On 08/12/15 13:50, Bill Burke wrote:
Continuing our hangout from yesterday...
The primary goal, IMO is to 1) clean up the master realm clients
2) remove the master realm requirement for cross-realm impersonation 3)
give the possibility to remove the master realm
Right now non-master realms trust admins in the master realm. These
"child" realms allow the master realm to decide which users in the
master realm are allowed to access it. I'll call this "cross-realm
administration". We could continue this model, but without role
namespaces you'd have to create realm-clients in each trusted realm.
Another idea is to do something really simple. Realm A decides to trust
Realm B and they "share" admin roles. If a user in Realm B has
"view-user" permission, then he also has "view-user" permission. The UI
is simple and there's no need for Realm A and B to know anything else
about each other. This is a simpler version of "cross-realm
administration" which doesn't give you any fine grain per-realm control.
This requires very little UI work which is the big blocker for me.
Building on that idea, which is what I started to implement, is that
Realm A "shares" admin roles still, but only allows certain permissions
for Realm B. Realm A grants admins in Realm B "view user and create client"
How about the case when I want to have:
1) user "a-admin" in realm A, which is supposed to have "view-user"
permission just for realm A
2) user "b-admin" in realm B, which is supposed to have "view-user"
permission just for realm B
3) user "admin" in realm A, which is supposed to have "view-user"
permission for both realms A and B
If I understand correctly, I won't be able to model this because:
For rule (3), I need realm B to trust realm A. However that implies
that user "a-admin" from realm A will be able to have "view-user" for
realm B, which breaks rule (1) and is something I don't want.
But still, maybe most of the people don't need something powerful and
this simple model will be sufficient for them? Maybe we can go with
simple model for now and later (after 1.0) we can introduce something
more powerful and incorporate Pedro's authorization stuff to be able to
specify more fine-grained permissions?
Marek
If you want to go further with the ability to grant a specific user or
group in another realm admin privileges then it becomes more
complicated. You have a chicken and egg problem first as you'd need a
way to view users and groups in another realm so you can grant
permission to them. I guess it could be you
1. Granting trust to a realm allows that realm to view your users and
groups. Well, at least query for username/email/attributes
2. UI screens would have to be created specific for managing
users/groups in another realm as you would want to filter what
information gets displayed
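The following is an added example, not code from this thread or from Keycloak itself: a toy model of the "shared admin roles" trust idea discussed above, in which a realm trusts another realm and grants its admins only a chosen subset of admin permissions. It runs Marek's three-user scenario (users "a-admin", "b-admin" and "admin" in realms A and B) through that model and shows why rules (1) and (3) cannot both hold. The `Realm` class, `has_permission` and `evaluate_rules` are illustrative names assumed here, not Keycloak APIs.

```python
# Added example, not code from the keycloak-dev thread or from Keycloak:
# a toy model of the "shared admin roles" trust idea, where a realm trusts
# another realm and grants its admins only a chosen subset of permissions.
# Realm and user names follow Marek's scenario; everything else is assumed.

from dataclasses import dataclass, field


@dataclass
class Realm:
    name: str
    # user -> admin permissions that user holds directly in this realm
    local_admins: dict = field(default_factory=dict)
    # trusted realm name -> permissions that realm's admins may exercise here
    trusts: dict = field(default_factory=dict)

    def grant_local(self, user, *perms):
        self.local_admins.setdefault(user, set()).update(perms)

    def trust(self, other_realm, *perms):
        # Realm-level grant: applies to every admin of the trusted realm
        self.trusts[other_realm] = set(perms)


def has_permission(realms, home_realm, user, target_realm, perm):
    """True if `user` (an admin of `home_realm`) may exercise `perm` on
    `target_realm`: the user must hold the permission at home, and, for a
    foreign realm, the target must trust the home realm for that permission."""
    home = realms[home_realm]
    if perm not in home.local_admins.get(user, set()):
        return False
    if home_realm == target_realm:
        return True
    return perm in realms[target_realm].trusts.get(home_realm, set())


def build_scenario(b_trusts_a_for_view_user):
    """Marek's three users; the flag decides whether realm B trusts realm A
    for "view-user", the only way rule (3) can be satisfied in this model."""
    a, b = Realm("A"), Realm("B")
    a.grant_local("a-admin", "view-user")
    a.grant_local("admin", "view-user")
    b.grant_local("b-admin", "view-user")
    if b_trusts_a_for_view_user:
        b.trust("A", "view-user")  # note: not "create-client" or anything else
    return {"A": a, "B": b}


def evaluate_rules(b_trusts_a_for_view_user):
    """Return (rule1, rule2, rule3) as booleans for the chosen trust setup."""
    realms = build_scenario(b_trusts_a_for_view_user)

    def can(home, user, target):
        return has_permission(realms, home, user, target, "view-user")

    rule1 = can("A", "a-admin", "A") and not can("A", "a-admin", "B")
    rule2 = can("B", "b-admin", "B") and not can("B", "b-admin", "A")
    rule3 = can("A", "admin", "A") and can("A", "admin", "B")
    return rule1, rule2, rule3


if __name__ == "__main__":
    for trust in (False, True):
        r1, r2, r3 = evaluate_rules(trust)
        print(f"B trusts A for view-user: {trust!s:5} "
              f"rule1={r1} rule2={r2} rule3={r3}")
    # Neither setting satisfies all three rules: trusting A gives a-admin
    # view-user on B (breaks rule 1); not trusting A leaves admin without it
    # on B (breaks rule 3). Per-user or per-group grants would be needed.
```

Because trust is granted to a realm as a whole, the only knob that can give "admin" view-user on realm B also gives it to "a-admin"; restricting the granted permission set (the "view user and create client" variant) limits which permissions leak across, but not which users.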