6:54 p.m.
I see, so I need to create "mydomain" as a resource.
But what should be the type for both "mydomain" and "myhouse"? Should
it be
something like "domain:mydomain"?
What I would like is to grant different access to users to that domain.
For example: user Bob can only view resources in domain "mydomain".
User Alice can view and delete resources in "mydomain".
Should I create a "User Policy" with the list of users that have access?
If I understand, I need to use the "resource-based" permission. However it
does not seem to let me select the scopes (as in my example: Bob can only
view, but Alice can delete).
Another question: how to invoke the API for typed resources?
I have:
curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer
$TOKEN" -d '{
"permissions" : [
{
"resource_set_name" : "Sensors",
"scopes" : [
"view"
]
}
]
}' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup"
But this uses the name of the resource, so I am not sure. Is there a
reference for this API?
Thanks a lot
PS. I found some minor bugs related to the API, should I report them here
or create a JIRA?
On Tue, Nov 21, 2017 at 1:51 PM, Pedro Igor Silva <psilva(a)redhat.com> wrote:
Resources have a *type* field that can be used to group resources.
Permissions granted to a "typed resource" (which is created with the
resource server itself as the owner) applies to any other resource with the
same type and owned by an user. Think about a "typed resource" as a
general/parent resource.
If you have a "mydomain" typed resource and a "myhouse" resource,
sharing
the same type, any permission you apply to "mydomain" is going to be
applied to "myhouse".
Does it makes sense ?
On Mon, Nov 20, 2017 at 9:10 AM, Corentin Dupont <
corentin.dupont(a)gmail.com> wrote:
> Thanks for the answer.
> My plan is to make authorizations based on groups of resources, that we
> call "domains".
> Basically, when a user creates a resource, he can decide to put it in an
> existing domain.
> The URL reflects that domain:
>
> http://www.example.com/api/v1/domains/mydomain/houses/myhouse
>
> The user can also create domains with the domains endpoint:
>
> POST http://www.example.com/api/v1/domains/
>
> What is not clear for me is how users can get access to domains.
> Probably users can have an attribute "domains", with the list of domains
> they have access to?
> Or should a domain be represented in Keycloak as a resource?
> In this case, should we create roles to access that domain?
> For example, the role "admin-mydomain" ?
>
> Or should it be implemented with user groups in Keycloak? Or with User
> policies?
>
>
>
> On Fri, Nov 17, 2017 at 9:06 PM, Pedro Igor Silva <psilva(a)redhat.com>
> wrote:
>
>> Right now you can't do it. This is all about the work we are doing to
>> better support UMA protocol. Soon you'll be able to let your users to
>> manage their resources (and their policies) from Keycloak Account Service,
>> grant and revoke access to other users, authorization flows. We are really
>> missing this.
>>
>> However, I think you can try to use the Policy Management API. It
>> provides a RESTful API that you can use to manage permissions and policies.
>> As an example https://github.com/pedroigor/keycloak/blob/cedc095a9
>> c50a1d16482acbbc9876de1730c9fb1/testsuite/integration-arquil
>> lian/tests/base/src/test/java/org/keycloak/testsuite/admin/
>> client/authorization/UserPolicyManagementTest.java. There are other
>> tests in the same package for other permission and policy types.
>>
>> Please, let me know about your achievements if you start doing something
>> with the Policy Management API. Any feedback is welcome and will probably
>> help with the work I mentioned before around UMA.
>>
>> On Fri, Nov 17, 2017 at 4:59 PM, Corentin Dupont <
>> corentin.dupont(a)gmail.com> wrote:
>>
>>> Hi guys,
>>> is it possible for an application user to grant some authorizations to
>>> another user?
>>> For example in the photoz example, how can I give access to my albums
>>> to another user?
>>> What would be the mechanism?
>>>
>>> Thanks a lot
>>> Corentin
>>>
>>
>>
>
10:13 p.m.
New subject: Authorization transfer
In parallel with the domains authorizations, I have other policies, such as
"owner" policies (similar to the photoz example).
I coded the owner policy with javascript:
var context = $evaluation.getContext();
var permission = $evaluation.getPermission();
var identity = context.getIdentity();
if (identity.id == permission.getResource().getOwner()) {
$evaluation.grant();
}
But it leads to this result when evaluating a user:
Result*: DENY*
Policies:
- *Can access domain
<http://localhost:8080/auth/admin/master/console/#/realms/waziup/clients/0...
decision was *PERMIT* by *UNANIMOUS* decision.
