Hi Bill,
First of all, custom IdentityType implementations are targeted for Beta5 and are
related to PLINK-130.
That said and considering what we have today, I would consider mapping applications as
realms. If I understood your use case correctly, each application has its own users,
roles, groups and relationships between them, not visible or accessible by others.
A realm will allow you to organize identity data per application, where you can have
the same user, role and group (with the same loginName or name) between different realms.
Maybe this example application can be useful to demonstrate how to handle different realms
in a multi-tenancy architecture (using realms, only).
https://github.com/pedroigor/jboss-as-quickstart/tree/master/picketlink-a...
Another way to organize identity data is using tiers. Tiers, different than realms,
can be used to store only roles and groups. So, if you want to share users you can use a
single realm to store them and use a specific tier for each application where its specific
roles and groups are located.
The Query API is ready to give you what you want if you use both approaches:
- What roles or groups an application has
- What roles or groups a user is related with
You can get which applications are supported by getting from the
IdentityManagerFactory which realms or tiers are configured.
Regards.
Pedro Igor
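To make the two layouts above concrete, here is an added toy model (my own Python sketch, not PicketLink code or its API) of partitions, identities and grant relationships; the class and function names are assumptions chosen for illustration. It shows that a role named "admin" in two partitions is two distinct identities, that users can only live in realms while tiers hold only roles and groups, and how the two queries (roles of an application, roles of a user) are answered.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Partition:
    name: str
    kind: str  # "realm": users, roles and groups; "tier": roles and groups only

@dataclass(frozen=True)
class Identity:
    kind: str  # "user" or "role" (a group would follow the role pattern)
    name: str
    partition: Partition  # same name in two partitions = two distinct identities

class IdentityStore:
    def __init__(self):
        self.identities = set()
        self.grants = set()  # (user, role) relationships, any partition mix

    def add(self, ident):
        if ident.kind == "user" and ident.partition.kind != "realm":
            raise ValueError("users live in realms; tiers hold only roles and groups")
        self.identities.add(ident)
        return ident

    def grant(self, user, role):
        self.grants.add((user, role))

    def roles_in(self, partition):
        """What roles an application (its realm or tier) has."""
        return sorted(i.name for i in self.identities
                      if i.kind == "role" and i.partition == partition)

    def roles_of(self, user):
        """What roles a user is related with, reported per application."""
        return sorted((r.partition.name, r.name) for u, r in self.grants if u == user)

    def has_role(self, user, role_name, partition):
        return any(u == user and r.name == role_name and r.partition == partition
                   for u, r in self.grants)

def shared_users_with_tiers():
    """Second layout: one realm for users, one tier per application (constructed data)."""
    store = IdentityStore()
    users, app1, app2 = Partition("users", "realm"), Partition("app1", "tier"), Partition("app2", "tier")
    bill = store.add(Identity("user", "bill", users))
    store.grant(bill, store.add(Identity("role", "admin", app1)))
    store.add(Identity("role", "admin", app2))  # a different "admin"; bill is not granted it
    store.add(Identity("role", "viewer", app2))
    return store, bill, app1, app2
```

The realm-per-application layout is the same store with each application as a "realm" partition holding its own copy of the user.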
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: security-dev(a)lists.jboss.org
Sent: Monday, June 10, 2013 8:49:26 PM
Subject: Re: [security-dev] how to model services managed by a realm
I guess an Application would be an Agent. Application role names could
either be scoped, i.e. "ApplicationName.RoleName" or I could generate a
unique id for the Role.getName() and add a special "applicationRoleName"
attribute. Then create a custom relationship between the Application's
Agent and each role.
That sound right? Should I scope the name, or generate a unique id and
add an attribute?
On 6/10/2013 6:28 PM, Bill Burke wrote:
I'm trying to figure out how to do the following scenario with the
IdentityManager API:
* A realm with N users
* A realm which manages X applications
* Each application has Y roles
* Users have role mappings for each of those roles
I'll need to be able to query:
* What are the applications in the realm
* What roles does a service have
* What are the role mappings for each service for a particular user
It looks like a Role only has a name. So, I can't have "admin" role for
each of my services and different role mappings per service. Would I
have to model this as different "partitions"? I see that you can create
"partitions", but how do you create relationships between "partitions"
or share users between partitions?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
security-dev mailing list
security-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev