7:17 a.m.
Hi folks,
UMA seems to be a great solution to model fine grained permissions and allow
scenarios such as "Alice shares Folder X with Bob".
Keycloak seems to implement this well with APIs for the resource server to
ask "Given [User] and [Folder X], can the user do [Scope]?" and provide
answers for both Alice and Bob based on some policy.
Where I'm struggling is that our application also needs to provide answer
"Given [User], which folders can they do [Scope] to?" and I'm not clear how
best to achieve this with Keycloak.
A. Track which folders a user owns or can access and answer the
question directly in the resource server, but that results in the resource
server having a rigid model of the authorization rules and loses the
benefits of Keycloak's flexible policies (or duplicates the policy which
seems just as bad).
B. Have the resource server chose some subset of all folders and ask
Keycloak to validate each resource, but that becomes very chatty and slow
when there are 1000s of resources to validate.
C. Just ask Keycloak to validate all resources and just return those
the user can access, but that's also potentially slow with 1000s of
resources to validate and 100s accessible.
a. As above but with additional filtering by resource type to trim the
options.
b. As above but with additional filtering by attributes (e.g. where
property:owner = "Alice")
c. As above but with a full blown query language (e.g. "WHERE
type=Folder AND (property:owner=Alice OR property:sharedwith contains Alice)
D. .?
I was expecting some variant of C to be the recommended way forward but I
can't find the relevant APIs (even without filtering). What's the best way
to model such a (presumably common) scenario?
Thanks,
Rob
7:35 a.m.
Hi,
We have an API that allows you to resources shared to a specific user if
the access was granted based on the standard UMA flow (using permission
tickets). The Keycloak AuthZ Java Client [1] provides access to this API.
[1]
https://github.com/keycloak/keycloak/blob/76076cdb3c5d7f83084b6794707b11e...
On Thu, Mar 7, 2019 at 10:21 AM <roxspring(a)imapmail.org> wrote:
Hi folks,
UMA seems to be a great solution to model fine grained permissions and
allow
scenarios such as "Alice shares Folder X with Bob".
Keycloak seems to implement this well with APIs for the resource server to
ask "Given [User] and [Folder X], can the user do [Scope]?" and provide
answers for both Alice and Bob based on some policy.
Where I'm struggling is that our application also needs to provide answer
"Given [User], which folders can they do [Scope] to?" and I'm not clear
how
best to achieve this with Keycloak.
A. Track which folders a user owns or can access and answer the
question directly in the resource server, but that results in the resource
server having a rigid model of the authorization rules and loses the
benefits of Keycloak's flexible policies (or duplicates the policy which
seems just as bad).
B. Have the resource server chose some subset of all folders and ask
Keycloak to validate each resource, but that becomes very chatty and slow
when there are 1000s of resources to validate.
C. Just ask Keycloak to validate all resources and just return those
the user can access, but that's also potentially slow with 1000s of
resources to validate and 100s accessible.
a. As above but with additional filtering by resource type to trim the
options.
b. As above but with additional filtering by attributes (e.g. where
property:owner = "Alice")
c. As above but with a full blown query language (e.g. "WHERE
type=Folder AND (property:owner=Alice OR property:sharedwith contains
Alice)
D. .?
I was expecting some variant of C to be the recommended way forward but I
can't find the relevant APIs (even without filtering). What's the best way
to model such a (presumably common) scenario?
Thanks,
Rob
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
8:46 a.m.
Thanks Pedro – that gives me something to try out!
(Turns out I was using an old client and didn’t have that API available… time for some
upgrades!)
From: Pedro Igor Silva <psilva(a)redhat.com>
Sent: 07 March 2019 13:36
To: roxspring(a)imapmail.org
Cc: keycloak-user <keycloak-user(a)lists.jboss.org>
Subject: Re: [keycloak-user] Listing the UMA resources accessible by a user
Hi,
We have an API that allows you to resources shared to a specific user if the access was
granted based on the standard UMA flow (using permission tickets). The Keycloak AuthZ Java
Client [1] provides access to this API.
[1]
https://github.com/keycloak/keycloak/blob/76076cdb3c5d7f83084b6794707b11e...
On Thu, Mar 7, 2019 at 10:21 AM <roxspring(a)imapmail.org
<mailto:roxspring@imapmail.org> > wrote:
Hi folks,
UMA seems to be a great solution to model fine grained permissions and allow
scenarios such as "Alice shares Folder X with Bob".
Keycloak seems to implement this well with APIs for the resource server to
ask "Given [User] and [Folder X], can the user do [Scope]?" and provide
answers for both Alice and Bob based on some policy.
Where I'm struggling is that our application also needs to provide answer
"Given [User], which folders can they do [Scope] to?" and I'm not clear how
best to achieve this with Keycloak.