- *Users in domain
<http://localhost:8080/auth/admin/master/console/#/realms/waziup/clients/0...
voted to *PERMIT* .
*Can delete MyHouse
<http://localhost:8080/auth/admin/master/console/#/realms/waziup/clients/0...
decision was *DENY* by *UNANIMOUS* decision.
- *owner can access
<http://localhost:8080/auth/admin/master/console/#/realms/waziup/clients/0...
voted to *DENY*.
The two permissions are overlapping, so it seems normal that both got
evaluated.
But why the java policy ("Grant_owner") voted DENY?
I didn't mention explicitly the deny in the code...
I think that if you are the owner, you should be granted. But if you are
not the owner, no decision can be taken by the policy...
On Tue, Nov 21, 2017 at 6:54 PM, Corentin Dupont <corentin.dupont(a)gmail.com>
wrote:
I see, so I need to create "mydomain" as a resource.
But what should be the type for both "mydomain" and "myhouse"? Should
it
be something like "domain:mydomain"?
What I would like is to grant different access to users to that domain.
For example: user Bob can only view resources in domain "mydomain".
User Alice can view and delete resources in "mydomain".
Should I create a "User Policy" with the list of users that have access?
If I understand, I need to use the "resource-based" permission. However it
does not seem to let me select the scopes (as in my example: Bob can only
view, but Alice can delete).
Another question: how to invoke the API for typed resources?
I have:
curl -X POST -H "Content-Type: application/json" -H "Authorization:
Bearer
$TOKEN" -d '{
"permissions" : [
{
"resource_set_name" : "Sensors",
"scopes" : [
"view"
]
}
]
}' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup"
But this uses the name of the resource, so I am not sure. Is there a
reference for this API?
Thanks a lot
PS. I found some minor bugs related to the API, should I report them here
or create a JIRA?
On Tue, Nov 21, 2017 at 1:51 PM, Pedro Igor Silva <psilva(a)redhat.com>
wrote:
> Resources have a *type* field that can be used to group resources.
> Permissions granted to a "typed resource" (which is created with the
> resource server itself as the owner) applies to any other resource with the
> same type and owned by an user. Think about a "typed resource" as a
> general/parent resource.
>
> If you have a "mydomain" typed resource and a "myhouse" resource,
sharing
> the same type, any permission you apply to "mydomain" is going to be
> applied to "myhouse".
>
> Does it makes sense ?
>
> On Mon, Nov 20, 2017 at 9:10 AM, Corentin Dupont <
> corentin.dupont(a)gmail.com> wrote:
>
>> Thanks for the answer.
>> My plan is to make authorizations based on groups of resources, that we
>> call "domains".
>> Basically, when a user creates a resource, he can decide to put it in an
>> existing domain.
>> The URL reflects that domain:
>>
>> http://www.example.com/api/v1/domains/mydomain/houses/myhouse
>>
>> The user can also create domains with the domains endpoint:
>>
>> POST http://www.example.com/api/v1/domains/
>>
>> What is not clear for me is how users can get access to domains.
>> Probably users can have an attribute "domains", with the list of
>> domains they have access to?
>> Or should a domain be represented in Keycloak as a resource?
>> In this case, should we create roles to access that domain?
>> For example, the role "admin-mydomain" ?
>>
>> Or should it be implemented with user groups in Keycloak? Or with User
>> policies?
>>
>>
>>
>> On Fri, Nov 17, 2017 at 9:06 PM, Pedro Igor Silva <psilva(a)redhat.com>
>> wrote:
>>
>>> Right now you can't do it. This is all about the work we are doing to
>>> better support UMA protocol. Soon you'll be able to let your users to
>>> manage their resources (and their policies) from Keycloak Account Service,
>>> grant and revoke access to other users, authorization flows. We are really
>>> missing this.
>>>
>>> However, I think you can try to use the Policy Management API. It
>>> provides a RESTful API that you can use to manage permissions and policies.
>>> As an example https://github.com/pedroigor/keycloak/blob/cedc095a9
>>> c50a1d16482acbbc9876de1730c9fb1/testsuite/integration-arquil
>>> lian/tests/base/src/test/java/org/keycloak/testsuite/admin/c
>>> lient/authorization/UserPolicyManagementTest.java. There are other
>>> tests in the same package for other permission and policy types.
>>>
>>> Please, let me know about your achievements if you start doing
>>> something with the Policy Management API. Any feedback is welcome and will
>>> probably help with the work I mentioned before around UMA.
>>>
>>> On Fri, Nov 17, 2017 at 4:59 PM, Corentin Dupont <
>>> corentin.dupont(a)gmail.com> wrote:
>>>
>>>> Hi guys,
>>>> is it possible for an application user to grant some authorizations to
>>>> another user?
>>>> For example in the photoz example, how can I give access to my albums
>>>> to another user?
>>>> What would be the mechanism?
>>>>
>>>> Thanks a lot
>>>> Corentin
>>>>
>>>
>>>
>>
>
12:22 p.m.
New subject: Authorization transfer
On Tue, Nov 21, 2017 at 7:13 PM, Corentin Dupont <corentin.dupont(a)gmail.com>
wrote:
In parallel with the domains authorizations, I have other policies,
such
as "owner" policies (similar to the photoz example).
I coded the owner policy with javascript:
var context = $evaluation.getContext();
var permission = $evaluation.getPermission();
var identity = context.getIdentity();
if (identity.id == permission.getResource().getOwner()) {
$evaluation.grant();
}
But it leads to this result when evaluating a user:
Result*: DENY*
Policies:
- *Can access domain
<http://localhost:8080/auth/admin/master/console/#/realms/waziup/clients/0...
decision was *PERMIT* by *UNANIMOUS* decision.
- *Users in domain
<http://localhost:8080/auth/admin/master/console/#/realms/waziup/clients/0...
voted to *PERMIT* .
*Can delete MyHouse
<http://localhost:8080/auth/admin/master/console/#/realms/waziup/clients/0...
decision was *DENY* by *UNANIMOUS* decision.
- *owner can access
<http://localhost:8080/auth/admin/master/console/#/realms/waziup/clients/0...
voted to *DENY*.
The two permissions are overlapping, so it seems normal that both got
evaluated.
But why the java policy ("Grant_owner") voted DENY?
I didn't mention explicitly the deny in the code...
By default, if your policy doesn't call either deny or grant, the result is
a DENY.
I think that if you are the owner, you should be granted. But if you
are
not the owner, no decision can be taken by the policy...
You need to check who is the owner of your resource. I guess the "Can
delete MyHouse" is a permission for some "delete" scope you have. Because
you got a DENY, it does not necessarily means that you won`t get the
sub-set of permissions that were granted. When using the Policy Evaluation
Tool, take a look at a link on the results page that is called "Show
Authorization Data". Once you click this link, you will be presented with a
page that shows how a RPT would look like, with the permissions actually
granted during the evaluation.
On Tue, Nov 21, 2017 at 6:54 PM, Corentin Dupont <
corentin.dupont(a)gmail.com> wrote:
>
> I see, so I need to create "mydomain" as a resource.
> But what should be the type for both "mydomain" and "myhouse"?
Should it
> be something like "domain:mydomain"?
>
> What I would like is to grant different access to users to that domain.
> For example: user Bob can only view resources in domain "mydomain".
> User Alice can view and delete resources in "mydomain".
> Should I create a "User Policy" with the list of users that have access?
>
> If I understand, I need to use the "resource-based" permission. However
> it does not seem to let me select the scopes (as in my example: Bob can
> only view, but Alice can delete).
>
> Another question: how to invoke the API for typed resources?
> I have:
> curl -X POST -H "Content-Type: application/json" -H "Authorization:
> Bearer $TOKEN" -d '{
> "permissions" : [
> {
> "resource_set_name" : "Sensors",
> "scopes" : [
> "view"
> ]
> }
> ]
> }'
"http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup"
>
> But this uses the name of the resource, so I am not sure. Is there a
> reference for this API?
>
> Thanks a lot
> PS. I found some minor bugs related to the API, should I report them here
> or create a JIRA?
>
>
>
> On Tue, Nov 21, 2017 at 1:51 PM, Pedro Igor Silva <psilva(a)redhat.com>
> wrote:
>
>> Resources have a *type* field that can be used to group resources.
