Tristan Tarrant created ISPN-12620: -------------------------------------- Summary: Implicit authorization Key: ISPN-12620 URL: https://issues.redhat.com/browse/ISPN-12620 Project: Infinispan Issue Type: Enhancement Components: Security, Server Reporter: Tristan Tarrant Assignee: Tristan Tarrant Fix For: 13.0.0.Final Authorization should be enabled OOTB in the server. * out-of-the-box, authorization would apply only at the cache manager level. Caches would not have authz enabled by default (the performance cost is non-negligible) * the current small set of permissions which can be combined to form roles is not flexible enough. We would need to have named roles, possibly mapping to the REST resource names (e.g. {{/v2/logging/loggers, /v2/caches/cacheName}}) and map permissions to verbs ({{GET/HEAD = READ, POST,PUT,DELETE = WRITE}}). We might want to use resource prefixes to provide coarser management * users upgrading from older versions will need to add the roles to their existing users. To make use of authorization less cumbersome we should also have some defaults. Adding the empty {{<authorization>}} element should enable authorization with a set of default predefined roles A proposed list of these roles: * admin superuser, allowed to do everything * application allowed to perform all read/write ops, but not allowed to create/remove caches, schemas, scripts * deployer allowed to create/remove caches, schemas, scripts * observer a read-only role. Can use the CLI/console but all write ops are forbidden In terms of {{org.infinispan.security.AuthorizationPermission}} add the following permission: CREATE which would allow create/remove of caches, counters, schemas, scripts -- This message was sent by Atlassian Jira (v8.13.1#813001)