[security-dev] how to model services managed by a realm
Pedro Igor Silva
psilva at redhat.com
Tue Jun 11 10:58:23 EDT 2013
----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Pedro Igor Silva" <psilva at redhat.com>
> Cc: security-dev at lists.jboss.org
> Sent: Tuesday, June 11, 2013 11:14:05 AM
> Subject: Re: [security-dev] how to model services managed by a realm
> On 6/11/2013 10:00 AM, Pedro Igor Silva wrote:
> >> Then another problem with your suggestion is, for a given Realm, how do
> >> I find out the associated Tiers? I'm not seeing any examples or code
> >> that allows me to do this.
> > I think we don't support this kind of query. But you can always get all
> > users, groups or roles for a specific partition.
> Maybe create a default Agent within the realm and set an attribute which
> contains the related tiers?
This is possible, but I'm not sure how much this is a workaround :). I think is better wait for PLINK-130, then you can use your custom identity types to better satisfy your requirements.
There are other alternatives that I can think of, but none of them looks better then using tiers for application-specific roles and groups and realms for users. Which does not fit your requirements, as you said.
> Would be nice to be able to associate a tier with a realm and be able to
> query to find out which tiers are associated with a realm. Also, it
> would be nice to be able to define attributes for a tier or realm. I
> guess the only way to do this would again be to create a default Agent
> that has the attributes you need to set.
The main idea behind tiers are to share role/groups between realms. And not tie them to a specific realm. From the documentation:
"A Tier is a more restrictive type of partition than a realm, as it only allows groups and roles to
be defined (but not users). A Tier may be used to define a set of application-specific groups and
roles, which may then be assigned to groups within the same Tier, or to users and groups within
a separate Realm."
I think I have discussed that with Shane some time ago about attributes on partitions. Need to recall that. But I agree that partition-scoped attributes can be handy.
> Bill Burke
> JBoss, a division of Red Hat
More information about the security-dev