You are right, there is a bug there.
The problem is that evaluation is also evaluating UMA permissions for
resource owners and if there is no "resource-based permission" for the
resource it will result in a deny. So far, we have been considering UMA
where at least one permission is granting access to the resource. When
using only scope permissions, the issue shows up. If you could at least
define a permission that is evaluated for all your resources (define a type
for your resources + a permission for this type), you should work around
this.
I've submitted a fix to
https://issues.jboss.org/browse/KEYCLOAK-8445.
Regards.
Pedro Igor
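An authorization-settings export sketching the workaround described above, added here as an illustration and not taken from the thread or from Keycloak's own example projects: the owner-managed resources share one type, and a resource-based permission on that type applies the owner/admin policy, so evaluation for the owner no longer falls through to a deny when only scope-based permissions exist. The type URN, the "admin" role name, the JS owner check and the single Read scope permission (the other four follow the same pattern) are assumptions.

```json
{
  "allowRemoteResourceManagement": true,
  "policyEnforcementMode": "ENFORCING",
  "resources": [
    {
      "name": "JDoe_Resource",
      "type": "urn:my-app:resources:entity",
      "ownerManagedAccess": true,
      "scopes": [{"name": "Admin"}, {"name": "Peek"}, {"name": "Read"}, {"name": "Write"}, {"name": "Delete"}]
    }
  ],
  "policies": [
    {
      "name": "Only Owner Policy",
      "type": "js",
      "logic": "POSITIVE",
      "config": {
        "code": "var identity = $evaluation.getContext().getIdentity(); var resource = $evaluation.getPermission().getResource(); if (resource && resource.getOwner().equals(identity.getId())) { $evaluation.grant(); }"
      }
    },
    {
      "name": "Administrators Policy",
      "type": "role",
      "logic": "POSITIVE",
      "config": {"roles": "[{\"id\":\"admin\",\"required\":false}]"}
    },
    {
      "name": "Only Owner and Administrators Policy",
      "type": "aggregate",
      "logic": "POSITIVE",
      "decisionStrategy": "AFFIRMATIVE",
      "config": {"applyPolicies": "[\"Only Owner Policy\",\"Administrators Policy\"]"}
    },
    {
      "name": "Entity Type Permission",
      "type": "resource",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "defaultResourceType": "urn:my-app:resources:entity",
        "applyPolicies": "[\"Only Owner and Administrators Policy\"]"
      }
    },
    {
      "name": "Read Entity Resource Permission",
      "type": "scope",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {"scopes": "[\"Read\"]", "applyPolicies": "[\"Only Owner and Administrators Policy\"]"}
    }
  ],
  "scopes": [{"name": "Admin"}, {"name": "Peek"}, {"name": "Read"}, {"name": "Write"}, {"name": "Delete"}]
}
```

After importing, re-run the evaluation tool for JDoe against JDoe_Resource; the "Entity Type Permission" entry should now report PERMIT for the owner alongside the scope permissions, with no top-level DENY.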
On Fri, Sep 28, 2018 at 1:22 PM Pedro Igor Silva <psilva(a)redhat.com> wrote:
Hi,
What permissions did you actually get in the token ? Wondering if this is
an issue with the evaluation tool report.
Regards.
Pedro Igor
On Fri, Sep 28, 2018 at 1:03 PM Ulrik Sjölin <ulrik.sjolin(a)gmail.com>
wrote:
> Hello,
>
> My name is Ulrik Sjölin and where I work we are currently looking into
> Keycloak (4.4). I have a question regarding permissions and policy
> evaluation.
>
> My very simple setup is like this:
>
> User Alice owns Alice_Resource which has 5 scopes (Admin, Peek, Read,
> Write, Delete)
> User JDoe owns JDoe_Resource which has the same scopes as Alice_Resource
> User JDoe has given user Alice Peek, Read, Write access to JDoe_Resource
> via the Keycloak web UI.
>
> There are 5 scope-based permissions, one for each scope, that allow the
> owner & admin each scope (Only Owner and Administrators Policy). My idea
> here is that the owner of a resource
> should not have to add the permissions on himself to be able to access the
> resource.
>
> I now run evaluate and I get a surprising result:
>
> Input:
> User JDoe
> Resource: JDoe
> Scope: Any
>
> Output:
> Result
> PERMIT
> Scopes
> Delete
> Admin
> Policies
> Resource owner (jdoe(a)keycloak.org) grants access to alice(a)keycloak.org
> decision was DENY by UNANIMOUS decision. Denied Scopes: Read, Write, Peek.
> Read Entity Resource Permission decision was PERMIT by UNANIMOUS decision.
> Granted Scopes: Read.
> Only Owner and Administrators Policy voted to PERMIT .
> Write Entity Resource Permission decision was PERMIT by UNANIMOUS
> decision.
> Granted Scopes: Write.
> Only Owner and Administrators Policy voted to PERMIT .
> Delete Entitiy Resource Permission decision was PERMIT by UNANIMOUS
> decision. Granted Scopes: Delete.
> Only Owner and Administrators Policy voted to PERMIT .
> Admin Entity Resource Permission decision was PERMIT by UNANIMOUS
> decision.
> Granted Scopes: Admin.
> Only Owner and Administrators Policy voted to PERMIT .
> Peek Entity Resource Permission decision was PERMIT by AFFIRMATIVE
> decision. Granted Scopes: Peek.
> Peek resource role policy voted to PERMIT .
> Only Owner and Administrators Policy voted to PERMIT .
>
>
> I would expect JDoe to have full access to his resource since he is the
> owner and all the policies are reporting PERMIT. It is the top DENY that I
> can’t wrap my head around.
> The grants JDoe has given to Alice are removed from his own grants list,
> is this expected behavior? Why do grants to user Alice affect the grants
> of user JDoe?
>
> Best Regards,
>
> Ulrik
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user