>> Permissions granted to a "typed resource" (which is created with the
>> resource server itself as the owner) applies to any other resource with the
>> same type and owned by an user. Think about a "typed resource" as a
>> general/parent resource.
>>
>> If you have a "mydomain" typed resource and a "myhouse"
resource,
>> sharing the same type, any permission you apply to "mydomain" is going
to
>> be applied to "myhouse".
>>
>> Does it makes sense ?
>>
>> On Mon, Nov 20, 2017 at 9:10 AM, Corentin Dupont <
>> corentin.dupont(a)gmail.com> wrote:
>>
>>> Thanks for the answer.
>>> My plan is to make authorizations based on groups of resources, that we
>>> call "domains".
>>> Basically, when a user creates a resource, he can decide to put it in
>>> an existing domain.
>>> The URL reflects that domain:
>>>
>>> http://www.example.com/api/v1/domains/mydomain/houses/myhouse
>>>
>>> The user can also create domains with the domains endpoint:
>>>
>>> POST http://www.example.com/api/v1/domains/
>>>
>>> What is not clear for me is how users can get access to domains.
>>> Probably users can have an attribute "domains", with the list of
>>> domains they have access to?
>>> Or should a domain be represented in Keycloak as a resource?
>>> In this case, should we create roles to access that domain?
>>> For example, the role "admin-mydomain" ?
>>>
>>> Or should it be implemented with user groups in Keycloak? Or with User
>>> policies?
>>>
>>>
>>>
>>> On Fri, Nov 17, 2017 at 9:06 PM, Pedro Igor Silva <psilva(a)redhat.com>
>>> wrote:
>>>
>>>> Right now you can't do it. This is all about the work we are doing
to
>>>> better support UMA protocol. Soon you'll be able to let your users
to
>>>> manage their resources (and their policies) from Keycloak Account
Service,
>>>> grant and revoke access to other users, authorization flows. We are
really
>>>> missing this.
>>>>
>>>> However, I think you can try to use the Policy Management API. It
>>>> provides a RESTful API that you can use to manage permissions and
policies.
>>>> As an example https://github.com/pedroigor/keycloak/blob/cedc095a9
>>>> c50a1d16482acbbc9876de1730c9fb1/testsuite/integration-arquil
>>>> lian/tests/base/src/test/java/org/keycloak/testsuite/admin/c
>>>> lient/authorization/UserPolicyManagementTest.java. There are other
>>>> tests in the same package for other permission and policy types.
>>>>
>>>> Please, let me know about your achievements if you start doing
>>>> something with the Policy Management API. Any feedback is welcome and
will
>>>> probably help with the work I mentioned before around UMA.
>>>>
>>>> On Fri, Nov 17, 2017 at 4:59 PM, Corentin Dupont <
>>>> corentin.dupont(a)gmail.com> wrote:
>>>>
>>>>> Hi guys,
>>>>> is it possible for an application user to grant some authorizations
>>>>> to another user?
>>>>> For example in the photoz example, how can I give access to my
albums
>>>>> to another user?
>>>>> What would be the mechanism?
>>>>>
>>>>> Thanks a lot
>>>>> Corentin
>>>>>
>>>>
>>>>
>>>
>>
>
12:14 p.m.
New subject: Authorization transfer
On Tue, Nov 21, 2017 at 3:54 PM, Corentin Dupont <corentin.dupont(a)gmail.com>
wrote:
I see, so I need to create "mydomain" as a resource.
But what should be the type for both "mydomain" and "myhouse"? Should
it
be something like "domain:mydomain"?
You can use whatever value you want ...
What I would like is to grant different access to users to that domain.
For example: user Bob can only view resources in domain "mydomain".
User Alice can view and delete resources in "mydomain".
Should I create a "User Policy" with the list of users that have access?
A user or group policy should do the trick.
If I understand, I need to use the "resource-based" permission. However it
does not seem to let me select the scopes (as in my example: Bob can only
view, but Alice can delete).
If you have permissions that should be applied to scopes, you need
scope-based permissions in order to tell the resource and scope you are
protecting.