A. Track which folders a user owns or can access and answer the
question directly in the resource server, but that results in the resource
server having a rigid model of the authorization rules and loses the
benefits of Keycloak's flexible policies (or duplicates the policy which
seems just as bad).
B. Have the resource server chose some subset of all folders and ask
Keycloak to validate each resource, but that becomes very chatty and slow
when there are 1000s of resources to validate.
C. Just ask Keycloak to validate all resources and just return those
the user can access, but that's also potentially slow with 1000s of
resources to validate and 100s accessible.
a. As above but with additional filtering by resource type to trim the
options.
b. As above but with additional filtering by attributes (e.g. where
property:owner = "Alice")
c. As above but with a full blown query language (e.g. "WHERE
type=Folder AND (property:owner=Alice OR property:sharedwith contains Alice)
D. .?
I was expecting some variant of C to be the recommended way forward but I
can't find the relevant APIs (even without filtering). What's the best way
to model such a (presumably common) scenario?
Thanks,
Rob
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
11:34 a.m.
Using a modern API client definitely improves things but I'm struggling to see how
this scales.
If there are 1000+ of resources then the policy seems to have to load each in turn for the
policy to execute (at least according to the Java and JavaScript Policy Evaluation API).
Presumably running a Java policy will be faster than the JavaScript ones I've played
with but fundamentally there's a lot of database access.
Do other built in policies get to use SQL filters and indexes to operate at database
speed? - perhaps I need to restrict myself to those sorts of policies to handle large
numbers of resources??
Or for 1000+ of resources am I better off having my resource server take control of
ownership and not using UMA for it at all?
Keycloak's UMA appears to offers great flexibility, and is great when you already know
the resources, but falls down for resource discovery. Or am I missing something?
I'm curious to know of other people's experience with Keycloak UMA + scale!
Thanks,
Rob
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-
bounces(a)lists.jboss.org> On Behalf Of roxspring(a)imapmail.org
Sent: 07 March 2019 14:47
To: 'Pedro Igor Silva' <psilva(a)redhat.com>
Cc: 'keycloak-user' <keycloak-user(a)lists.jboss.org>
Subject: Re: [keycloak-user] Listing the UMA resources accessible by a user
Thanks Pedro – that gives me something to try out!
(Turns out I was using an old client and didn’t have that API available… time for
some upgrades!)
From: Pedro Igor Silva <psilva(a)redhat.com>
Sent: 07 March 2019 13:36
To: roxspring(a)imapmail.org
Cc: keycloak-user <keycloak-user(a)lists.jboss.org>
Subject: Re: [keycloak-user] Listing the UMA resources accessible by a user
Hi,
We have an API that allows you to resources shared to a specific user if the
access was granted based on the standard UMA flow (using permission tickets).
The Keycloak AuthZ Java Client [1] provides access to this API.
[1]
https://github.com/keycloak/keycloak/blob/76076cdb3c5d7f83084b6794707b1
1e8b1a499c6/authz/client/src/main/java/org/keycloak/authorization/client/res
ource/PermissionResource.java#L197
On Thu, Mar 7, 2019 at 10:21 AM <roxspring(a)imapmail.org
<mailto:roxspring@imapmail.org> > wrote:
Hi folks,
UMA seems to be a great solution to model fine grained permissions and allow
scenarios such as "Alice shares Folder X with Bob".
Keycloak seems to implement this well with APIs for the resource server to ask
"Given [User] and [Folder X], can the user do [Scope]?" and provide answers
for
both Alice and Bob based on some policy.
Where I'm struggling is that our application also needs to provide answer
"Given
[User], which folders can they do [Scope] to?" and I'm not clear how best to
achieve this with Keycloak.
A. Track which folders a user owns or can access and answer the
question directly in the resource server, but that results in the resource server
having a rigid model of the authorization rules and loses the benefits of
Keycloak's flexible policies (or duplicates the policy which seems just as bad).
B. Have the resource server chose some subset of all folders and ask
Keycloak to validate each resource, but that becomes very chatty and slow
when there are 1000s of resources to validate.
C. Just ask Keycloak to validate all resources and just return those
the user can access, but that's also potentially slow with 1000s of resources to
validate and 100s accessible.
a. As above but with additional filtering by resource type to trim the
options.
b. As above but with additional filtering by attributes (e.g. where
property:owner = "Alice")
c. As above but with a full blown query language (e.g. "WHERE
type=Folder AND (property:owner=Alice OR property:sharedwith contains Alice)
D. .?
I was expecting some variant of C to be the recommended way forward but I
can't find the relevant APIs (even without filtering). What's the best way to
model such a (presumably common) scenario?
Thanks,
Rob
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
12:49 p.m.
On Wed, Mar 20, 2019 at 1:35 PM <roxspring(a)imapmail.org> wrote:
Using a modern API client definitely improves things but I'm
struggling to
see how this scales.
If there are 1000+ of resources then the policy seems to have to load each
in turn for the policy to execute (at least according to the Java and
JavaScript Policy Evaluation API). Presumably running a Java policy will be
faster than the JavaScript ones I've played with but fundamentally there's
a lot of database access.
Do other built in policies get to use SQL filters and indexes to
operate
at database speed? - perhaps I need to restrict myself to those sorts of
policies to handle large numbers of resources??
Or for 1000+ of resources am I better off having my resource server
take
control of ownership and not using UMA for it at all?
Resources are loaded depending on the requested permissions. And yeah, JS
is using Nashorn and it is indeed slower than other policy types. You
should not see a lot of database access though as we cache entries such as
resources, permissions and policies. Authorization requests should benefit
from this cache once it is hot.
When doing UMA you usually make authorization requests for a single
resource (the one you received the ticket from the resource server
response). And evaluation should be fast. The same goes if you make
authorization requests for specific resources.
During evaluation the engine also tries to avoid re-evaluating policies
that were already processed for a given resource or scopes.
Keycloak's UMA appears to offers great flexibility, and is great when you
already know the resources, but falls down for resource discovery. Or am I
missing something?
Yeah, you are right. Although we allow you to query permissions based on
resource names and scopes. In case your client is aware of the resources
and scopes protected by the RS.
I'm curious to know of other people's experience with Keycloak UMA + scale!
Thanks,
Rob
> -----Original Message-----
> From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-
> bounces(a)lists.jboss.org> On Behalf Of roxspring(a)imapmail.org
> Sent: 07 March 2019 14:47
> To: 'Pedro Igor Silva' <psilva(a)redhat.com>
> Cc: 'keycloak-user' <keycloak-user(a)lists.jboss.org>
> Subject: Re: [keycloak-user] Listing the UMA resources accessible by a
user
>
> Thanks Pedro – that gives me something to try out!
>
>
>
> (Turns out I was using an old client and didn’t have that API available…
time for
> some upgrades!)
>
>
>
> From: Pedro Igor Silva <psilva(a)redhat.com>
> Sent: 07 March 2019 13:36
> To: roxspring(a)imapmail.org
> Cc: keycloak-user <keycloak-user(a)lists.jboss.org>
> Subject: Re: [keycloak-user] Listing the UMA resources accessible by a
user
>
>
>
> Hi,
>
>
>
> We have an API that allows you to resources shared to a specific user if
the
> access was granted based on the standard UMA flow (using permission
tickets).
> The Keycloak AuthZ Java Client [1] provides access to this API.
>
>
>
> [1]
> https://github.com/keycloak/keycloak/blob/76076cdb3c5d7f83084b6794707b1
>
1e8b1a499c6/authz/client/src/main/java/org/keycloak/authorization/client/res
> ource/PermissionResource.java#L197
>
>
>
> On Thu, Mar 7, 2019 at 10:21 AM <roxspring(a)imapmail.org
> <mailto:roxspring@imapmail.org> > wrote:
>
> Hi folks,
>
>
>
> UMA seems to be a great solution to model fine grained permissions and
allow
> scenarios such as "Alice shares Folder X with Bob".
>
>
>
> Keycloak seems to implement this well with APIs for the resource server
to ask
> "Given [User] and [Folder X], can the user do [Scope]?" and provide
answers for
> both Alice and Bob based on some policy.
>
>
>
> Where I'm struggling is that our application also needs to provide
answer "Given
> [User], which folders can they do [Scope] to?" and I'm not clear how
best to
> achieve this with Keycloak.
>
>
>
> A. Track which folders a user owns or can access and answer the
> question directly in the resource server, but that results in the
resource server
> having a rigid model of the authorization rules and loses the benefits of
> Keycloak's flexible policies (or duplicates the policy which seems just
as bad).
> B. Have the resource server chose some subset of all folders and ask
> Keycloak to validate each resource, but that becomes very chatty and slow
> when there are 1000s of resources to validate.
> C. Just ask Keycloak to validate all resources and just return those
> the user can access, but that's also potentially slow with 1000s of
resources to
> validate and 100s accessible.
>
> a. As above but with additional filtering by resource type to trim
the
> options.
> b. As above but with additional filtering by attributes (e.g. where
> property:owner = "Alice")
> c. As above but with a full blown query language (e.g. "WHERE
> type=Folder AND (property:owner=Alice OR property:sharedwith contains
Alice)
>
> D. .?
>
>
>
> I was expecting some variant of C to be the recommended way forward but I
> can't find the relevant APIs (even without filtering). What's the best
way to
> model such a (presumably common) scenario?
>
>
>
> Thanks,
>
>
>
> Rob
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
2576
days inactive
2589
days old
4 comments
2 participants
participants (2)
-
Pedro Igor Silva -
roxspring@imapmail.org