----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Pedro Igor Silva" <psilva(a)redhat.com>
Cc: security-dev(a)lists.jboss.org
Sent: Tuesday, June 11, 2013 11:14:05 AM
Subject: Re: [security-dev] how to model services managed by a realm
On 6/11/2013 10:00 AM, Pedro Igor Silva wrote:
>>
>> Then another problem with your suggestion is, for a given Realm, how do
>> I find out the associated Tiers? I'm not seeing any examples or code
>> that allows me to do this.
>>
>
> I think we don't support this kind of query. But you can always get all
> users, groups or roles for a specific partition.
>
Maybe create a default Agent within the realm and set an attribute which
contains the related tiers?
This is possible, but I'm not sure how much this is a workaround :). I think it is
better to wait for PLINK-130, then you can use your custom identity types to better
satisfy your requirements.
There are other alternatives that I can think of, but none of them looks better than
using tiers for application-specific roles and groups and realms for users. Which does not
fit your requirements, as you said.
Would be nice to be able to associate a tier with a realm and be able to
query to find out which tiers are associated with a realm. Also, it
would be nice to be able to define attributes for a tier or realm. I
guess the only way to do this would again be to create a default Agent
that has the attributes you need to set.
The main idea behind tiers is to share roles/groups between realms. And not tie them to
a specific realm. From the documentation:
"A Tier is a more restrictive type of partition than a realm, as it only allows
groups and roles to be defined (but not users). A Tier may be used to define a set
of application-specific groups and roles, which may then be assigned to groups
within the same Tier, or to users and groups within a separate Realm."
I think I discussed attributes on partitions with Shane some time ago.
Need to recall that. But I agree that partition-scoped attributes can be handy.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com