<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Sep 4, 2013 at 5:22 PM, Lucas Holmquist <span dir="ltr"><<a href="mailto:lholmqui@redhat.com" target="_blank">lholmqui@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Currently i think "Apps" are associated with a specific user, so if we introduce new users, then those new users won't be able to see any of the existing apps, even if they have the same roles.<br>
</blockquote><div><br></div><div style>That's a interesting point : I assume the relation between user and apps is now 1-1 but do we want n-1 (multiple users could manage an app) in the future ? so after creating a user we could affect him to an app.</div>
<div style> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
this should probably change to be more role based, example:<br>
<br>
Admin role:<br>
All CRUD on Apps and CRUD user management<br>
Developer:<br>
CRUD on Apps<br>
User:<br>
just READ Apps<br>
<div><div class="h5"><br>
<br>
<br>
On Sep 4, 2013, at 11:06 AM, Bruno Oliveira <<a href="mailto:bruno@abstractj.org">bruno@abstractj.org</a>> wrote:<br>
<br>
><br>
><br>
> Sebastien Blanc wrote:<br>
>> Hi,<br>
>> Start point is this jira <a href="https://issues.jboss.org/browse/AGPUSH-282" target="_blank">https://issues.jboss.org/browse/AGPUSH-282</a> for<br>
>> allowing the creation of additional users/developers.<br>
>> In the current situation we have just one role : "developer" , so the<br>
>> first question is :<br>
>><br>
>> - Should a user with the role "developer" be able to create another user ?<br>
><br>
> It depends, I think is a matter of rules inside AGPUSH. Maybe we should<br>
> have a role hierarchy definition? Would be nice.<br>
><br>
>> - Should we introduce a "admin" role that can manage users (create,<br>
>> reset password, delete) ?<br>
><br>
> Makes sense.<br>
><br>
>> - A mix of permissions ? (a developer can create other users but not<br>
>> remove them nor reset (except its own) password )<br>
><br>
> The hierarchy should be clear users/roles and levels, we can start a<br>
> simple gist on it.<br>
>><br>
>> From there the second question regarding password management :<br>
>> In the current situation, our default user (called "admin" , yeah a bit<br>
>> confusing :) ) has a temporary password that must be changed the first<br>
>> time he logs in.<br>
>><br>
>> - Do we want to keep this ?<br>
><br>
> That is a old request from my side and violates CWE-798<br>
> (<a href="http://cwe.mitre.org/data/definitions/798.html" target="_blank">http://cwe.mitre.org/data/definitions/798.html</a>)<br>
>><br>
>> - Shall we move to a script that creates a user(s) ?<br>
><br>
> +1 for provide a script like "sample-db.sql" or whatever out of the box.<br>
</div></div>+1<br>
<div class="HOEnZb"><div class="h5">>><br>
>> - When we add a user through the admin UI, should we provide a password<br>
>> or should it be generated and changed on first login ?<br>
><br>
> In theory we should send the password reset instructions with the url to<br>
> change it like:<br>
><br>
> <a href="http://admin-ui.org/changeme/424242424242424" target="_blank">http://admin-ui.org/changeme/424242424242424</a> (Using the SecureRandom<br>
> entropy from Java)<br>
><br>
>><br>
>> In other words, I think we must concretely spec out the user management<br>
>> for the UPS and we could use this thread to discuss that !<br>
><br>
> +1 I'm all for it<br>
><br>
>><br>
>> _______________________________________________<br>
>> aerogear-dev mailing list<br>
>> <a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a><br>
>> <a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br>
><br>
> --<br>
> abstractj<br>
><br>
><br>
> _______________________________________________<br>
> aerogear-dev mailing list<br>
> <a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a><br>
> <a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br>
<br>
<br>
_______________________________________________<br>
aerogear-dev mailing list<br>
<a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br>
</div></div></blockquote></div><br></div></div>