I apologize for sending a second e-mail. Just wanted to make my opinion
more clear.
I think that we should have roles which represent duties:
e.g. CreateVariant, DeleteVariant, CreatePushApplication, CreateUser,
etc.
Each of these duties could be assigned/removed from a user. Having roles
like "developer", "simple" which contain "hidden" duties
creates risk.
The ability to create users with specific duties is what spreads the
risk. This way, the developers won't modify the role annotations in UPS
source code, since they will have the ability to create a user with the
desired duties. If specific duties like CreateVariant are too much, we
could unify duties like VariantManagement, UserManagement.
On Wed, 2013-11-06 at 10:33 +0100, Apostolos Emmanouilidis wrote:
In general, it is very hard to detect an improperly protected REST
endpoint. Using least privilege principles could improve the control.
Regarding the roles, how could someone create a new admin user? Having
one and only one admin user with all access rights is a security
vulnerability itself. If the same admin credentials are shared between
several people/administrators it will be almost impossible to detect
which one is the compromise.
In conclusion my opinion is that:
1. Logging the endpoint accessibility is a must: e.g. DateTime: User
[admin] with roles [admin] accessed createUser endpoint
2. Roles should be based on delegation of duties. "developer" or
"simple" roles do not reflect any duties and it's hard to guess their
duties without reading the documentation. Of course, delegation of
duties (e.g. having a UserManagement role and the ability to assign it)
will make the role-based access management part of AeroGear Unified
Push Server much more complex. However, this will spread the risk of
having a single admin user with all rights.
On Tue, 2013-11-05 at 16:34 +0100, Sebastien Blanc wrote:
> -admin : can do all the CRUD operations + creating/deleting users
> The default user (admin/123) should have the "admin" role
> Users created by the admin can have the role developer or simple
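Worked example, added to this thread and not code from the AeroGear UnifiedPush Server or from any of the posters: a small duty-based authorization model in the shape both messages above argue for. Roles are explicit duties (CreateVariant, DeleteVariant, CreatePushApplication, CreateUser, taken from the thread) rather than labels like "developer"; a named bundle such as VariantManagement expands to the duties it stands for; a user may delegate only duties they hold themselves, so there is no single all-powerful account that everyone shares; and every authorization decision, allowed or denied, writes an audit line in the "DateTime: User [..] with roles [..] accessed .. endpoint" form proposed above. The AssignDuty duty, the bundle contents, the endpoint names and the scenario data are assumptions made for the example.

```python
"""Duty-based access control with per-endpoint audit logging.

Added illustration of the design discussed in this thread; it is not code
from the AeroGear UnifiedPush Server.  Duty names come from the thread;
the AssignDuty duty, the bundle contents and the endpoint names are assumed.
"""
from datetime import datetime, timezone
from enum import Enum


class Duty(Enum):
    CREATE_VARIANT = "CreateVariant"
    DELETE_VARIANT = "DeleteVariant"
    CREATE_PUSH_APPLICATION = "CreatePushApplication"
    CREATE_USER = "CreateUser"
    ASSIGN_DUTY = "AssignDuty"  # assumed: required to hand duties to others


# Named bundles expand to explicit duties; nothing is hidden behind a label
# such as "developer".  Bundle contents are assumed for this example.
BUNDLES = {
    "VariantManagement": {Duty.CREATE_VARIANT, Duty.DELETE_VARIANT},
    "UserManagement": {Duty.CREATE_USER, Duty.ASSIGN_DUTY},
}


class User:
    def __init__(self, name, duties):
        self.name = name
        self.duties = frozenset(duties)


class AuditLog:
    """Records every authorization decision, allowed or denied."""

    def __init__(self, clock=None):
        self.lines = []
        self.clock = clock or (lambda: datetime.now(timezone.utc))

    def record(self, user, endpoint, allowed):
        held = ",".join(sorted(d.value for d in user.duties))
        verdict = "accessed" if allowed else "was denied"
        self.lines.append(f"{self.clock().isoformat()}: User [{user.name}] "
                          f"with roles [{held}] {verdict} {endpoint} endpoint")


class EscalationError(PermissionError):
    """A creator tried to grant a duty they do not hold themselves."""


def authorize(user, required, endpoint, audit):
    """Check one duty for one endpoint; always leaves an audit line."""
    allowed = required in user.duties
    audit.record(user, endpoint, allowed)
    return allowed


def create_user(creator, name, duties, audit):
    """Delegation: a creator may only hand out duties they hold."""
    if not authorize(creator, Duty.CREATE_USER, "createUser", audit):
        raise PermissionError(f"{creator.name} lacks CreateUser")
    if not authorize(creator, Duty.ASSIGN_DUTY, "assignDuty", audit):
        raise PermissionError(f"{creator.name} lacks AssignDuty")
    extra = set(duties) - creator.duties
    if extra:
        raise EscalationError(
            f"{creator.name} cannot grant {sorted(d.value for d in extra)}")
    return User(name, duties)


def expand(bundle_names):
    """Turn bundle labels into the explicit duty set they stand for."""
    duties = set()
    for name in bundle_names:
        duties |= BUNDLES[name]
    return duties


def run_scenario():
    """Constructed scenario: one full admin delegating narrower duties."""
    fixed = datetime(2013, 11, 6, 10, 33, tzinfo=timezone.utc)  # constructed
    audit = AuditLog(clock=lambda: fixed)
    admin = User("admin", set(Duty))
    alice = create_user(admin, "alice", expand(["VariantManagement"]), audit)
    bob = create_user(admin, "bob", expand(["UserManagement"]), audit)
    alice_ok = authorize(alice, Duty.CREATE_VARIANT, "createVariant", audit)
    alice_user = authorize(alice, Duty.CREATE_USER, "createUser", audit)
    try:  # bob manages users but holds no variant duties, so cannot grant them
        create_user(bob, "carol", expand(["VariantManagement"]), audit)
        escalated = False
    except EscalationError:
        escalated = True
    return {"alice": alice, "bob": bob, "alice_ok": alice_ok,
            "alice_user": alice_user, "escalated": escalated,
            "audit": audit.lines}


if __name__ == "__main__":
    for line in run_scenario()["audit"]:
        print(line)
```

Two design points worth noting: the audit line is written before the outcome is known to the caller, so a denied request is as visible as an allowed one, and the escalation check compares the requested duties against the creator's own set, which is what keeps a UserManagement holder from quietly minting a full admin.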
_______________________________________________
aerogear-dev mailing list
aerogear-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev