Is it possible to customize the adapter to return all resource-mapped
permissions? I know Keycloak is open source so we can customize it, but I
need a general guideline on where to put my change.
Thanks
Thai
---------- Forwarded message ----------
From: Pedro Igor Silva <psilva(a)redhat.com>
Date: Mon, Mar 5, 2018 at 11:42 AM
Subject: Re: [keycloak-user] How to get permission to all child resources
To: Nhut Thai Le <ntle(a)castortech.com>
Cc: keycloak-user <keycloak-user(a)lists.jboss.org>
There is no way to ask permissions based on paths. Currently, all the logic
that maps URIs/paths to protected resources in Keycloak is within the
policy enforcers (adapters). One thing we might do is maybe have a similar
logic on the server where we could resolve resources based on patterns, etc.
.... Something we need to think about ....
That is an area we are looking to improve though. We are working on some
improvements in order to offer better support for RESTful security. Things
like what you are asking are what we are looking for.
Could you create an issue in JIRA describing your requirements so we can
include them in our roadmap?
Thanks.
Pedro Igor
On Mon, Mar 5, 2018 at 11:51 AM, Nhut Thai Le <ntle(a)castortech.com> wrote:
Thanks for the suggestion, but the application which uses the REST API
protected by Keycloak will not know all the resources I defined on Keycloak
to start asking permission for the closest ancestor known to Keycloak
(/Document/Administration) when it needs to know permissions for all
files/folders under /Document/Administration/Contracts/Sarah/*.
When testing Keycloak, we know that if Sarah tried to access a specific
child resource (/Document/Administration/Contacts/Sarah/inventory.pdf)
from the browser then she got access denied although this specific resource
is not defined in Keycloak. Can we use any API to get this result? The
Entitlement API only allows me to ask permission for a specific
resource_set_name, not a path. If I can do this then I may be able to loop
through all the files within /Document/Administration/Contacts/Sarah/*
to get permission, although it's gonna be a huge performance issue.
Thai
On Mon, Mar 5, 2018 at 7:20 AM, Pedro Igor Silva <psilva(a)redhat.com> wrote:
> Hey,
>
> In your application you could perform some logic that asks permissions
> for the resource with URI "/Document/Administration". Right now Keycloak
> does not perform any parent/child mapping between resources on the server
> side.
>
> Would that work for you?
>
> Regards.
> Pedro Igor
>
> On Sun, Mar 4, 2018 at 1:09 PM, Nhut Thai Le <ntle(a)castortech.com> wrote:
>
>> Hello,
>>
>> We are new to Keycloak and we are exploring its abilities for securing
>> our web API. One thing we are trying to do is to get all permissions
>> associated with a user for all child resources in an RPT. For example,
>> let's say I'm trying to expose the folder Document on my file system to the
>> network via REST. This Document folder may have millions of files and
>> subfolders; most of them are accessible by all Users, some are only
>> available to Admin, and some are for Customers only.
>>
>> On the Keycloak server, I would define 3 resources named:
>> "All Docs" with URL /Document/* and Role policy granting access to all Users
>> "For Admin" with URL /Document/Administration/* and Role policy granting access to only Admins
>> "For Customer" with URL /Document/Products/* and Role policy granting access to only Customers
>>
>> If I use the entitlement API, I can ask if Sarah, who is in Users and
>> Customers, can access "All Docs". However, if Sarah wants to know/list all
>> files under /Document/Administration/Contracts/Sarah/* then how should I
>> ask the entitlement API since this URL is not declared as a resource in
>> Keycloak? If I can call the API for this path, I would like to receive from
>> the API some permissions info starting from /Document/Administration
>> because this is the closest ancestor known to Keycloak regarding the path
>> being asked.
>>
>> Hope to get some insight soon
>>
>> Thai
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Castor Technologies Inc
460 rue St-Catherine St Ouest, Suite 613
Montréal, Québec H3B-1A7
(514) 360-7208 o
(514) 798-2044 f
ntle(a)castortech.com
www.castortech.com
CONFIDENTIALITY NOTICE: The information contained in this e-mail is
confidential and may be proprietary information intended only for the use
of the individual or entity to whom it is addressed. If the reader of this
message is not the intended recipient, you are hereby notified that any
viewing, dissemination, distribution, disclosure, copy or use of the
information contained in this e-mail message is strictly prohibited. If you
have received and/or are viewing this e-mail in error, please immediately
notify the sender by reply e-mail, and delete it from your system without
reading, forwarding, copying or saving in any manner. Thank you.
CONFIDENTIALITY NOTICE: The information contained in this message is
confidential, may be protected by professional secrecy and is reserved for
the exclusive use of the addressee. Any other person is hereby notified that
it is strictly forbidden to disseminate, distribute or reproduce this message.
If you have received this communication in error, please destroy it
immediately and notify the sender. Thank you.
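As an added example (not code from this thread, and not Keycloak's own adapter code), here is what the application-side logic Pedro describes, resolving a requested path to the closest resource the server knows and deciding on that resource, can look like in Python. The resource names and URI patterns are the three Thai defines; the role sets standing in for the Role policies, the longest-matching-prefix rule used to pick the "closest ancestor", and the helper names (`closest_resource`, `is_permitted`, `filter_listing`) are assumptions made here and say nothing about how Keycloak's policy enforcer itself matches paths. Where a real application would send an entitlement request for the resolved resource name, the stand-in policy decides locally. Two points a practitioner would want in such code: the path is normalized before matching, so a `..` segment cannot make a file under /Document/Administration look like it sits under /Document/Products; and a directory listing is decided once per resolved resource rather than once per file, which is the per-file round trip Thai is worried about.

```python
import posixpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    """A Keycloak-style resource: a name, a URI pattern, and the roles that a
    constructed stand-in for its Role policy would grant access to."""
    name: str
    uri_pattern: str
    allowed_roles: frozenset


# The three resources from the thread. The role sets are constructed
# stand-ins for the Role policies attached to them on the Keycloak server.
RESOURCES = (
    Resource("All Docs", "/Document/*", frozenset({"Users"})),
    Resource("For Admin", "/Document/Administration/*", frozenset({"Admin"})),
    Resource("For Customer", "/Document/Products/*", frozenset({"Customers"})),
)


def normalize(path):
    """Collapse '.', '..' and duplicate slashes before matching, so a request
    spelled '/Document/Products/../Administration/x' is matched against the
    folder it actually reaches (/Document/Administration/x)."""
    return "/" + posixpath.normpath(path).lstrip("/")


def pattern_prefix(pattern):
    """'/Document/Administration/*' -> '/Document/Administration'."""
    return pattern[:-2] if pattern.endswith("/*") else pattern


def pattern_matches(pattern, path):
    """Match a '/prefix/*' pattern on whole path segments, so '/Document/*'
    covers '/Document/x' but not '/Documents/x'."""
    prefix = pattern_prefix(pattern)
    if pattern.endswith("/*"):
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern


def closest_resource(path, resources=RESOURCES):
    """The most specific resource covering `path` (longest matching prefix):
    the 'closest ancestor known to Keycloak' from the thread, or None.
    Longest-prefix selection is an assumption of this example."""
    path = normalize(path)
    matching = [r for r in resources if pattern_matches(r.uri_pattern, path)]
    if not matching:
        return None
    return max(matching, key=lambda r: len(pattern_prefix(r.uri_pattern)))


def is_permitted(path, user_roles, resources=RESOURCES):
    """Fail closed: a path no resource covers is denied; otherwise the most
    specific resource's (stand-in) policy decides. A real application would
    send an entitlement request for resource.name at this point."""
    resource = closest_resource(path, resources)
    if resource is None:
        return False
    return bool(resource.allowed_roles & frozenset(user_roles))


def filter_listing(paths, user_roles, resources=RESOURCES):
    """Filter a directory listing for a user. Decisions are cached per
    resolved resource, so listing many files under one folder costs one
    policy lookup per distinct resource rather than one per file."""
    decisions = {}
    allowed = []
    for p in paths:
        resource = closest_resource(p, resources)
        key = resource.name if resource else None
        if key not in decisions:
            decisions[key] = resource is not None and bool(
                resource.allowed_roles & frozenset(user_roles))
        if decisions[key]:
            allowed.append(p)
    return allowed


if __name__ == "__main__":
    # Sarah from the thread: in Users and Customers, not Admin.
    sarah = {"Users", "Customers"}
    contract = "/Document/Administration/Contracts/Sarah/inventory.pdf"
    print(closest_resource(contract).name)            # For Admin
    print(is_permitted(contract, sarah))              # False
    print(filter_listing(["/Document/readme.txt", contract], sarah))
```

Running the script reproduces the behaviour Thai observed: the undeclared file under /Document/Administration resolves to "For Admin" and is denied for Sarah, while a file under /Document/Products resolves to "For Customer" and is allowed. Replacing the `allowed_roles` check in `is_permitted` with an entitlement request for `resource.name` is the only change needed to let Keycloak, rather than the stand-in, make the decision.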