Yeah. There is a set of UIs from where you can manage things such as:
* Manage Resource Servers (the client applications acting as a RS)
* Manage Resources
* Manage Scopes
* Manage Permissions (resource and scope based permissions)
* Manage Policies (which are associated with the permissions above)
Besides that, there are some built-in "enforcers"/PEPs that you can use to
protect:
* JAX-RS resources
* Servlet resources
That is what we are considering in the first release. But there are plenty of other
things we are planning to add in the future ...
Please, feel free to contact me on IRC #keycloak for more info or any issue.
Regards.
Pedro Igor
----- Original Message -----
From: "Duarte" <duarteetraud(a)gmail.com>
To: "Pedro Igor Silva" <psilva(a)redhat.com>
Cc: "Marek Posolda" <mposolda(a)redhat.com>, keycloak-dev(a)lists.jboss.org
Sent: Monday, April 11, 2016 11:28:26 AM
Subject: Re: [keycloak-dev] Attribute-based Access Control
Hi Marek, Pedro
Thank you for the replies.
Very interesting indeed, I'll surely take a look into this!! Let me know if I
can help you with anything.
Just one question before I pull this version, do you have the web interface
to manage the policies?
Cheers.
2016-04-11 14:42 GMT+01:00 Pedro Igor Silva <psilva(a)redhat.com>:
Like Marek said, we are working on a new set of functionalities to leverage
Keycloak's authorization model to also support fine-grained permissions.
By fine-grained, that means you'll be able to manage your resources and
their respective scopes and associate them with authorization policies that
rule who, when, how access should be granted. Where these policies can be
based on ABAC, RBAC, Context-based, etc. Some policies can be even written
using Javascript (which gives you great flexibility) or JBoss Drools.
Right now, I'm merging that code that Marek pointed out with
upstream/master. However, for the latest code about this stuff, please consider
[1].
I hope to get a PR this week, but feel free to take a look and try it out
:)
[1]
https://github.com/pedroigor/keycloak/tree/KEYCLOAK-2753
----- Original Message -----
From: "Marek Posolda" <mposolda(a)redhat.com>
To: "Duarte" <duarteetraud(a)gmail.com>, keycloak-dev(a)lists.jboss.org
Cc: "Pedro Igor Silva" <psilva(a)redhat.com>
Sent: Monday, April 11, 2016 9:48:08 AM
Subject: Re: [keycloak-dev] Attribute-based Access Control
There is an authorization prototype by Pedro in progress. You can check it
here
https://github.com/pedroigor/keycloak-authz
Marek
On 09/04/16 14:45, Duarte wrote:
> Hi,
>
> My name is Duarte, and this is the first post on this dev-list.
>
> My question is regarding Attribute-based Access Control. Is there any
> usable feature for Attribute based decision for resource access? Or do
> I have to make my own?
>
> Basically what I want to do is a PEP (Policy Enforcement Point) and a
> PDP (Policy Decision Point) on Keycloak with external attributes
> (Federated).
>
> e.g: User has attribute of X can only access files A<->B and User with
> attribute Y can only access B<->L.
>
> Thank you.
>
--
[Never forget "Security is not a product, but a process"]