<div dir="ltr">To make sure that the user has all roles of a given application. If someone creates another role after granting app-admin, it is automatically inserted into app-admin composite role and therefore granted.<br><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Apr 7, 2015 at 3:38 AM, Stian Thorgersen <span dir="ltr"><<a href="mailto:stian@redhat.com" target="_blank">stian@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">What's the purpose of app-admin?<br>
<span class="im HOEnZb"><br>
----- Original Message -----<br>
> From: "Thiago Presa" <<a href="mailto:thiago.addevico@gmail.com">thiago.addevico@gmail.com</a>><br>
> To: "Stian Thorgersen" <<a href="mailto:stian@redhat.com">stian@redhat.com</a>><br>
> Cc: <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
</span><div class="HOEnZb"><div class="h5">> Sent: Wednesday, 1 April, 2015 7:33:26 PM<br>
> Subject: Re: [keycloak-user] Application Management<br>
><br>
> Speaking with my colleagues, I believe it won't cause troubles for us. We<br>
> had to give view-applications: the admin console wouldn't work properly,<br>
> but this is also OK according to our requirements.<br>
><br>
> Would you mind giving us some feedback on [1]? We wrote this to experiment<br>
> a bit with the proposal, but I'm not familiar with keycloak's source or<br>
> practices. What should I do to help get this merged?<br>
><br>
> [1] <a href="https://github.com/keycloak/keycloak/compare/master...tpresa:master" target="_blank">https://github.com/keycloak/keycloak/compare/master...tpresa:master</a><br>
><br>
> On Fri, Mar 27, 2015 at 10:51 AM, Stian Thorgersen <<a href="mailto:stian@redhat.com">stian@redhat.com</a>> wrote:<br>
><br>
> ><br>
> ><br>
> > ----- Original Message -----<br>
> > > From: "Thiago Presa" <<a href="mailto:thiago.addevico@gmail.com">thiago.addevico@gmail.com</a>><br>
> > > To: "Stian Thorgersen" <<a href="mailto:stian@redhat.com">stian@redhat.com</a>><br>
> > > Cc: <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> > > Sent: Friday, 27 March, 2015 2:01:56 PM<br>
> > > Subject: Re: [keycloak-user] Application Management<br>
> > ><br>
> > > Ah, yes, I didn't understand your proposal properly. Wouldn't giving<br>
> > > manage-users to app-admins wouldn't cause trouble, since app-admins could<br>
> > > create and modify user accounts?<br>
> ><br>
> > Whether or not it's causing trouble depends on your requirements, but yes,<br>
> > they could create and modify user accounts, but not grant more privileges.<br>
> ><br>
> > If you need to go beyond this one alternative is to wrap the admin<br>
> > endpoints in your own application. We've just got so much on our plate at<br>
> > the moment that we can't provide this level of control on permissions.<br>
> ><br>
> > ><br>
> > > On Fri, Mar 27, 2015 at 1:58 AM, Stian Thorgersen <<a href="mailto:stian@redhat.com">stian@redhat.com</a>><br>
> > wrote:<br>
> > ><br>
> > > > Well, yes.. I told you it was a bit rubbish and would need some<br>
> > re-design<br>
> > > > to implement more fine grained permissions. Doing that is a relatively<br>
> > big<br>
> > > > task and is not a high priority for us ATM.<br>
> > > ><br>
> > > > I'm a bit confused by this email as I proposed a simple solution that<br>
> > > > would resolve your requirements. If an admin can only grant permissions<br>
> > > > that admin has access to all you have to do is to create an admin that<br>
> > can<br>
> > > > only access roles for certain applications and your problem should be<br>
> > > > solved. That's a simple solution that we can add soon.<br>
> > > ><br>
> > > > ----- Original Message -----<br>
> > > > > From: "Thiago Presa" <<a href="mailto:thiago.addevico@gmail.com">thiago.addevico@gmail.com</a>><br>
> > > > > To: "Stian Thorgersen" <<a href="mailto:stian@redhat.com">stian@redhat.com</a>><br>
> > > > > Cc: <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> > > > > Sent: Thursday, 26 March, 2015 8:10:07 PM<br>
> > > > > Subject: Re: [keycloak-user] Application Management<br>
> > > > ><br>
> > > > > So I've spent the last couple of days playing with the source. :-)<br>
> > > > ><br>
> > > > > The current authorization mechanism is based on Realm/RealmApp i.e.<br>
> > > > > whenever an API resource is called, check if the User has the<br>
> > required<br>
> > > > > Right (manage, any, view) in the resource's Realm/RealmApp.<br>
> > > > ><br>
> > > > > Consider, for example, the URI<br>
> > > > ><br>
> > /admin/realms/{realm}/applications-by-id/{app-name}/roles/{role-name}.<br>
> > > > What<br>
> > > > > I was trying to do is to create a permission for {app-name} so that<br>
