[keycloak-user] Problem understanding authorization grants

Ulrik Sjölin ulrik.sjolin at gmail.com
Fri Sep 28 11:26:46 EDT 2018


Hello,

My name is Ulrik Sjölin and where I work we are currently looking into
Keycloak (4.4). I have a question regarding permissions and policy
evaluation.

My very simple setup is like this:

User Alice owns Alice_Resource which has 5 scopes (Admin, Peek, Read,
Write, Delete)
User JDoe owns JDoe_Resource which has the same scopes as Alice_Resource
User JDoe has given user Alice Peek, Read, Write access to JDoe_Resource
via the Keycloak web UI.

There are 5 scope-based permissions, one for each scope, that allow the
owner & admin each scope (Only Owner and Administrators Policy). My idea
here is that the owner of a resource
should not have to add the permissions on himself to be able to access the
resource.

I now run evaluate and I get a surprising result:

Input:
User JDoe
Resource: JDoe
Scope: Any

Output:
Result
PERMIT
Scopes
Delete
Admin
Policies
Resource owner (jdoe at keycloak.org) grants access to alice at keycloak.org
decision was DENY by UNANIMOUS decision. Denied Scopes: Read, Write, Peek.
Read Entity Resource Permission decision was PERMIT by UNANIMOUS decision.
Granted Scopes: Read.
Only Owner and Administrators Policy voted to PERMIT .
Write Entity Resource Permission decision was PERMIT by UNANIMOUS decision.
Granted Scopes: Write.
Only Owner and Administrators Policy voted to PERMIT .
Delete Entitiy Resource Permission decision was PERMIT by UNANIMOUS
decision. Granted Scopes: Delete.
Only Owner and Administrators Policy voted to PERMIT .
Admin Entity Resource Permission decision was PERMIT by UNANIMOUS decision.
Granted Scopes: Admin.
Only Owner and Administrators Policy voted to PERMIT .
Peek Entity Resource Permission decision was PERMIT by AFFIRMATIVE
decision. Granted Scopes: Peek.
Peek resource role policy voted to PERMIT .
Only Owner and Administrators Policy voted to PERMIT .


I would expect JDoe to have full access to his resource since he is the
owner and all the policies are reporting PERMIT. It is the top DENY that I
can’t wrap my head around.
The grants JDoe has given to Alice are removed from his own grants list; is
this expected behavior? Why do grants to user Alice affect the grants of
user JDoe?

Best Regards,

Ulrik
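A way to check what the server actually grants, independently of the evaluation UI, is to ask the token endpoint for a UMA permission decision on each resource#scope pair and diff the answer against what you expect. The script below is an added example, not code from the post or from the Keycloak project; the token endpoint, the uma-ticket grant type, the repeated `permission` form parameter and `response_mode=permissions` are documented Keycloak features, while the base URL, realm, client, credentials and resource names are placeholders you would replace with your own.

```python
"""Ask Keycloak which scopes a user is really granted on a resource.

Added example (not from the mailing-list post or from Keycloak itself).
It obtains a user token, requests a UMA permission decision for specific
resource#scope pairs, and reports the scopes that were expected but not
granted.  Every deployment value below is a placeholder.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"

# Placeholder deployment values (assumptions, not taken from the post).
# Keycloak 4.x serves realms under /auth; newer releases drop that prefix.
KEYCLOAK_BASE = "https://keycloak.example.com/auth"
REALM = "demo"
RESOURCE_SERVER_CLIENT = "resource-server"  # client that owns the resources
RESOURCE_SERVER_SECRET = "change-me"


def token_endpoint(base_url: str, realm: str) -> str:
    """Realm token endpoint (OpenID Connect, also used for UMA grants)."""
    return f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"


def password_grant_fields(client_id, client_secret, username, password):
    """Form fields for a resource-owner password grant (test setups only)."""
    return [("grant_type", "password"), ("client_id", client_id),
            ("client_secret", client_secret), ("username", username),
            ("password", password)]


def uma_permission_fields(audience, permissions):
    """Form fields for a UMA permission request.

    `permission` is repeated once per "resource#scope" pair; with
    response_mode=permissions Keycloak answers with the granted
    resources and scopes instead of issuing an RPT.
    """
    fields = [("grant_type", UMA_TICKET_GRANT), ("audience", audience),
              ("response_mode", "permissions")]
    fields.extend(("permission", p) for p in permissions)
    return fields


def post_form(url, fields, bearer=None):
    """POST x-www-form-urlencoded fields and decode the JSON reply."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    if bearer:
        req.add_header("Authorization", f"Bearer {bearer}")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def granted_scopes(permissions_response):
    """Collapse the permissions list into {resource name: set of scopes}."""
    granted = {}
    for entry in permissions_response:
        granted.setdefault(entry["rsname"], set()).update(entry.get("scopes", []))
    return granted


def missing_scopes(expected, granted):
    """Per resource, the expected scopes that Keycloak did not grant."""
    missing = {}
    for resource, scopes in expected.items():
        gap = set(scopes) - granted.get(resource, set())
        if gap:
            missing[resource] = sorted(gap)
    return missing


if __name__ == "__main__":
    url = token_endpoint(KEYCLOAK_BASE, REALM)
    # Placeholder user credentials; jdoe owns JDoe_Resource as in the post.
    user_token = post_form(url, password_grant_fields(
        RESOURCE_SERVER_CLIENT, RESOURCE_SERVER_SECRET, "jdoe", "jdoe-password"))["access_token"]
    expected = {"JDoe_Resource": ["Admin", "Peek", "Read", "Write", "Delete"]}
    asked = [f"{res}#{scope}" for res, scopes in expected.items() for scope in scopes]
    try:
        perms = post_form(url, uma_permission_fields(RESOURCE_SERVER_CLIENT, asked),
                          bearer=user_token)
    except urllib.error.HTTPError as err:
        if err.code != 403:  # 403 means nothing was granted at all
            raise
        perms = []
    print("not granted:", missing_scopes(expected, granted_scopes(perms)))
```

Running this as each user (the owner and the grantee) gives a second data point next to the evaluation tool: if the token endpoint also withholds Read, Write and Peek from the owner, the behaviour is in the policy evaluation itself rather than in the UI's presentation of it.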
