[Hawkular-dev] Roles and Permissions in Hawkular

Juraci Paixão Kröhling jpkroehling at redhat.com
Mon Jan 26 09:19:52 EST 2015



On 01/22/2015 11:06 AM, Heiko W.Rupp wrote:
> Anyway: we need to start tagging endpoints with information about
> access levels so that we can enforce them by different policies.
> Those policies should probably not only take the user + credentials
> into account, but also the origin of requests, as for the above
> example, a request coming from the same machine or e.g. the
> Hawkular-glue may be treated differently than one coming from some
> random dump feed on the internet.
> 
> Note that those access levels usually do not replace
> authentication (via KeyCloak), but are applied after successful
> authentication and probably role assignment. Depending on the use
> case (embedded Hawkular-metrics, Standalone Hawkular-Metrics,
> Standalone Hawkular) the check points may be at different places,
> or we decide to e.g. always enforce at the component boundary.

Keycloak supports nested roles, so, the checks on the Java side could
be *very* fine grained, while the roles that we "expose" are just a
grouping of those roles, probably to match Wildfly's names (monitor,
auditor, ...).

Also, if the backend is indeed going to be JAX-RS, the code can be
free from explicit checks by annotating the methods with the JAAS'
RolesAllowed and related.

Besides, we can also have roles that are exclusive to some
applications. So, user "jdoe" when using the application "standalone"
has an additional "standalone-super-duper" role. This way, instead of
checking the "origin", we can check if a specific role is present and
let JAAS handle the authorization part as well.

- Juca.
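The annotation-driven approach Juca describes, as an added example that is not Hawkular's own code: a JAX-RS resource whose method bodies contain no explicit authorization checks because JSR-250 annotations (`@RolesAllowed`, `@DenyAll`) declare who may call them. The role names "monitor", "auditor" and "standalone-super-duper" come from the thread; the resource paths, the JSON bodies and the composite-role mapping mentioned in the comments are assumptions made for illustration.

```java
// Added example (not Hawkular's own code): a JAX-RS resource that delegates
// authorization to JSR-250 annotations instead of explicit checks in the
// method bodies. Role names are taken from the thread; paths and the
// suggested composite-role mapping are assumptions for illustration.
import javax.annotation.security.DenyAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

@Path("/metrics")
@DenyAll // class-wide default: no matching role means no access; methods opt in
public class MetricsResource {

    // Coarse, "exposed" roles. In Keycloak these would be composite roles that
    // group the fine-grained ones (assumed mapping, e.g. monitor -> metrics:read),
    // so the names seen here can match WildFly's monitor/auditor vocabulary.
    @GET
    @Path("/{id}")
    @Produces(MediaType.APPLICATION_JSON)
    @RolesAllowed({"monitor", "auditor"})
    public Response read(@PathParam("id") String id) {
        return Response.ok("{\"id\":\"" + id + "\"}").build();
    }

    // Application-specific role: only a principal that was granted
    // "standalone-super-duper" for the "standalone" client may delete.
    // This is the role check that replaces a check on the request's origin.
    @DELETE
    @Path("/{id}")
    @RolesAllowed("standalone-super-duper")
    public Response delete(@PathParam("id") String id) {
        return Response.noContent().build();
    }

    // When a decision depends on request data, SecurityContext still exposes
    // the authenticated principal and its roles; no custom header parsing needed.
    @GET
    @Path("/{id}/audit")
    @Produces(MediaType.TEXT_PLAIN)
    @RolesAllowed("auditor")
    public String audit(@PathParam("id") String id, @Context SecurityContext sc) {
        boolean privileged = sc.isUserInRole("standalone-super-duper");
        return "audit of " + id + " by " + sc.getUserPrincipal().getName()
                + (privileged ? " (standalone client)" : "");
    }
}
```

Two things decide whether these annotations are actually enforced rather than silently ignored. First, a plain JAX-RS resource is not an EJB, so the JAX-RS runtime has to be told to honour JSR-250: with RESTEasy that is the `resteasy.role.based.security` context parameter set to `true` in `web.xml`; with Jersey it is registering `RolesAllowedDynamicFeature`. Second, the roles the container sees must come from the Keycloak token: the adapter's `use-resource-role-mappings` setting selects whether client (application) roles such as "standalone-super-duper" or realm roles populate the security context, so an application-specific role only works if that setting matches where the role was defined.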

