[aerogear-dev] UPS User Management - Reloaded

Sebastien Blanc scm.blanc at gmail.com
Tue Dec 3 05:54:14 EST 2013


Hi,
I wanted to start a fresh new thread about user management in the Unified
Push Server, please check below the proposition I made for the next release
(0.10.0) , feel free to comment / ask questions etc ...

(https://gist.github.com/sebastienblanc/6547605)

User Management for the Aerogear Unified Push Server

Introduction

The goal of this document is to describe how the User Management will be
implemented in the Unified Push Server. Currently there is only one user
created by default when installing UPS. Having the possibility to create
multiple users is a "Must Have" and should be manageable from the Admin
Console. Some roles should also be introduced.

Roles / Permissions

There will be 3 different roles in this first version:

   - *Admin*: The Admin is like the super-user; it can access all the
   features of UPS, including the creation of users.
   - *Developer*: The developer can create/read/update and delete
   Applications/variants.
   - *Viewer*: Can only 'Read'; can be useful for monitoring apps (or for
   the future UPS Forge Plugin).

   Role / action | Create | Update | Read | Delete | Reset pwd | User Mngt
   Admin         |   X    |   X    |  X   |   X    |     X     |     X
   Developer     |   X    |   X    |  X   |   X    |     X     |
   Viewer        |        |        |  X   |        |           |

User management flow

An Admin can create a new user by providing a loginName. This will be
possible through:

   - The console
   - The REST service

Password Management

At creation, the user will have a default password, i.e. 123.

First Login

When logging in for the first time, the newly created user will be prompted
to change his password.

Reset Password Instruction

If a user wants to reset his password, he has to request it manually
(email, carrier pigeon ...) from an admin. The password will again be the
default one and the user will have to change it again when logging in.

Scope of the current permissions

Currently, an authenticated user can see all the applications / variants /
installations, whether he is the author or not. There is also no concept
of groups; that may come in future releases.

Security Implementation

Currently, it would be possible to implement this using
Aerogear-Security-Picketlink and with some raw Picketlink:

   - Login / Logout / Registration: AG-Security offers all we need
   - Roles and permissions: AG-Security offers a secures annotation that
   can be used to protect the endpoints.

I know there are some concerns about this last point (role escalation etc
...) and would like to have advice / feedback on what is acceptable /
doable for the 0.10.0 release (15/01).
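A small executable model of the flow proposed above (default password at creation, forced change at first login, user creation restricted to the Admin role, reset back to the default by Admin or Developer), added here as an illustration and not code from UPS or AeroGear-Security. The PERMISSIONS sets, class names and the "change_password" / "ok" status strings are assumptions; it also keeps a salted hash instead of the clear-text default and refuses the default as a new password.

```python
import hashlib
import secrets

# Permission matrix from the proposal's "Role / action" table.
PERMISSIONS = {
    "admin": {"create", "update", "read", "delete", "reset_pwd", "user_mngt"},
    "developer": {"create", "update", "read", "delete", "reset_pwd"},
    "viewer": {"read"},
}
DEFAULT_PASSWORD = "123"  # the default assigned at creation and on reset

def _hash(password, salt):
    # Store only a salted PBKDF2 hash, never the clear-text default.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class User:
    def __init__(self, login, role):
        self.login, self.role = login, role
        self.set_password(DEFAULT_PASSWORD, must_change=True)
    def set_password(self, password, must_change):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash(password, self.salt)
        self.must_change = must_change  # True forces a change at next login
    def check_password(self, password):
        return secrets.compare_digest(self.pw_hash, _hash(password, self.salt))

class UserStore:
    def __init__(self):
        self.users = {"admin": User("admin", "admin")}  # the single default user
    def authorize(self, actor, action):
        if action not in PERMISSIONS[actor.role]:
            raise PermissionError(f"{actor.role} may not {action}")
    def create_user(self, actor, login, role):
        self.authorize(actor, "user_mngt")  # only the Admin role manages users
        self.users[login] = User(login, role)
    def login(self, login, password):
        user = self.users.get(login)
        if user is None or not user.check_password(password):
            return None  # same answer for an unknown login and a wrong password
        return "change_password" if user.must_change else "ok"
    def change_password(self, login, old, new):
        user = self.users[login]
        if not user.check_password(old) or new == DEFAULT_PASSWORD:
            return False  # the default may not be kept as the new password
        user.set_password(new, must_change=False)
        return True
    def reset_password(self, actor, login):
        self.authorize(actor, "reset_pwd")  # Admin and Developer per the table
        self.users[login].set_password(DEFAULT_PASSWORD, must_change=True)
```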