[keycloak-user] Application Management

Thiago Presa thiago.addevico at gmail.com
Tue May 5 14:11:06 EDT 2015


Sorry for the delay, I removed it.

On Wed, Apr 8, 2015 at 1:15 AM, Stian Thorgersen <stian at redhat.com> wrote:

> Keycloak doesn't add any roles to applications, as we don't want to make
> special/reserved roles on those and leave it up to users to decide what
> roles they want. So that would have to be removed.
>
> ----- Original Message -----
> > From: "Thiago Presa" <thiago.addevico at gmail.com>
> > To: "Stian Thorgersen" <stian at redhat.com>
> > Cc: keycloak-user at lists.jboss.org
> > Sent: Tuesday, 7 April, 2015 3:24:59 PM
> > Subject: Re: [keycloak-user] Application Management
> >
> > To make sure that the user has all roles of a given application. If someone
> > creates another role after granting app-admin, it is automatically inserted
> > into the app-admin composite role and therefore granted.
> >
> > On Tue, Apr 7, 2015 at 3:38 AM, Stian Thorgersen <stian at redhat.com> wrote:
> >
> > > What's the purpose of app-admin?
> > >
> > > ----- Original Message -----
> > > > From: "Thiago Presa" <thiago.addevico at gmail.com>
> > > > To: "Stian Thorgersen" <stian at redhat.com>
> > > > Cc: keycloak-user at lists.jboss.org
> > > > Sent: Wednesday, 1 April, 2015 7:33:26 PM
> > > > Subject: Re: [keycloak-user] Application Management
> > > >
> > > > Speaking with my colleagues, I believe it won't cause troubles for us. We
> > > > had to give view-applications: the admin console wouldn't work properly,
> > > > but this is also OK according to our requirements.
> > > >
> > > > Would you mind giving us some feedback on [1]? We wrote this to
> > > > experiment a bit with the proposal, but I'm not familiar with keycloak's
> > > > source or practices. What should I do to help get this merged?
> > > >
> > > > [1] https://github.com/keycloak/keycloak/compare/master...tpresa:master
> > > >
> > > > On Fri, Mar 27, 2015 at 10:51 AM, Stian Thorgersen <stian at redhat.com> wrote:
> > > >
> > > > > ----- Original Message -----
> > > > > > From: "Thiago Presa" <thiago.addevico at gmail.com>
> > > > > > To: "Stian Thorgersen" <stian at redhat.com>
> > > > > > Cc: keycloak-user at lists.jboss.org
> > > > > > Sent: Friday, 27 March, 2015 2:01:56 PM
> > > > > > Subject: Re: [keycloak-user] Application Management
> > > > > >
> > > > > > Ah, yes, I didn't understand your proposal properly. Wouldn't giving
> > > > > > manage-users to app-admins cause trouble, since app-admins could
> > > > > > create and modify user accounts?
> > > > >
> > > > > Whether or not it's causing trouble depends on your requirements, but
> > > > > yes, they could create and modify user accounts, but not grant more
> > > > > privileges.
> > > > >
> > > > > If you need to go beyond this, one alternative is to wrap the admin
> > > > > endpoints in your own application. We've just got so much on our plate
> > > > > at the moment that we can't provide this level of control on
> > > > > permissions.
> > > > >
> > > > > > On Fri, Mar 27, 2015 at 1:58 AM, Stian Thorgersen <stian at redhat.com> wrote:
> > > > > >
> > > > > > > Well, yes.. I told you it was a bit rubbish and would need some
> > > > > > > re-design to implement more fine grained permissions. Doing that is
> > > > > > > a relatively big task and is not a high priority for us ATM.
> > > > > > >
> > > > > > > I'm a bit confused by this email as I proposed a simple solution
> > > > > > > that would resolve your requirements. If an admin can only grant
> > > > > > > permissions that admin has access to, all you have to do is to
> > > > > > > create an admin that can only access roles for certain applications
> > > > > > > and your problem should be solved. That's a simple solution that we
> > > > > > > can add soon.
> > > > > > >
> > > > > > > ----- Original Message -----
> > > > > > > > From: "Thiago Presa" <thiago.addevico at gmail.com>
> > > > > > > > To: "Stian Thorgersen" <stian at redhat.com>
> > > > > > > > Cc: keycloak-user at lists.jboss.org
> > > > > > > > Sent: Thursday, 26 March, 2015 8:10:07 PM
> > > > > > > > Subject: Re: [keycloak-user] Application Management
> > > > > > > >
> > > > > > > > So I've spent the last couple of days playing with the source. :-)
> > > > > > > >
> > > > > > > > The current authorization mechanism is based on Realm/RealmApp,
> > > > > > > > i.e. whenever an API resource is called, check if the User has the
> > > > > > > > required Right (manage, any, view) in the resource's Realm/RealmApp.
> > > > > > > >
> > > > > > > > Consider, for example, the URI
> > > > > > > > /admin/realms/{realm}/applications-by-id/{app-name}/roles/{role-name}.
> > > > > > > > What I was trying to do is to create a permission for {app-name}
> > > > > > > > so that this API call wouldn't require any Realm/RealmApp right.
> > > > > > > >
> > > > > > > > The problem I see is that this API call triggers many methods
> > > > > > > > (i.e. AdminRoot#getRealmsAdmin, RealmsAdminResource#getRealmAdmin,
> > > > > > > > RealmAdminResource#getApplicationsById, and so on...), and at
> > > > > > > > those methods there is not enough information to figure out
> > > > > > > > whether this is:
> > > > > > > >
> > > > > > > > 1- An app-specific call and thus should be authorized even without
> > > > > > > > realm authorization, or;
> > > > > > > > 2- Not an app-specific call and thus should be properly authorized
> > > > > > > > by Realm/RealmApp.
> > > > > > > >
> > > > > > > > Even in the case of (1), the information on which app I should
> > > > > > > > check for authorization is not available.
> > > > > > > >
> > > > > > > > So it seems to me that this resource-loading mechanism presupposes
> > > > > > > > an authorization mechanism that checks only against the realm for
> > > > > > > > permission, and changing this seems daunting to me.
> > > > > > > >
> > > > > > > > Do you guys have any idea on a more local change I could make to
> > > > > > > > achieve the intended behavior?
> > > > > > > >
> > > > > > > > On Tue, Mar 24, 2015 at 2:33 PM, Thiago Presa <thiago.addevico at gmail.com> wrote:
> > > > > > > >
> > > > > > > > > OK, agreed. We thought this out of consistency, but if that's
> > > > > > > > > not a good design we surely can consider a better one.
> > > > > > > > >
> > > > > > > > > On Tue, Mar 24, 2015 at 9:44 AM, Stian Thorgersen <stian at redhat.com> wrote:
> > > > > > > > >
> > > > > > > > > > ----- Original Message -----
> > > > > > > > > > > From: "Thiago Presa" <thiago.addevico at gmail.com>
> > > > > > > > > > > To: stian at redhat.com
> > > > > > > > > > > Cc: keycloak-user at lists.jboss.org
> > > > > > > > > > > Sent: Tuesday, 24 March, 2015 1:41:16 PM
> > > > > > > > > > > Subject: Re: [keycloak-user] Application Management
> > > > > > > > > > >
> > > > > > > > > > > Hi there,
> > > > > > > > > > >
> > > > > > > > > > > I'm Alex's coworker and I'll be working on this too.
> > > > > > > > > > >
> > > > > > > > > > > We were just discussing your idea, and it seems to fit our
> > > > > > > > > > > requirements.
> > > > > > > > > > >
> > > > > > > > > > > As far as we have seen, keycloak already has a realm-admin
> > > > > > > > > > > concept. Whenever a realm "R" is created, it creates an
> > > > > > > > > > > R-realm application with a bunch of default roles
> > > > > > > > > > > (manage-users, manage-roles, etc.) into the realm master.
> > > > > > > > > > >
> > > > > > > > > > > We are currently thinking if we could mimic this structure
> > > > > > > > > > > for applications. What do you think?
> > > > > > > > > >
> > > > > > > > > > It's already messy with the way I modelled it and adding the
> > > > > > > > > > same for applications would be even worse. I don't see why
> > > > > > > > > > that's needed though if we'd add what I proposed.
> > > > > > > > > >
> > > > > > > > > > > > I had an idea a while back that is a simple way to achieve
> > > > > > > > > > > > what you're asking for. The idea would be to only allow an
> > > > > > > > > > > > admin to grant roles that the admin has access to.
> > > > > > > > > > > >
> > > > > > > > > > > > Basically:
> > > > > > > > > > > > * A user with admin (super user) role can grant any roles
> > > > > > > > > > > > (we would need to add a per-realm super user role)
> > > > > > > > > > > > * A user with the role manage-users and some roles on app1
> > > > > > > > > > > > can only grant other users the roles on app1
> > > > > > > > > > > > * A user with the role manage-users and some roles on app2
> > > > > > > > > > > > can only grant other users the roles on app2
> > > > > > > > > > > >
> > > > > > > > > > > > This is something we should add in either case (to prevent
> > > > > > > > > > > > users granting themselves more access). Would it solve your
> > > > > > > > > > > > problems?
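The grant rule Stian proposes in the thread (an admin may only hand out roles the admin already holds, with a per-realm super user exempt), as an added Python model. This is example code, not Keycloak's implementation; the role name realm-admin and all user, application and role labels are constructed assumptions, while manage-users is the existing realm-management role the thread names.

```python
# Added example modelling the thread's proposed grant rule; not Keycloak code.
from __future__ import annotations
from dataclasses import dataclass, field

REALM_ADMIN = "realm-admin"    # assumed name for the per-realm super user role
MANAGE_USERS = "manage-users"  # realm-management role named in the thread

@dataclass(frozen=True)
class Role:
    app: str   # application the role belongs to; "" for realm-level roles
    name: str

@dataclass
class User:
    name: str
    roles: set[Role] = field(default_factory=set)

def can_grant(admin: User, role: Role) -> bool:
    """Super user grants anything; otherwise the admin needs manage-users and
    must already hold the exact role (same app, same name). Because an admin
    can never hand out a role they lack, self-escalation is blocked as well."""
    if Role("", REALM_ADMIN) in admin.roles:
        return True
    if Role("", MANAGE_USERS) not in admin.roles:
        return False
    return role in admin.roles

def grant(admin: User, target: User, role: Role) -> bool:
    """Grant `role` to `target` if `admin` is allowed; report whether it happened."""
    if not can_grant(admin, role):
        return False
    target.roles.add(role)
    return True

def demo() -> dict[str, bool]:
    """The thread's cases: super user, app1 admin, plus the denials the rule implies."""
    super_admin = User("root", {Role("", REALM_ADMIN)})
    app1_admin = User("alice", {Role("", MANAGE_USERS), Role("app1", "editor")})
    no_manage = User("bob", {Role("app1", "editor")})  # holds a role, lacks manage-users
    carol = User("carol")
    return {
        "super_any_app": grant(super_admin, carol, Role("app2", "admin")),
        "app1_held_role": grant(app1_admin, carol, Role("app1", "editor")),
        "app1_other_app": grant(app1_admin, carol, Role("app2", "editor")),
        "app1_unheld_role": grant(app1_admin, carol, Role("app1", "admin")),
        "self_escalation": grant(app1_admin, app1_admin, Role("", REALM_ADMIN)),
        "without_manage_users": grant(no_manage, carol, Role("app1", "editor")),
    }
```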