----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Pedro Igor Silva" <psilva(a)redhat.com>
Cc: security-dev(a)lists.jboss.org
Sent: Monday, June 10, 2013 10:45:00 PM
Subject: Re: [security-dev] how to model services managed by a realm
On 6/10/2013 8:54 PM, Pedro Igor Silva wrote:
> Hi Bill,
>
> First of all, custom IdentityType implementations are targeted for
> Beta5 and are related to PLINK-130.
>
I see custom relationship tests.
Custom relationships are supported, but IdentityTypes not yet.
> That said and considering what we have today, I would consider mapping
> applications as realms. If I understood your use case correctly, each
> application has its own users, roles, groups and relationships
> between them, not visible or accessible by others.
>
I don't think you understood. Each application does not have its own
set of users, but does have its own set of roles. So the Realm manages
a set of users who have access to a set of applications, each of which
has its own set of roles. Think of a set of distributed applications
in a company. You don't want to require registering a user for each one
of these applications, you just want to define one user, then map their
permissions to each application.
I see. I was thinking about each "application" having only a reference for a
single user (same user maps to different accounts in twitter, google and fb, for example).
But this is another scenario.
> A realm will allow you to organize identity data per
> application,
> where you can have the same user, role and group (with the same
> loginName or name) between different realms. Maybe this example
> application can be useful to demonstrate how to handle different
> realms in a multi-tenancy architecture (using realms, only).
>
> https://github.com/pedroigor/jboss-as-quickstart/tree/master/picketlink-a...
>
> Another way to organize identity data is using tiers. Tiers, different
> than realms, can be used to store only roles and groups. So, if you
> want to share users you can use a single realm to store them and use
> a specific tier for each application where its specific roles and
> groups are located.
>
If you store your users in a realm, and each application's roles in a
tier, how do you create a role mapping between a role in the tier and
the user in the realm?
Please, take a look at:
https://github.com/picketlink/picketlink/blob/master/modules/idm/tests/sr...
Then another problem with your suggestion is, for a given Realm, how do
I find out the associated Tiers? I'm not seeing any examples or code
that allows me to do this.
I think we don't support this kind of query. But you can always get all users, groups
or roles for a specific partition.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
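A sketch of the realm-plus-tier layout discussed in the thread (one realm holding the shared users, one tier per application holding that application's roles, and the Grant relationship linking a realm user to a tier role). This is an added example, not code from the thread or from the PicketLink project; it is written against the PicketLink 2.5-series IDM API (PartitionManager, Realm, Tier, BasicModel.grantRole/hasRole, IdentityConfigurationBuilder), which is assumed here and may differ from the Beta-era API the thread refers to. The partition names and the file-backed store configuration are constructed for illustration.

```java
import org.picketlink.idm.IdentityManager;
import org.picketlink.idm.PartitionManager;
import org.picketlink.idm.RelationshipManager;
import org.picketlink.idm.config.IdentityConfigurationBuilder;
import org.picketlink.idm.internal.DefaultPartitionManager;
import org.picketlink.idm.model.basic.BasicModel;
import org.picketlink.idm.model.basic.Realm;
import org.picketlink.idm.model.basic.Role;
import org.picketlink.idm.model.basic.Tier;
import org.picketlink.idm.model.basic.User;

// Added example (assumed 2.5-series API), not code from the thread or the project.
public class RealmAndTierExample {

    public static void main(String[] args) {
        // File-backed store so the example needs no database (assumed builder API).
        IdentityConfigurationBuilder builder = new IdentityConfigurationBuilder();
        builder.named("default").stores().file().supportAllFeatures();
        PartitionManager partitionManager = new DefaultPartitionManager(builder.buildAll());

        // One realm holds the company's users; each application gets its own tier for roles.
        // Partition names below are constructed for this example.
        Realm company = new Realm("company");
        Tier billingApp = new Tier("billing-app");
        Tier reportingApp = new Tier("reporting-app");
        partitionManager.add(company);
        partitionManager.add(billingApp);
        partitionManager.add(reportingApp);

        // The user is registered once, in the realm, not once per application.
        IdentityManager realmIdm = partitionManager.createIdentityManager(company);
        User alice = new User("alice");
        realmIdm.add(alice);

        // Roles live in the application's tier; the same role name may exist in several tiers
        // and remains a distinct role in each.
        IdentityManager billingIdm = partitionManager.createIdentityManager(billingApp);
        Role billingAdmin = new Role("admin");
        billingIdm.add(billingAdmin);

        IdentityManager reportingIdm = partitionManager.createIdentityManager(reportingApp);
        Role reportingAdmin = new Role("admin");
        reportingIdm.add(reportingAdmin);

        // The Grant relationship is what ties a realm user to a tier role across partitions.
        RelationshipManager relationshipManager = partitionManager.createRelationshipManager();
        BasicModel.grantRole(relationshipManager, alice, billingAdmin);

        // alice was granted billing's "admin" only; reporting's "admin" is a separate role
        // that was never granted, so the two checks differ.
        boolean billingAccess = BasicModel.hasRole(relationshipManager, alice, billingAdmin);
        boolean reportingAccess = BasicModel.hasRole(relationshipManager, alice, reportingAdmin);
        System.out.println("alice admin in billing-app: " + billingAccess);
        System.out.println("alice admin in reporting-app: " + reportingAccess);

        // Partitions are looked up by name (assumed getPartition signature); there is no
        // realm-to-tier query, so an application has to know its own tier name.
        Tier lookedUp = partitionManager.getPartition(Tier.class, "billing-app");
        System.out.println("found tier: " + lookedUp.getName());
    }
}
```

The point to keep in view when reviewing such a layout is that authorization decisions must always be evaluated against the role in the caller's own tier: a role named "admin" in another application's tier grants nothing here, and a check that resolves roles by name alone, without the partition, would conflate them.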