[keycloak-dev] Restrict admins to only allow granting roles they are privileged to

Bolesław Dawidowicz bdawidow at redhat.com
Wed Mar 25 08:20:01 EDT 2015


On 25/03/15 12:52, Stian Thorgersen wrote:
>
>
> ----- Original Message -----
>> From: "Marek Posolda" <mposolda at redhat.com>
>> To: keycloak-dev at lists.jboss.org
>> Sent: Wednesday, 25 March, 2015 12:27:24 PM
>> Subject: Re: [keycloak-dev] Restrict admins to only allow granting roles they are privileged to
>>
>> +1 for the simple fix, however I agree that more flexibility might
>> be needed.
>
> Sure, but we have tons of work that has higher priority so we
> couldn't do that for a while

Also before we do anything more we need to sync with other projects with 
similar requirements to make sure we have something meeting their reqs. 
Hawkular has such needs. FeedHenry guys have. etc.

>
>>
>> We may need some more fine grained authorization. For example user
>> is authorized to manage application "app1" but not application
>> "app2" (currently user with "manage-applications" role can manage
>> any application). Similarly I may want some user to grant/revoke
>> other users all application roles of particular application etc.
>>
>> I wonder if we should add the concept of "permission" ? Basically
>> permission would consist of action and target object (could
>> support wildcards). Permissions are given to roles. For example
>> current role "manage-applications" will have permissions like
>> this:
>> - create-applications
>> - update-applications: *
>> - remove-application: *
>>
>> So member of this role can CRUD any application.
>>
>> Now when users from role "myapp1/foo-role" should be able to
>> grant/revoke this role to other users, the permission given to the
>> foo-role will be:
>> - grant-role: "myapp1", "foo-role"
>>
>> When users from role "myapp1/bar-role" should be able to
>> grant/revoke all roles from application "myapp1" to other users,
>> the permission will be:
>> - grant-role: "myapp1", "*"
>>
>> The tricky part is to have the permission model flexible enough,
>> but not be too complex at the same time;-) Maybe it should be
>> driven mainly by real use-cases from community?
>
> I don't see the difference in that to just having more roles. We
> could just have a manage-app role for individual applications.

Depends how many apps/roles you need to have. You get nasty looking 
app-specific role names, although I agree you can still cover most of the 
common needs.

Permissions make more sense if you try to include app-specific 
resources, org structure in the form of groups, etc. Then doing anything 
with just roles radically increases their number and makes it very hard 
to manage.

>
>>
>> Marek
>>
>> On 25.3.2015 06:49, Stian Thorgersen wrote:
>>> I propose we add a check when an admin wants to grant a role. For
>>> an admin to be allowed to grant a role the admin either has to
>>> have the admin/realm-admin role or have the role itself. This
>>> prevents admins from adding more privileges to themselves than
>>> they already have and would also be a way to allow admins that
>>> can only manage roles for specific applications.
>>>
>>> This should be a simple fix. In the future I think we may need to
>>> re-design how we map permissions for Keycloak. I'm really not
>>> that happy with the realm apps and such, it's messy and not
>>> flexible enough.
>>>
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev

-- 
Bolesław Dawidowicz
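To make the two proposals in this thread concrete, here is an added example (not Keycloak's code and not from any poster) that implements Stian's simple check (an admin may grant a role only if they hold admin/realm-admin or the role itself) and extends it with Marek's "action + target with wildcards" permission model. It assumes the constructed "app/role-name" naming for application roles and the grant-role permissions from the thread; realm-level roles are modelled with the pseudo-application "realm".

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Assumption: these two realm-level roles may grant anything (Stian's rule).
REALM_ADMIN_ROLES = {"admin", "realm-admin"}


@dataclass(frozen=True)
class Permission:
    """Marek's model: an action plus a target tuple; '*' is a wildcard component."""
    action: str      # e.g. "grant-role"
    target: tuple    # e.g. ("myapp1", "*")

    def matches(self, action, target):
        # Component-wise match so "*" covers one position, not the whole target.
        return (self.action == action and len(self.target) == len(target)
                and all(fnmatchcase(t, p) for p, t in zip(self.target, target)))


def split_role(role):
    """'myapp1/foo-role' -> ('myapp1', 'foo-role'); a realm role maps to ('realm', name)."""
    app, sep, name = role.rpartition("/")
    return (app if sep else "realm", name)


def can_grant(admin_roles, role, role_permissions):
    """Decide whether an admin holding `admin_roles` may grant `role` to another user.

    Rule 1 (simple fix): admin / realm-admin may grant any role.
    Rule 2 (simple fix): an admin may grant a role they already hold, so they can
                         never hand out more privilege than they have themselves.
    Rule 3 (permissions): some role the admin holds carries a grant-role permission
                          whose target matches the (app, role) being granted.
    """
    admin_roles = set(admin_roles)
    if admin_roles & REALM_ADMIN_ROLES or role in admin_roles:
        return True
    target = split_role(role)
    return any(perm.matches("grant-role", target)
               for held in admin_roles
               for perm in role_permissions.get(held, ()))


# Constructed permission assignments mirroring the thread's two examples.
ROLE_PERMISSIONS = {
    "myapp1/foo-role": {Permission("grant-role", ("myapp1", "foo-role"))},
    "myapp1/bar-role": {Permission("grant-role", ("myapp1", "*"))},
}
```

With these rules a user holding only "manage-users" cannot grant themselves "admin", and a "myapp1/bar-role" holder can grant any "myapp1/..." role but nothing in "myapp2" or at realm level.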