I think we have a similar situation in that photoz example. If you take a
look there, there is a Delete Album Permission that by default grants
"delete" scope for resource owners and admin users. In this case, the
delete scope has its own permission. In case you want to change the
permission and only allow resource owners to delete resources, you just
remove from the permission the policy that grants access to admin users.
Note that whatever owned by an user, the permission will be applied even
though defined by the general/common "Album" resource and "delete"
scope.
Another question: how to invoke the API for typed resources?
I have:
curl -X POST -H "Content-Type: application/json" -H "Authorization:
Bearer
$TOKEN" -d '{
"permissions" : [
{
"resource_set_name" : "Sensors",
"scopes" : [
"view"
]
}
]
}' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup"
But this uses the name of the resource, so I am not sure. Is there a
reference for this API?
Only what we have in docs, which can be always improved.
But in a nutshell, there is no difference when asking permissions for a
typed resource. You just send the name of the resource (typed or not) that
you want to get permissions and KC takes care of the rest.
Thanks a lot
PS. I found some minor bugs related to the API, should I report them here
or create a JIRA?
Yeah, please.
On Tue, Nov 21, 2017 at 1:51 PM, Pedro Igor Silva <psilva(a)redhat.com>
wrote:
> Resources have a *type* field that can be used to group resources.
> Permissions granted to a "typed resource" (which is created with the
> resource server itself as the owner) applies to any other resource with the
> same type and owned by an user. Think about a "typed resource" as a
> general/parent resource.
>
> If you have a "mydomain" typed resource and a "myhouse" resource,
sharing
> the same type, any permission you apply to "mydomain" is going to be
> applied to "myhouse".
>
> Does it makes sense ?
>
> On Mon, Nov 20, 2017 at 9:10 AM, Corentin Dupont <
> corentin.dupont(a)gmail.com> wrote:
>
>> Thanks for the answer.
>> My plan is to make authorizations based on groups of resources, that we
>> call "domains".
>> Basically, when a user creates a resource, he can decide to put it in an
>> existing domain.
>> The URL reflects that domain:
>>
>> http://www.example.com/api/v1/domains/mydomain/houses/myhouse
>>
>> The user can also create domains with the domains endpoint:
>>
>> POST http://www.example.com/api/v1/domains/
>>
>> What is not clear for me is how users can get access to domains.
>> Probably users can have an attribute "domains", with the list of
>> domains they have access to?
>> Or should a domain be represented in Keycloak as a resource?
>> In this case, should we create roles to access that domain?
>> For example, the role "admin-mydomain" ?
>>
>> Or should it be implemented with user groups in Keycloak? Or with User
>> policies?
>>
>>
>>
>> On Fri, Nov 17, 2017 at 9:06 PM, Pedro Igor Silva <psilva(a)redhat.com>
>> wrote:
>>
>>> Right now you can't do it. This is all about the work we are doing to
>>> better support UMA protocol. Soon you'll be able to let your users to
>>> manage their resources (and their policies) from Keycloak Account Service,
>>> grant and revoke access to other users, authorization flows. We are really
>>> missing this.
>>>
>>> However, I think you can try to use the Policy Management API. It
>>> provides a RESTful API that you can use to manage permissions and policies.
>>> As an example https://github.com/pedroigor/keycloak/blob/cedc095a9
>>> c50a1d16482acbbc9876de1730c9fb1/testsuite/integration-arquil
>>> lian/tests/base/src/test/java/org/keycloak/testsuite/admin/c
>>> lient/authorization/UserPolicyManagementTest.java. There are other
>>> tests in the same package for other permission and policy types.
>>>
>>> Please, let me know about your achievements if you start doing
>>> something with the Policy Management API. Any feedback is welcome and will
>>> probably help with the work I mentioned before around UMA.
>>>
>>> On Fri, Nov 17, 2017 at 4:59 PM, Corentin Dupont <
>>> corentin.dupont(a)gmail.com> wrote:
>>>
>>>> Hi guys,
>>>> is it possible for an application user to grant some authorizations to
>>>> another user?
>>>> For example in the photoz example, how can I give access to my albums
>>>> to another user?
>>>> What would be the mechanism?
>>>>
>>>> Thanks a lot
>>>> Corentin
>>>>
>>>
>>>
>>
>
2620
days inactive
2621
days old
3 comments
2 participants
participants (2)
-
Corentin Dupont -
Pedro Igor Silva