Do you mean, return all permissions associated with a resource? If so, yes,
you can do that through the Keycloak Java Admin Client. See
.
On Mon, Mar 5, 2018 at 3:43 PM, Nhut Thai Le <ntle(a)castortech.com> wrote:
Is it possible to customize the adapter to return all resource-mapped
permissions? I know Keycloak is open source so we can customize it, but I
need a general guideline on where to put my change.
Thanks
Thai
---------- Forwarded message ----------
From: Pedro Igor Silva <psilva(a)redhat.com>
Date: Mon, Mar 5, 2018 at 11:42 AM
Subject: Re: [keycloak-user] How to get permission to all child resources
To: Nhut Thai Le <ntle(a)castortech.com>
Cc: keycloak-user <keycloak-user(a)lists.jboss.org>
There is no way to ask for permissions based on paths. Currently, all the
logic that maps URIs/paths to protected resources in Keycloak is within
the policy enforcers (adapters). One thing we might do is maybe have
similar logic on the server where we could resolve resources based on
patterns, etc. Something we need to think about.
That is an area we are looking to improve though. We are working on some
improvements in order to offer better support for RESTful security. Things
like what you are asking for are what we are looking at.
Could you create an issue in JIRA describing your requirements so we can
include them in our roadmap?
Thanks.
Pedro Igor
On Mon, Mar 5, 2018 at 11:51 AM, Nhut Thai Le <ntle(a)castortech.com> wrote:
> Thanks for the suggestion, but the application which uses the REST API
> protected by Keycloak will not know all the resources I defined on Keycloak
> to start asking permission for the closest ancestor known to Keycloak
> (/Document/Administration) when it needs to know permissions for all
> files/folders under /Document/Administration/Contracts/Sarah/*.
>
> When testing Keycloak, we know that if Sarah tried to access a specific
> child resource (/Document/Administration/Contacts/Sarah/inventory.pdf)
> from the browser then she got access denied although this specific resource
> is not defined in Keycloak. Can we use any API to get this result? The
> Entitlement API only allows me to ask permission for a specific
> resource_set_name, not a path. If I can do this then I may be able to loop
> through all the files within /Document/Administration/Contacts/Sarah/*
> to get permissions, although it is going to be a huge performance issue.
>
> Thai
>
> On Mon, Mar 5, 2018 at 7:20 AM, Pedro Igor Silva <psilva(a)redhat.com>
> wrote:
>
>> Hey,
>>
>> In your application you could perform some logic that asks permissions
>> for the resource with URI "/Document/Administration". Right now Keycloak
>> does not perform any parent/child mapping between resources on the server
>> side.
>>
>> Would that work for you ?
>>
>> Regards.
>> Pedro Igor
>>
>> On Sun, Mar 4, 2018 at 1:09 PM, Nhut Thai Le <ntle(a)castortech.com>
>> wrote:
>>
>>> Hello,
>>>
>>> We are new to Keycloak and we are exploring its abilities for securing
>>> our web API. One thing we are trying to do is to get all permissions
>>> associated with a user for all child resources in an RPT. For example,
>>> let's say I'm trying to expose the folder Document on my file system to
>>> the network via REST. This Document folder may have millions of files and
>>> subfolders; most of them are accessible by all Users, some are only
>>> available to Admin, and some are for Customers only.
>>>
>>> On the Keycloak server, I would define 3 resources named:
>>> "All Docs" with URL /Document/* and a Role policy granting access to all
>>> Users
>>> "For Admin" with URL /Document/Administration/* and a Role policy granting
>>> access to only Admins
>>> "For Customer" with URL /Document/Products/* and a Role policy granting
>>> access to only Customers
>>>
>>> If I use the entitlement API, I can ask if Sarah, who is a Users and a
>>> Customers, can access "All Docs". However, if Sarah wants to know/list all
>>> files under /Document/Administration/Contracts/Sarah/* then how should I
>>> ask the entitlement API, since this URL is not declared as a resource in
>>> Keycloak? If I can call the API for this path, I would like to receive
>>> from the API some permissions info starting from /Document/Administration
>>> because this is the closest ancestor known to Keycloak regarding the path
>>> being asked.
>>>
>>> Hope to get some insight soon
>>>
>>> Thai
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>
>
> --
> Castor Technologies Inc
> 460 rue St-Catherine St Ouest, Suite 613
> Montréal, Québec H3B-1A7
> (514) 360-7208 o
> (514) 798-2044 f
> ntle(a)castortech.com
> www.castortech.com
>
> CONFIDENTIALITY NOTICE: The information contained in this e-mail is
> confidential and may be proprietary information intended only for the use
> of the individual or entity to whom it is addressed. If the reader of this
> message is not the intended recipient, you are hereby notified that any
> viewing, dissemination, distribution, disclosure, copy or use of the
> information contained in this e-mail message is strictly prohibited. If you
> have received and/or are viewing this e-mail in error, please immediately
> notify the sender by reply e-mail, and delete it from your system without
> reading, forwarding, copying or saving in any manner. Thank you.
> CONFIDENTIALITY NOTICE (translated from French): The information contained
> in this message is confidential, may be protected by professional secrecy
> and is reserved for the exclusive use of the recipient. Any other person is
> hereby advised that it is strictly forbidden to disseminate, distribute or
> reproduce this message. If you have received this communication in error,
> please destroy it immediately and notify the sender. Thank you.
>
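The path-to-resource mapping that Pedro says lives in the policy enforcer, and the "closest ancestor known to Keycloak" workaround Thai describes, as an added example in Python. This is not Keycloak's code and not code from anyone in the thread. The resource names, URI patterns and roles are the three resources from Thai's question; everything else is an assumption: that a pattern ending in "/*" covers every path under that prefix, that the longest matching pattern wins (chosen because it reproduces the denial Thai observed), that the Entitlement API body uses the resource_set_name form mentioned in the thread, and the helper names (resolve_resource, entitlement_request, local_decision) are hypothetical. The local role check is a deliberate simplification for illustration, not Keycloak's policy evaluation engine.

```python
"""Client-side mapping of a requested path to the most specific Keycloak
resource, then an Entitlement API request for that resource by name.

Added example for this thread, not Keycloak's own code. The resource
names, URI patterns and roles come from the question; the matching rule,
the request body shape and the helper names are assumptions.
"""
import json

# Constructed from the three resources defined in the question.
RESOURCES = {
    "All Docs": {"uri": "/Document/*", "roles": {"Users"}},
    "For Admin": {"uri": "/Document/Administration/*", "roles": {"Admin"}},
    "For Customer": {"uri": "/Document/Products/*", "roles": {"Customers"}},
}


def pattern_covers(pattern, path):
    """True when a resource URI pattern covers the requested path.

    Assumed rule: "/a/b/*" covers "/a/b" and everything below it; a
    pattern without a wildcard must match exactly. Requiring the "/"
    after the base keeps "/Documentation" from matching "/Document/*".
    """
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return path == base or path.startswith(base + "/")
    return path == pattern


def resolve_resource(path, resources=RESOURCES):
    """Name of the most specific (longest) matching resource, or None.

    This is the "closest known ancestor" lookup the thread asks for; the
    application does it locally because the server only accepts names.
    """
    best_name, best_len = None, -1
    for name, res in resources.items():
        if pattern_covers(res["uri"], path) and len(res["uri"]) > best_len:
            best_name, best_len = name, len(res["uri"])
    return best_name


def entitlement_request(path, resources=RESOURCES):
    """JSON body asking the Entitlement API for the resolved resource.

    Returns None when no declared resource covers the path, so the caller
    fails closed instead of sending a request Keycloak cannot map.
    """
    name = resolve_resource(path, resources)
    if name is None:
        return None
    return json.dumps({"permissions": [{"resource_set_name": name}]})


def local_decision(path, user_roles, resources=RESOURCES):
    """Illustrative role-policy check against the resolved resource.

    A simplification (one role policy per resource), not Keycloak's
    evaluation engine. It reproduces the observation in the thread: Sarah
    (roles Users, Customers) is denied /Document/Administration/... because
    the most specific resource is "For Admin", whose policy grants Admin only.
    """
    name = resolve_resource(path, resources)
    if name is None:
        return ("DENY", None)  # fail closed on paths no resource covers
    granted = bool(resources[name]["roles"] & set(user_roles))
    return ("PERMIT" if granted else "DENY", name)


if __name__ == "__main__":
    sarah = {"Users", "Customers"}
    for p in ("/Document/readme.txt",
              "/Document/Products/catalog.pdf",
              "/Document/Administration/Contacts/Sarah/inventory.pdf",
              "/Other/file.txt"):
        print(p, "->", local_decision(p, sarah), entitlement_request(p))
```

The point of resolving locally is that the application never has to enumerate the millions of files: it only needs the handful of declared URI patterns, resolves the caller's path to one of them, and asks Keycloak for that single resource name. A path that no pattern covers yields no request and a DENY, which is the safe default when the server has nothing to evaluate.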