<div dir="ltr">Hi,<div style>I wanted to start a fresh thread about user management in the Unified Push Server. Please check below the proposal I made for the next release (0.10.0); feel free to comment, ask questions, etc.</div>
<div style><br></div><div style>(<a href="https://gist.github.com/sebastienblanc/6547605">https://gist.github.com/sebastienblanc/6547605</a>)</div><div style><h1 style="font-size:2.5em;margin-right:0px;margin-bottom:15px;margin-left:0px;padding:0px;line-height:1.7;border-bottom-width:1px;border-bottom-style:solid;border-bottom-color:rgb(221,221,221);color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;margin-top:0px!important">
User Management for the Aerogear Unified Push Server</h1><h2 style="margin:1em 0px 15px;padding:0px;line-height:1.7;font-size:2em;border-bottom-width:1px;border-bottom-style:solid;border-bottom-color:rgb(238,238,238);color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif">
<a name="introduction" class="" href="https://gist.github.com/sebastienblanc/6547605#introduction" style="color:rgb(65,131,196);text-decoration:none;display:block;padding-left:30px"><span class=""></span></a>Introduction</h2>
<p style="margin:15px 0px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.199999809265137px;line-height:20px">The goal of this document is to describe how User Management will be implemented in the Unified Push Server. Currently there is only one user, created by default when installing UPS. Having the possibility to create multiple users is a &quot;Must Have&quot; and should be manageable from the Admin Console. Some roles should also be introduced.</p>
<h2 style="margin:1em 0px 15px;padding:0px;line-height:1.7;font-size:2em;border-bottom-width:1px;border-bottom-style:solid;border-bottom-color:rgb(238,238,238);color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif">
<a name="roles--permissions" class="" href="https://gist.github.com/sebastienblanc/6547605#roles--permissions" style="color:rgb(65,131,196);text-decoration:none;display:block;padding-left:30px"><span class=""></span></a>Roles / Permissions</h2>
<p style="margin:15px 0px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.199999809265137px;line-height:20px">There will be 3 different roles in this first version:</p><ul style="margin:15px 0px;padding:0px 0px 0px 30px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.199999809265137px;line-height:20px">
<li><em>Admin</em>: The Admin is the super-user; it can access all the features of UPS, including the creation of users.</li><li><em>Developer</em>: The developer can create, read, update and delete applications/variants.</li>
<li><em>Viewer</em>: Can only &#39;Read&#39;; this can be useful for monitoring apps (or for the future UPS Forge Plugin).</li></ul><table style="border-collapse:collapse;border-spacing:0px;font-size:15.199999809265137px;margin:15px 0px;width:724.4000244140625px;overflow:auto;display:block;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;line-height:20px">
<tbody><tr style="border-top-width:1px;border-top-style:solid;border-top-color:rgb(204,204,204)"><th style="border:1px solid rgb(221,221,221);padding:6px 13px">Role / action</th><th style="border:1px solid rgb(221,221,221);padding:6px 13px">
Create</th><th style="border:1px solid rgb(221,221,221);padding:6px 13px">Update</th><th style="border:1px solid rgb(221,221,221);padding:6px 13px">Read</th><th style="border:1px solid rgb(221,221,221);padding:6px 13px">Delete</th>
<th style="border:1px solid rgb(221,221,221);padding:6px 13px">Reset pwd</th><th style="border:1px solid rgb(221,221,221);padding:6px 13px">User Mngt</th></tr><tr style="border-top-width:1px;border-top-style:solid;border-top-color:rgb(204,204,204);background-color:rgb(248,248,248)">
<td style="border:1px solid rgb(221,221,221);padding:6px 13px">Admin</td><td style="border:1px solid rgb(221,221,221);padding:6px 13px">X</td><td style="border:1px solid rgb(221,221,221);padding:6px 13px">X</td><td style="border:1px solid rgb(221,221,221);padding:6px 13px">
X</td><td style="border:1px solid rgb(221,221,221);padding:6px 13px">X</td><td style="border:1px solid rgb(221,221,221);padding:6px 13px">X</td><td style="border:1px solid rgb(221,221,221);padding:6px 13px">X</td></tr><tr style="border-top-width:1px;border-top-style:solid;border-top-color:rgb(204,204,204)">
<td style="border:1px solid rgb(221,221,221);padding:6px 13px">Developer</td><td style="border:1px solid rgb(221,221,221);padding:6px 13px">X</td><td style="border:1px solid rgb(221,221,221);padding:6px 13px">X</td><td style="border:1px solid rgb(221,221,221);padding:6px 13px">
X</td><td style="border:1px solid rgb(221,221,221);padding:6px 13px">X</td><td style="border:1px solid rgb(221,221,221);padding:6px 13px">X</td><td style="border:1px solid rgb(221,221,221);padding:6px 13px"></td></tr><tr style="border-top-width:1px;border-top-style:solid;border-top-color:rgb(204,204,204);background-color:rgb(248,248,248)">
<td style="border:1px solid rgb(221,221,221);padding:6px 13px">Viewer</td><td style="border:1px solid rgb(221,221,221);padding:6px 13px"></td><td style="border:1px solid rgb(221,221,221);padding:6px 13px"></td>
<td style="border:1px solid rgb(221,221,221);padding:6px 13px">X</td><td style="border:1px solid rgb(221,221,221);padding:6px 13px"></td><td style="border:1px solid rgb(221,221,221);padding:6px 13px"></td><td style="border:1px solid rgb(221,221,221);padding:6px 13px">
</td></tr></tbody></table><h2 style="margin:1em 0px 15px;padding:0px;line-height:1.7;font-size:2em;border-bottom-width:1px;border-bottom-style:solid;border-bottom-color:rgb(238,238,238);color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif">
<a name="user-management-flow" class="" href="https://gist.github.com/sebastienblanc/6547605#user-management-flow" style="color:rgb(65,131,196);text-decoration:none;display:block;padding-left:30px"><span class=""></span></a>User management flow</h2>
<p style="margin:15px 0px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.199999809265137px;line-height:20px">An Admin can create a new user by providing a <code style="font-family:Consolas,&#39;Liberation Mono&#39;,Courier,monospace;font-size:12px;line-height:normal;margin:0px 2px;padding:0px 5px;border:1px solid rgb(221,221,221);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;white-space:nowrap">loginName</code>. This will be possible through:</p>
<ul style="margin:15px 0px;padding:0px 0px 0px 30px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.199999809265137px;line-height:20px"><li>The console</li><li>The REST service</li></ul>
<h3 style="margin:1em 0px 15px;padding:0px;line-height:1.7;font-size:1.5em;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif"><a name="password-management" class="" href="https://gist.github.com/sebastienblanc/6547605#password-management" style="color:rgb(65,131,196);text-decoration:none;display:block;padding-left:30px"><span class=""></span></a>Password Management</h3>
<p style="margin:15px 0px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.199999809265137px;line-height:20px">At creation, the user will have a default password, i.e. <code style="font-family:Consolas,&#39;Liberation Mono&#39;,Courier,monospace;font-size:12px;line-height:normal;margin:0px 2px;padding:0px 5px;border:1px solid rgb(221,221,221);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;white-space:nowrap">123</code>.</p>
<h4 style="margin:1em 0px 15px;padding:0px;line-height:1.7;font-size:1.2em;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif"><a name="first-login" class="" href="https://gist.github.com/sebastienblanc/6547605#first-login" style="color:rgb(65,131,196);text-decoration:none;display:block;padding-left:30px"><span class=""></span></a>First Login</h4>
<p style="margin:15px 0px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.199999809265137px;line-height:20px">When logging in for the first time, the newly created user will be prompted to change his password.</p>
<h4 style="margin:1em 0px 15px;padding:0px;line-height:1.7;font-size:1.2em;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif"><a name="reset-password-instruction" class="" href="https://gist.github.com/sebastienblanc/6547605#reset-password-instruction" style="color:rgb(65,131,196);text-decoration:none;display:block;padding-left:30px"><span class=""></span></a>Reset Password Instruction</h4>
<p style="margin:15px 0px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.199999809265137px;line-height:20px">If a user wants to reset his password, he has to request it manually (email, carrier pigeon, ...) from an admin. The password will be set back to the default one and the user will have to change it again when logging in.</p>
<h4 style="margin:1em 0px 15px;padding:0px;line-height:1.7;font-size:1.2em;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif"><a name="scope-of-the-current-permissions" class="" href="https://gist.github.com/sebastienblanc/6547605#scope-of-the-current-permissions" style="color:rgb(65,131,196);text-decoration:none;display:block;padding-left:30px"><span class=""></span></a>Scope of the current permissions</h4>
<p style="margin:15px 0px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.199999809265137px;line-height:20px">Currently, an authenticated user can see all the applications / variants / installations, whether he is the author or not. There is also no concept of groups; that may come in future releases.</p>
<h2 style="margin:1em 0px 15px;padding:0px;line-height:1.7;font-size:2em;border-bottom-width:1px;border-bottom-style:solid;border-bottom-color:rgb(238,238,238);color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif">
<a name="security-implementation" class="" href="https://gist.github.com/sebastienblanc/6547605#security-implementation" style="color:rgb(65,131,196);text-decoration:none;display:block;padding-left:30px"><span class=""></span></a>Security Implementation</h2>
<p style="margin:15px 0px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.199999809265137px;line-height:20px">Currently, it would be possible to implement this using Aerogear-Security-Picketlink and some raw Picketlink:</p>
<ul style="margin:15px 0px;padding:0px 0px 0px 30px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.199999809265137px;line-height:20px"><li>Login / Logout / Registration: AG-Security offers all we need.</li>
<li>Roles and permissions: AG-Security offers a <code style="font-family:Consolas,&#39;Liberation Mono&#39;,Courier,monospace;font-size:12px;line-height:normal;margin:0px 2px;padding:0px 5px;border:1px solid rgb(221,221,221);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;white-space:nowrap">secures</code> annotation that can be used to protect the endpoints.</li>
</ul><p style="margin:15px 0px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.199999809265137px;line-height:20px">I know there are some concerns about this last point (role escalation, etc.) and would like advice / feedback on what is acceptable / doable for the 0.10.0 release (15/01).</p>
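<p>To make the flow above concrete, here is an added Python example (not code from the proposal or from UPS) that models the role table as a permission matrix, the default password with a forced change on first login, and the admin reset. The action names, the <code>authorize</code> guard and the salted PBKDF2 storage are my own choices for the example; the table's "Reset pwd" column is read as the permission to perform the reset described above.</p>

```python
import hashlib, hmac, os

DEFAULT_PASSWORD = "123"  # the default password named in the proposal
# Permission matrix transcribed from the proposal's "Role / action" table.
PERMISSIONS = {
    "Admin": {"create", "update", "read", "delete", "reset_pwd", "user_mngt"},
    "Developer": {"create", "update", "read", "delete", "reset_pwd"},
    "Viewer": {"read"},
}

def _hash(password, salt):  # store a salted PBKDF2 hash, never the password
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class User:
    def __init__(self, login_name, role):
        self.login_name, self.role = login_name, role
        self.salt = os.urandom(16)
        self.pw_hash = _hash(DEFAULT_PASSWORD, self.salt)
        self.must_change_password = True  # forced change on first login

def can(user, action):
    return action in PERMISSIONS[user.role]

def authorize(user, action):  # a pending forced change blocks every other action
    return not user.must_change_password and can(user, action)

def create_user(actor, login_name, role):
    if not authorize(actor, "user_mngt"):  # "User Mngt" column: Admin only
        raise PermissionError(actor.role + " cannot manage users")
    return User(login_name, role)

def login(user, password):  # constant-time compare; forced change is reported
    if not hmac.compare_digest(_hash(password, user.salt), user.pw_hash):
        return "denied"
    return "change_password_required" if user.must_change_password else "ok"

def change_password(user, old_password, new_password):
    if login(user, old_password) == "denied":
        raise PermissionError("old password does not match")
    if new_password == DEFAULT_PASSWORD:
        raise ValueError("new password must differ from the default")
    user.salt, user.must_change_password = os.urandom(16), False
    user.pw_hash = _hash(new_password, user.salt)

def reset_password(actor, user):
    # Back to the default plus another forced change, as the proposal describes.
    if not authorize(actor, "reset_pwd"):
        raise PermissionError(actor.role + " cannot reset passwords")
    user.salt, user.must_change_password = os.urandom(16), True
    user.pw_hash = _hash(DEFAULT_PASSWORD, user.salt)
```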
</div></div>