> > this<br>
> > > > > API call wouldn't require any Realm/RealmApp right.<br>
> > > > ><br>
> > > > > The problem I see is that this API call trigger many methods (i.e.<br>
> > > > > AdminRoot#getRealmsAdmin, RealmsAdminResource#getRealmAdmin,<br>
> > > > > RealmAdminResource#getApplicationsById, and so on...), and at those<br>
> > > > methods<br>
> > > > > there is not enough information to figure out whether this is:<br>
> > > > ><br>
> > > > > 1- An app-specific call and thus should be authorized even without<br>
> > realm<br>
> > > > > authorization, or;<br>
> > > > > 2- Not app-specific call and this should be properly authorized by<br>
> > > > > Realm/RealmApp.<br>
> > > > ><br>
> > > > > Even in the case of (1), the information on which app should I check<br>
> > for<br>
> > > > > authorization is not available.<br>
> > > > ><br>
> > > > > So it seems to me that this resource-loading mechanisms pressuposes<br>
> > an<br>
> > > > > authorization mechanism that checks only against the realm for<br>
> > > > permission,<br>
> > > > > and changing this seems daunting to me.<br>
> > > > ><br>
> > > > > Do you guys have any idea on a more local change I could make to<br>
> > achieve<br>
> > > > > the intended behavior?<br>
> > > > ><br>
> > > > > On Tue, Mar 24, 2015 at 2:33 PM, Thiago Presa <<br>
> > <a href="mailto:thiago.addevico@gmail.com">thiago.addevico@gmail.com</a><br>
> > > > ><br>
> > > > > wrote:<br>
> > > > ><br>
> > > > > > OK, agreed. We thought this out of consistency, but if that's not a<br>
> > > > good<br>
> > > > > > design we surely can consider a better one.<br>
> > > > > ><br>
> > > > > > On Tue, Mar 24, 2015 at 9:44 AM, Stian Thorgersen <<br>
> > <a href="mailto:stian@redhat.com">stian@redhat.com</a>><br>
> > > > > > wrote:<br>
> > > > > ><br>
> > > > > >><br>
> > > > > >><br>
> > > > > >> ----- Original Message -----<br>
> > > > > >> > From: "Thiago Presa" <<a href="mailto:thiago.addevico@gmail.com">thiago.addevico@gmail.com</a>><br>
> > > > > >> > To: <a href="mailto:stian@redhat.com">stian@redhat.com</a><br>
> > > > > >> > Cc: <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> > > > > >> > Sent: Tuesday, 24 March, 2015 1:41:16 PM<br>
> > > > > >> > Subject: Re: [keycloak-user] Application Management<br>
> > > > > >> ><br>
> > > > > >> > Hi there,<br>
> > > > > >> ><br>
> > > > > >> > I'm Alex's coworker and I'll be working on this too.<br>
> > > > > >> ><br>
> > > > > >> > We were just discussing your idea, and it seems to fit our<br>
> > > > requirements.<br>
> > > > > >> ><br>
> > > > > >> > As far as we have seen, keycloak already has a realm-admin<br>
> > concept.<br>
> > > > > >> > Whenever a realm "R" is created, it creates a R-realm<br>
> > application<br>
> > > > with<br>
> > > > > >> > a bunch of default roles (manage-users, manage-roles, etc.)<br>
> > into the<br>
> > > > > >> > realm master.<br>
> > > > > >> ><br>
> > > > > >> > We are currently thinking if we could mimic this structure for<br>
> > > > > >> > applications. What do you think?<br>
> > > > > >><br>
> > > > > >> It's already messy with the way I modelled it and adding the same<br>
> > for<br>
> > > > > >> applications would be even worse. I don't see why that's needed<br>
> > > > though if<br>
> > > > > >> we'd add what I proposed.<br>
> > > > > >><br>
> > > > > >> ><br>
> > > > > >> > > I had an idea a while back that is a simple way to achieve<br>
> > what<br>
> > > > you're<br>
> > > > > >> > > asking for. Th> e idea would be to only allow an admin to<br>
> > grant<br>
> > > > roles<br>
> > > > > >> that<br>
> > > > > >> > > the admin has access to.<br>
> > > > > >> ><br>
> > > > > >> > > Basically:> * A user with admin (super user) role can grant<br>
> > any<br>
> > > > roles<br>
> > > > > >> (we<br>
> > > > > >> > > would need to add a per-> realm super user role)<br>
> > > > > >> ><br>
> > > > > >> > > * A user with the role manage-users and some roles on app1 can<br>
> > > > only<br>
> > > > > >> grant<br>
> > > > > >> > > other users > the roles on app1<br>
> > > > > >> ><br>
> > > > > >> > > * A user with the role manage-users and some roles on app2 can<br>
> > > > only<br>
> > > > > >> grant<br>
> > > > > >> > > other users > the roles on app2<br>
> > > > > >> ><br>
> > > > > >> > ><br>
> > > > > >> ><br>
> > > > > >> > > This is something we should add in either case (to prevent<br>
> > users<br>
> > > > > >> granting<br>
> > > > > >> > themselves more access). Would it solve your problems?<br>
> > > > > >> ><br>
> > > > > >><br>
> > > > > ><br>
> > > > > ><br>
> > > > ><br>
> > > ><br>
> > ><br>
> ><br>
><br>
</div></div></blockquote></div><br></div></div>