows of the tables.  I expect that this is enough for a security policy administrator.  To make it as friendly as an iPod is not a goal and would even be a disservice for people who are responsible for complex things like a security policy.

A Configuration for Living People

Throughout the process of designing and implementing this, I have kept one thought in my mind: could I use something like this to configure components in the Zope component architecture?  The component architecture solves big, interesting problems, but it also makes the outcome of configuration decisions much less obvious.  If I made an application like this that lets you see and modify the outcome of configuration decisions interactively, would it be useful to the developer community at large?

Boy, would I love to find out.  I started the Zope Jam project some time ago and haven’t done anything with it since, although I thought my initial prototypes looked promising.  I stopped the project because I felt something nagging at me that the design was wrong.  Now I think I see one specific blocker: the whole thing was designed around ZCML.  It appears today that the Zope community strongly supports the component architecture, but not necessarily ZCML.  So the new project would be an interactive configuration browser and it may support more than one way of modifying the configuration.

I still prefer to make it a desktop GUI application (written in Python, rather than Java Swing, which was required for the policy editor), with a variety of low-latency widgets and no access control issues, rather than a browser-based application.  It should run user code directly, so that when the user asks what the outcome of an adapter lookup would be, the GUI’s answer would always be correct.  It should integrate tests of the configuration much like I did with the policy editor.  It should do everything possible to increase the software developer’s confidence in the component architecture.

Let’s Build This

Does anyone else get excited about this?  I love finding ways to make complex things simple.  If I could find a company to fund the development of this, I would work on it full time.  I think it would be a major time saver for any company that is doing significant software development using the Zope component architecture.

There Goes Another Heater Barrel

I put together my fourth heater on Friday and Saturday.  It worked fine for a while; I was able to extrude both HDPE and ABS!  However, after I allowed the plastic to cool in the extruder, I could not get the extruder to drive the plastic again, no matter how hot I melted it.  I had to disassemble the heater to clean it out.  As I was working to remove the ABS, one of the leads attached to the nichrome wire broke.  I don’t have any way to fix those leads, so the fourth heater is lost.  At least I was able to salvage most of the parts.

I now see a pattern in nearly all of the heaters I have built: the nichrome leads have broken every time, and re-heating plastic already in the extruder has never worked and led to major problems.  The re-heated plastic simply refuses to move out the nozzle, no matter how hard the motor pushes; the plastic tends to find alternate paths to exit the heater!

I spent some time thinking about these problems.  I intend to solve the nichrome lead problem by attaching a short metal bar to the heater barrel, the bar extended horizontally, then gluing the leads (bare copper wire) to the bar using JB weld (a hard insulator that can withstand about 310 degrees C).  The extended end of the bar, which should be much cooler than the end attached to the heater, will have a 2 pin socket so I can detach the heater easily.

The problem with re-heated plastic is still a mystery.  The third heater used a PTFE insulator mounted flush against the heater barrel, as specified by the bitsfrombytes diagrams.  With that design, a lot of the plastic exited out the top of the barrel instead of the nozzle, although I can’t remember whether I was using re-heated plastic at the time.  The fourth heater had an 8mm length of the M6 pipe threaded into the PTFE insulator.  Although the fit between the heater and insulator seemed very tight, the ABS still found a way to exit out the top and made a nasty hard shell covering the threads.  I now realize that the M6 tap I used was designed for tapping hard materials like metal, not soft PTFE; an M6 tap designed for soft material would have a slightly smaller diameter.  Next time, I will make my own tap using brass or just force an M6 screw into the PTFE.

By the way, I have begun putting together a BoM for the hardware I actually used.  Tres expressed interest in it and I imagine others will be interested, especially now that Vik has provided a way to buy the laser cut parts for around $400, a lot less than what I paid.  Excellent work, Vik!