Monday, April 30, 2007

Authentication in Ruby on Rails

I've been getting sporadic time fragments to spend on Ruby on Rails, hardly throwing myself into it, but the best I can manage with my work and family commitments. One of the key items I'm wrestling with is user authentication.

This is an important area to me as any web app I am likely to write in Rails will need to authenticate users, at the very least site admins, but more likely regular users that have private data/functions they need to access.

Allow me to explain a crucial point here; when people look at application security there are two related, but different, concepts that are often confused. These are authentication and authorisation.

Authentication

This is how you prove that you are who you claim to be. An authenticated user is one whose claimed identity we accept.

Authorisation

This is how we determine what you are allowed to do. The first step is always to authenticate that you are really who you claim to be; the next is to determine what authorisation you have been granted within our application.

I actually intend to implement both concepts in my breakable toy apps, but unless I can find a good answer to the first one, I won't be able to do the second.

Fortunately authentication systems can be easily shared. For example, I could try to implement Google account authentication, which would allow users to log in to my application using their Google account. The acts_as_google_account plugin might give me exactly what I need in this area. That places the burden of user administration on Google and leaves me just worrying about authorisation.

It is much harder to take on board someone else's authorisation system, as it is by necessity interwoven with the object model we are using, and may not meet anyone else's expectations about how to control user access. A truly orthogonal authorisation system may be possible, but I have yet to see one.

Anyway, my problem at the moment is that acts_as_google_account has minimal documentation, no test cases and a module called "Foo" ... hardly something that instils confidence in the code. I could look at the Acts as Authenticated plugin, which at least is documented (almost well documented) and widely used, and someone has already worked out how to install the plugins as generators (which is more what they are).

ModelSecurity is very nice as it implements at the model level, avoiding the potential loopholes that controller-based authorisation schemes provide (e.g. a new controller is built that exposes the models without implementing the right security scheme). However there are some concerns with its integration with auto-completing text fields. But at least some of the issues have been worked out for me.

I had read someone complain that ModelSecurity implements a single level of security, which would be less than useful for me, however a read of the ModelSecurity class reference shows that the security scheme allows you to specify any test you like, so you could implement user security groups or other funkiness as you will (e.g. allow access for users whose firstname begins with "A" and a date of birth in April for any even-numbered year).
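As an added illustration (plain Ruby, not Rails, and not the ModelSecurity plugin's own API), here is the model-level idea from the last two paragraphs: each operation's rule is an arbitrary block stored on the model, and every access path runs through it, so a new controller written without any security code still cannot get at the data. The User, Order and Current names, and the two "controller" functions, are assumptions for the example.

```ruby
require 'date'
class AccessDenied < StandardError; end
# Assumed user record: only the fields the rules below need.
User = Struct.new(:name, :firstname, :dob, :admin)
# Stand-in for the "current user" a Rails app tracks per request (assumption).
module Current
  class << self; attr_accessor :user; end
end
# Mixin: a model declares one predicate per operation. Every read or write
# path of the model funnels through authorise!, so no controller can reach
# the data without the predicate being evaluated.
module ModelLevelSecurity
  def self.included(base); base.extend(ClassMethods); end
  module ClassMethods
    def access_rules; @access_rules ||= {}; end
    def allow(op, &rule); access_rules[op] = rule; end
  end
  def authorise!(op)
    rule = self.class.access_rules[op]
    raise AccessDenied, "#{op} on #{self.class}" unless rule && rule.call(Current.user, self)
  end
end

class Order
  include ModelLevelSecurity
  attr_reader :owner   # price is deliberately only reachable through a checked method
  def initialize(owner, price); @owner, @price = owner, price; end

  # Rules are ordinary Ruby: the owner or an admin may read the order...
  allow(:read)   { |u, o| u && (u.admin || u.name == o.owner) }
  # ...and, as the post's deliberately silly example, only a user whose first
  # name begins with "A", born in April of an even-numbered year, may update it.
  allow(:update) { |u, _| u && u.firstname.start_with?("A") && u.dob.month == 4 && u.dob.year.even? }

  def price_for_display; authorise!(:read); @price; end
  def reprice!(new_price); authorise!(:update); @price = new_price; end
end

# Two "new controllers" written with no security code of their own: the
# model still decides, and they report :forbidden when its rule fails.
def controller_show(order, user)
  Current.user = user
  order.price_for_display
rescue AccessDenied
  :forbidden
end

def controller_reprice(order, user, price)
  Current.user = user
  order.reprice!(price)
rescue AccessDenied
  :forbidden
end
```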

Other possibilities are to look at ActiveRBAC (RBAC = Role-Based Access Control) and the Authorization plugin.

Of them all, ModelSecurity appeals to me the most as it secures at the lowest level possible. Hopefully the next time I write about this I will have implemented it in one of my toy apps.

Sunday, April 29, 2007

Managing badly against the grain

Bob Sutton (author of The No Asshole Rule) has an interesting article at Harvard Business Online on the discontinuity between the accepted wisdom regarding 'superstar' employees and the objective evidence about that wisdom. I've got family members in the HR consulting area, so I find this sort of thing interesting, but I came across this bit about the No Asshole Rule which seemed worth sharing:
“there were several CIOs who emphasized that such bosses and work climates not only drove people out, but they created environments where people devoted too much energy to avoiding blame and the wrath of others, and not enough time to actually doing their jobs”
Have you ever experienced an asshole boss or work climate? I have, at two different workplaces, and it took a terrible toll both times. Apart from the fact that it wears you down to deal with such dysfunctional people, it can influence your own attitudes, so that you find yourself exhibiting signs of being an asshole yourself, not to mention taking on full-time blame avoidance and wrath dodging.

It doesn't help that asshole behaviour usually comes from people you feel you should respect (they're senior, the cream of the crop, the respected director, the firm's rising star), which can hide the harm it does if you let it make you too self-critical (they're right, I'm not good enough, I screwed up, I don't deserve this job ...). But the truth is that if a manager criticises your performance, does nothing to help you improve it, and yet expects improvement - then they are acting like an asshole.

When it comes to looking at what managers should do, Bob Sutton suggests we look at evidence-based management. Jeffrey Pfeffer runs a website about evidence-based management and recently testified to Congress about it. He summarised his testimony into five points (re-formatted by me):
“First, organizations in both the public and private sector ought to base policies not on casual benchmarking, on ideology or belief, on what they have done in the past or what they are comfortable with doing, but instead should implement evidence-based management.

Second, the mere prevalence or persistence of some management practice is not evidence that it works -- there are numerous examples of widely diffused and quite persistent management practices, strongly advocated by practicing executives and consultants, where the systematic empirical evidence for their ineffectiveness is just overwhelming.

Third, the idea that individual pay for performance will enhance organizational operations rests on a set of assumptions. Once those assumptions are spelled out and confronted with the evidence, it is clear that many -- maybe all -- do not hold in most organizations.

Fourth, the evidence for the effectiveness of individual pay for performance is mixed, at best -- not because pay systems don't motivate behavior, but more frequently, because such systems effectively motivate the wrong behavior.

And finally, the best way to encourage performance is to build a high performance culture. We know the components of such a system, and we ought to pay attention to this research and implement its findings.”
The assertion that organisations are sending their managers to courses and drafting their policies based on what are essentially made-up rules is scary. Just because we wish something were true doesn't mean it is, and acting otherwise is plain stupid.

Bringing that back to project management, my own sphere of management experience: Ross Pettit at The Agile Manager blog just posted on Patterns and Anti-Patterns in Project Portfolio Management. The anti-patterns he mentions are worth noting, although I'm not sure I buy the conclusion that Agile Management is the answer.

A good analogy for this stuff is the carpenter that stubbornly tries to plane against the grain and is unhappy with the resulting jagged finish. It is fair enough to say that in our personal experience we may not experience a particular situation often enough to be able to derive statistically relevant rules from it, but when others have done it for us, it behoves us to educate ourselves before we act.

[UPDATE: Another carpentry analogy is that we need to learn the trade and the tricks will follow. Too often we look for management shortcuts (the tricks) rather than getting the basics (the trade) right.]

Thinking of self-education, I'm in a place right now where I'm wondering whether I'm a software developer or a project manager. I find myself reading things like The Pragmatic Programmer and tinkering with Ruby on Rails apps at home (my breakable toys), which is clearly part of my developer persona, but I am also interested in management and love the challenge of tackling projects at a level well above worrying about my daily tasks.

Articles found via Thoughtworks' Jason Yip here and again here.

Friday, April 27, 2007

Sydney weblogger April meetup

Thanks to I got a chance to meet a bunch of other Sydney bloggers last night. It was great fun and very interesting to meet other people with blogs, some of them very popular.

Of course you have to tread carefully when it comes to topics of conversation, as bloggers we are naturally opinionated and can find things to disagree about (politics, science, religion etc) pretty easily. However there was a surprisingly strong commonality when it came to reading sci-fi and fantasy - so that helped bring us together.

Funnily enough blogging itself was one of the least interesting topics - perhaps because we all do it so much - but it was nice to be able to share a laugh about waiting up for partners to come to bed because they are still blogging! The event was organised by Sara the Bargain Queen who does a great job of getting everyone together. Thanks Sara!

Monday, April 23, 2007

'Accountating'

I'm sure I only catch about 5% of these typos:

For goodness sake, if you work at can you please, please try using the new Firefox with your CMS? The integrated spell-checker will save you from these sorts of problems - it even has an Aussie dictionary (en-au).

Wednesday, April 18, 2007

Ruby on Rails embraces BigDecimal

I am just getting back into Ruby on Rails after ignoring it for far too long. One of the first things I did was buy some shiny new books. The first one I picked up was Designing the Obvious, by Robert Hoekman. The second was The Pragmatic Programmer by Andrew Hunt and Dave Thomas. Funnily enough, neither of these books is explicitly about Ruby on Rails - but both deal with ideals (simple, yet effective design and pragmatic programming) that lie behind Rails' appeal to me.

I also checked out Dave Thomas's blog and in one of his recent posts he points out that Rails now embraces decimal database fields:
“In the Rails trunk, numeric and decimal database columns with a scale factor are now converted into Ruby BigDecimal objects. If the scale factor is zero, they instead become integers.

Migrations now support decimal columns too, with the addition of two new attributes, precision and scale.
   add_column :orders, :price, :decimal, :precision => 8, :scale => 2
I just spent a day reworking all the Depot chapters to use this, and it seems to work great.”
That is great news, and I'm really looking forward to not needing to use the workaround I previously found.

Monday, April 09, 2007

Is GDP impact the best way to measure global warming's effects?

Roger Pielke (from the science policy blog Prometheus) has an interesting point to make about the relative weight the IPCC is placing on mitigation as the best way to deal with global warming. Roger points out that if you use GDP as the primary measure of the effect of global warming, which both Nicholas Stern and the IPCC do, then the inescapable conclusion from the IPCC's own report is that how the world chooses to develop has a much greater effect on global GDP than global warming does, making the mitigation of global warming a relatively poor investment compared to investing in better development solutions.
“To put this another way, from the standpoint of global GDP decisions that the world makes that make one storyline more likely to occur than another are between 19 and 74 times more important than decisions that are made about greenhouse gas emissions, under the assumptions provided by the IPCC!
It begs the question, is global GDP the best way to measure the impact of global warming? Given that this is the primary 'stick' that the Stern Report used to ensure we all got the message about global warming, it would seem that global warming alarmists would think it must be ... yet the IPCC themselves believe that making better development decisions can have a much greater impact on this figure than global warming!

Roger's not the first person to point this out; Arnold Kling at the economics blog EconLog has made a similar point. He also finds the statistical basis for global warming more than a little suspect:
“These statistical projections are highly uncertain. In fact, I do not think that the climate modelers have anywhere near enough data to make usable predictions.

99 percent of the people who knowingly tell you that global warming is real and that the science is conclusive have no clue about statistical modeling. The statistical challenges of climate modeling that scientists understand among themselves are quite different from the popular conceptions that imagine some concrete certainty. To paraphrase Winston Churchill, never before in the field of public policy have so many had such confidence in model forecasts based on so few meaningful observations.
Finally, the real reason why human caused global warming has been pursued so vigorously may well be more political than environmental (or even religious), with some similarity to the way eugenics obtained the status of 'settled science'*:
“One must ask, "How in the world did university researchers come to conclusions that defended this outrageous affront to society?" A look back at the research concluded that the researchers adjusted their outcomes to support the theory of those paying for the research. This is not unusual. It is very easy to believe that the settled science regarding climate change is just as suspicious, and indeed may be another example of pseudo-science capturing the imagination of politicians, actors and the media elite who have a desperate need to embrace some "science" which may force us to change the way we live our lives. H. L. Mencken once wrote, "The urge to save humanity is almost always a false front for the urge to rule it." We see pictures of huge blocks of ice crashing into the sea from the Antarctic Peninsula, which comprises about 2 percent of the continent. The fact that the remaining 98 percent of Antarctica is growing by 26.8 gigatons of ice per year is ignored.”
* This is perilously close to equating it with the Nazis, a dead giveaway of an uncertain argument, however the point is well made by Rep. John Linder.

Monday, April 02, 2007

Countering Islamist radicalism - with soccer

We watched the ABC's Difference of Opinion tonight. As usual, the panel members were pretty close to each other in their views, although there were some noticeable areas of difference tonight. The topic tonight was the impact of Muslims on Australian society, and why opinion polls indicate a greater degree of distrust towards Muslim migrants than other groups.

By all means follow the show link above and check out the debate, although the audience was particularly incoherent this time compared to other shows. They quickly identified the elephant in the room - that Australians in general distrust the 1.5% of us that are Muslims because of the reputation that Islam is having as a religion for violent fundamentalists.

I was particularly impressed by Dr Tanveer Ahmed (more here), who made a well-argued case that in the West the young men who gravitate to Islamist organisations are often 2nd, 3rd or 4th generation immigrants who feel alienated from both their parents' society and the one of their birth.

There is nothing new in that, but Dr Tanveer took it a step further and pointed out that engaging with young Muslims via the avenue of religion only strengthens their identity issues. He was cut off before he could elaborate further, but in the past he has warned against the raising of cultural shields by migrants seeking to protect their children from Australian culture whilst enjoying the economic success it brings. More interesting, though, were the comments he has made about sport bringing Aussies together, especially soccer.

By engaging these young men as fair dinkum athletes, or potential fellow team supporters, we can seek to bridge divides and help those who might be alienated (not just the children of Muslims, but all immigrants) find a place for themselves and their culture.
“It is soccer that can cross ethnic groups and social classes, sprouting a nationalism not felt by many.

If its wave continues, it can be the symbol that reflects best Australia's multicultural success and its confident presence on the world stage across all human endeavour.

Perhaps we will even begin to call it football.”
I have lived near several Muslim communities in Sydney, and I know how hard it can be to strike up a conversation with a bloke in white robe, slippers and knitted skull-cap. He might find my suit and tie similarly confronting. However, give us a soccer ball to kick about, someone else to play against, and we can both find the other more approachable. It is a simple solution, but many good answers are. It requires dedication and the selfless involvement of volunteers willing to bridge cultural divides, and sometimes be caught between them, and it will take both Muslim and non-Muslim encouragement - but the fruit of that labour might be a much sweeter future for Australia.