On 6/10/2013 8:54 PM, Pedro Igor Silva wrote:
> Hi Bill,
> First of all, custom IdentityType implementations are targeted for Beta5 and are
> related to PLINK-130.
I see custom relationship tests.
> That said and considering what we have today, I would consider
> mapping applications as realms. If I understood your use case correctly, each application
> has its own users, roles, groups and relationships between them, not visible or accessible
> by others.
I don't think you understood. Each application does not have its own
set of users, but does have its own set of roles. So the Realm manages
a set of users who have access to a set of applications, each of which
has its own set of roles. Think of a set of distributed applications
in a company. You don't want to require registering a user for each one
of these applications, you just want to define one user, then map their
permissions to each application.
> A realm will allow you to organize identity data per
> application, where you can have the same user, role and group (with the same loginName or
> name) between different realms. Maybe this example application can be useful to
> demonstrate how to handle different realms in a multi-tenancy architecture (using realms,
> only).
> https://github.com/pedroigor/jboss-as-quickstart/tree/master/picketlink-a...
> Another way to organize identity data is using tiers. Tiers, different from realms,
> can be used to store only roles and groups. So, if you want to share users you can use a
> single realm to store them and use a specific tier for each application where its specific
> roles and groups are located.
If you store your users in a realm, and each application's roles in a
tier, how do you create a role mapping between a role in the tier and
the user in the realm?
Then another problem with your suggestion is, for a given Realm, how do
I find out the associated Tiers? I'm not seeing any examples or code
that allows me to do this.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
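The realm/tier split the two messages above argue about, as an added example that is not part of the thread and is not PicketLink code: one Realm holds the shared users, each application gets its own Tier holding that application's roles, and a Grant relationship links a user in the realm to a role in a tier. It shows what Bill asks about, a role mapping that crosses the two partition types, and that the set of tiers associated with a realm can be derived from those grants rather than stored. All class and method names (Realm, Tier, Grant, IdentityStore, grant_role, has_role, tiers_for_realm) and the sample data are this example's own assumptions, chosen to echo the thread's vocabulary, not the PicketLink API.

```python
# Added example, not PicketLink code and not from the thread above.  It models the
# partitioning the thread discusses: one Realm owns the users, one Tier per
# application owns that application's roles, and a Grant relationship links a
# user in the realm to a role in a tier.  All names here are this example's own
# (assumed), chosen to echo the thread's vocabulary; they are not PicketLink's API.
from dataclasses import dataclass


@dataclass(frozen=True)
class Realm:
    """Partition that owns users; shared by every application."""
    name: str


@dataclass(frozen=True)
class Tier:
    """Partition that owns one application's roles and groups."""
    name: str


@dataclass(frozen=True)
class User:
    login_name: str
    realm: Realm


@dataclass(frozen=True)
class Role:
    name: str
    tier: Tier  # two tiers may both hold a role called "admin"; they stay distinct


@dataclass(frozen=True)
class Grant:
    """Relationship crossing partitions: the user lives in a Realm, the role in a Tier."""
    assignee: User
    role: Role


class IdentityStore:
    def __init__(self):
        self._users = {}    # (realm, login_name) -> User
        self._roles = {}    # (tier, role_name)   -> Role
        self._grants = set()

    def add_user(self, realm, login_name):
        key = (realm, login_name)
        if key in self._users:
            raise ValueError(f"user {login_name!r} already exists in realm {realm.name!r}")
        user = User(login_name, realm)
        self._users[key] = user
        return user

    def add_role(self, tier, name):
        key = (tier, name)
        if key in self._roles:
            raise ValueError(f"role {name!r} already exists in tier {tier.name!r}")
        role = Role(name, tier)
        self._roles[key] = role
        return role

    def grant_role(self, user, role):
        """Store the cross-partition mapping: realm user -> tier role."""
        self._grants.add(Grant(user, role))

    def has_role(self, user, role):
        """True only for the exact (user, role-in-that-tier) pair that was granted."""
        return Grant(user, role) in self._grants

    def roles_in_tier(self, user, tier):
        """Role names the user holds inside one application's tier."""
        return sorted(g.role.name for g in self._grants
                      if g.assignee == user and g.role.tier == tier)

    def tiers_for_realm(self, realm):
        """No realm->tier link is stored; the association is derived from the grants,
        which are the only place where the two partition types meet."""
        return sorted({g.role.tier.name for g in self._grants if g.assignee.realm == realm})


def build_example():
    """Constructed sample data: one company realm, three application tiers."""
    store = IdentityStore()
    corp = Realm("corp")
    crm, billing, hr = Tier("crm"), Tier("billing"), Tier("hr")
    bill = store.add_user(corp, "bill")
    pedro = store.add_user(corp, "pedro")
    crm_admin = store.add_role(crm, "admin")
    billing_admin = store.add_role(billing, "admin")   # same name, different tier
    billing_viewer = store.add_role(billing, "viewer")
    store.add_role(hr, "admin")                         # tier nobody in corp is mapped into
    store.grant_role(bill, crm_admin)
    store.grant_role(pedro, billing_viewer)
    return store, corp, crm, billing, bill, pedro, crm_admin, billing_admin, billing_viewer


if __name__ == "__main__":
    store, corp, crm, billing, bill, *_ = build_example()
    print("bill is admin in crm:", store.has_role(bill, Role("admin", crm)))
    print("bill is admin in billing:", store.has_role(bill, Role("admin", billing)))
    print("tiers reachable from realm corp:", store.tiers_for_realm(corp))
```

The point of keying roles by (tier, name) rather than by name alone is that an "admin" grant in one application cannot be replayed against another application that happens to use the same role name; and since the realm never references its tiers directly, the only way to answer "which tiers belong to this realm" in this model is to walk the grants, which is the gap Bill's last question points at.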