[keycloak-user] How to get permission to all child resources

Pedro Igor Silva psilva at redhat.com
Mon Mar 5 11:42:48 EST 2018


There is no way to ask permissions based on paths. Currently, all the logic
that maps URIs/paths to protected resources in Keycloak is within the
policy enforcers (adapters). One thing we might do is maybe have similar
logic on the server where we could resolve resources based on patterns,
etc. ... Something we need to think about ...

That is an area we are looking to improve though. We are working on some
improvements in order to offer better support for RESTful security. Things
like what you are asking are what we are looking for.

Could you create an issue in JIRA describing your requirements so we can
include them in our roadmap?

Thanks.
Pedro Igor

On Mon, Mar 5, 2018 at 11:51 AM, Nhut Thai Le <ntle at castortech.com> wrote:

> Thanks for the suggestion, but the application which uses the REST API
> protected by Keycloak will not know all the resources I defined on Keycloak
> to start asking permission for the closest ancestor known to Keycloak
> (/Document/Administration) when it needs to know permissions for all
> files/folders under /Document/Administration/Contracts/Sarah/*.
>
> When testing Keycloak, we know that if Sarah tried to access a specific
> child resource (/Document/Administration/Contacts/Sarah/inventory.pdf)
> from the browser then she got access denied although this specific resource
> is not defined in Keycloak. Can we use any API to get this result? The
> Entitlement API only allows me to ask permission for a specific
> resource_set_name, not a path. If I can do this then I may be able to loop
> through all the files within /Document/Administration/Contacts/Sarah/*
> to get permission, although it is going to be a huge performance issue.
>
> Thai
>
> On Mon, Mar 5, 2018 at 7:20 AM, Pedro Igor Silva <psilva at redhat.com>
> wrote:
>
>> Hey,
>>
>> In your application you could perform some logic that asks permissions
>> for the resource with URI "/Document/Administration". Right now Keycloak
>> does not perform any parent/child mapping between resources on the server
>> side.
>>
>> Would that work for you?
>>
>> Regards.
>> Pedro Igor
>>
>> On Sun, Mar 4, 2018 at 1:09 PM, Nhut Thai Le <ntle at castortech.com> wrote:
>>
>>> Hello,
>>>
>>> We are new to Keycloak and we are exploring its abilities for securing
>>> our web API. One thing we are trying to do is to get all permissions
>>> associated with a user for all child resources in an RPT. For example,
>>> let's say I'm trying to expose the folder Document on my file system to
>>> the network via REST. This Document folder may have millions of files and
>>> subfolders; most of them are accessible by all Users, some are only
>>> available to Admin, and some are for Customers only.
>>>
>>> On the Keycloak server, I would define 3 resources named:
>>> "All Docs" with URL /Document/* and a Role policy granting access to all
>>> Users
>>> "For Admin" with URL /Document/Administration/* and a Role policy
>>> granting access to only Admins
>>> "For Customer" with URL /Document/Products/* and a Role policy granting
>>> access to only Customers
>>>
>>> If I use the entitlement API, I can ask if Sarah, who has the Users and
>>> Customers roles, can access "All Docs". However, if Sarah wants to
>>> know/list all files under /Document/Administration/Contracts/Sarah/* then
>>> how should I ask the entitlement API, since this URL is not declared as a
>>> resource in Keycloak? If I can call the API for this path, I would like
>>> to receive from the API some permissions info starting from
>>> /Document/Administration because this is the closest ancestor known to
>>> Keycloak regarding the path being asked.
>>>
>>> Hope to get some insight soon
>>>
>>> Thai
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
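The "closest ancestor" lookup that Pedro suggests doing in the application, as an added example (not Keycloak's own code and not from the thread): it resolves a requested path to the most specific resource pattern the application knows about, normalizes the path first so that ".." or doubled slashes cannot make a request under /Document/Administration resolve to a looser pattern, and builds the Entitlement API body using the resource_set_name field mentioned above. The prefix semantics of a trailing "/*" and the exact request-body shape are assumptions.

```python
import posixpath

# Resources as declared on the Keycloak server in the thread (name -> URI pattern).
# The application must hold this mapping itself; the server will not resolve paths.
RESOURCES = {
    "All Docs": "/Document/*",
    "For Admin": "/Document/Administration/*",
    "For Customer": "/Document/Products/*",
}


def normalize(path):
    """Collapse '.', '..' and repeated slashes so prefix matching cannot be bypassed."""
    path = "/" + path.lstrip("/")          # also drops a leading '//' that normpath keeps
    return posixpath.normpath(path)


def matches(pattern, path):
    """Assumed pattern semantics: a trailing '/*' covers the base and everything below it."""
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return path == base or path.startswith(base + "/")
    return path == pattern


def closest_resource(path, resources=RESOURCES):
    """Return (name, pattern) of the most specific declared resource covering path, or None.

    Most specific means the longest matching pattern, so /Document/Administration/*
    wins over /Document/* for anything under Administration.
    """
    path = normalize(path)
    best = None
    for name, pattern in resources.items():
        if matches(pattern, path) and (best is None or len(pattern) > len(best[1])):
            best = (name, pattern)
    return best


def entitlement_request(path, resources=RESOURCES):
    """Body the app would send to the Entitlement API for the closest ancestor (assumed shape)."""
    hit = closest_resource(path, resources)
    if hit is None:
        return None                         # nothing declared covers it: deny by default
    return {"permissions": [{"resource_set_name": hit[0]}]}


if __name__ == "__main__":
    print(closest_resource("/Document/Administration/Contracts/Sarah/inventory.pdf"))
```

A path with no covering resource yields None, which the application should treat as denied rather than falling back to the broadest pattern.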
