5:28 p.m.
I'm trying to figure out how to do the following scenario with the
IdentityManager API:
* A realm with N users
* A realm which manages X applications
* Each application has Y roles
* Users have role mappings for each of those roles
I'll need to be able to query:
* What are the applications in the realm
* What roles does a service have
* What are the role mappings for each service for a particular user
It looks like a Role only has a name. So, I can't have "admin" role for
each of my services and different role mappings per service. Would I
have to model this as different "partitions"? I see that you can create
"partitions", but how do you create relationships between "partitions"
or share users between partitions?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
6:49 p.m.
I guess an Application would be an Agent. Application role names could
either be scoped, i.e. "ApplicationName.RoleName" or I could generate a
unique id for the Role.getName() and add a special "applicationRoleName"
attribute. Then create a custom relationship between the Appplication's
Agent and each role.
That sound right? Should I scope the name, or generate a unique id and
add an attribute?
On 6/10/2013 6:28 PM, Bill Burke wrote:
I'm trying to figure out how to do the following scenario with
the
IdentityManager API:
* A realm with N users
* A realm which manages X applications
* Each application has Y roles
* Users have role mappings for each of those roles
I'll need to be able to query:
* What are the applications in the realm
* What roles does a service have
* What are the role mappings for each service for a particular user
It looks like a Role only has a name. So, I can't have "admin" role for
each of my services and different role mappings per service. Would I
have to model this as different "partitions"? I see that you can create
"partitions", but how do you create relationships between
"partitions"
or share users between partitions?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
7:54 p.m.
Hi Bill,
First of all, custom IdentityType implementations are targeted for Beta5 and is
related with PLINK-130.
That said and considering what we have today, I would consider mapping applications as
realms. If I understood your use case correctly, each application has its own users,
roles, groups and relationships between them, not visible or accessible by others.
A realm will allow you to organize identity data per application, where you can have
the same user, role and group (with the same loginName or name) between different realms.
Maybe this example application can be useful to demonstrate how to handle different realms
in a multi-tennancy architecture (using realms, only).
https://github.com/pedroigor/jboss-as-quickstart/tree/master/picketlink-a...
Another way to organize identity data is using tiers. Tiers, different than realms,
can be used to store only roles and groups. So, if you want to share users you can use a
single realm to store them and use a specific tier for each application where its specific
roles and groups are located.
The Query API is ready to give you what you want if you use both approaches:
- What roles or groups an application have
- What roles or groups an user is related with
You can get which applications are supported by getting from the
IdentityManagerFactory which realms or tiers are configured.
Regards.
Pedro Igor
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: security-dev(a)lists.jboss.org
Sent: Monday, June 10, 2013 8:49:26 PM
Subject: Re: [security-dev] how to model services managed by a realm
I guess an Application would be an Agent. Application role names could
either be scoped, i.e. "ApplicationName.RoleName" or I could generate a
unique id for the Role.getName() and add a special "applicationRoleName"
attribute. Then create a custom relationship between the Appplication's
Agent and each role.
That sound right? Should I scope the name, or generate a unique id and
add an attribute?
On 6/10/2013 6:28 PM, Bill Burke wrote:
I'm trying to figure out how to do the following scenario with
the
IdentityManager API:
* A realm with N users
* A realm which manages X applications
* Each application has Y roles
* Users have role mappings for each of those roles
I'll need to be able to query:
* What are the applications in the realm
* What roles does a service have
* What are the role mappings for each service for a particular user
It looks like a Role only has a name. So, I can't have "admin" role for
each of my services and different role mappings per service. Would I
have to model this as different "partitions"? I see that you can create
"partitions", but how do you create relationships between
"partitions"
or share users between partitions?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
security-dev mailing list
security-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev
8:45 p.m.
On 6/10/2013 8:54 PM, Pedro Igor Silva wrote:
Hi Bill,
First of all, custom IdentityType implementations are targeted for Beta5 and is
related with PLINK-130.
I see custom relationship tests.
That said and considering what we have today, I would consider
mapping applications as realms. If I understood your use case correctly, each application
has its own users, roles, groups and relationships between them, not visible or accessible
by others.
I don't think you understood. Each application does not have its own
set of users, but does have its own set of roles. So the Realm manages
a set of users who have access to a set of applications, each of which
has their own set of roles. Think of a set of distributed applications
in a company. You don't want to require registering a user for each one
of these applications, you just want to define one user, then map their
permissions to each application.
A realm will allow you to organize identity data per
application, where you can have the same user, role and group (with the same loginName or
name) between different realms. Maybe this example application can be useful to
demonstrate how to handle different realms in a multi-tennancy architecture (using realms,
only).
https://github.com/pedroigor/jboss-as-quickstart/tree/master/picketlink-a...
Another way to organize identity data is using tiers. Tiers, different than realms,
can be used to store only roles and groups. So, if you want to share users you can use a
single realm to store them and use a specific tier for each application where its specific
roles and groups are located.
If you store your users in a realm, and each application's roles in a
tier, how do you create a role mapping between a role in the tier and
the user in the realm?
Then another problem with your suggestion is, for a given Realm, how do
I find out the associated Tiers? I'm not seeing any examples or code
that allows me to do this.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
9 a.m.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Pedro Igor Silva" <psilva(a)redhat.com>
Cc: security-dev(a)lists.jboss.org
Sent: Monday, June 10, 2013 10:45:00 PM
Subject: Re: [security-dev] how to model services managed by a realm
On 6/10/2013 8:54 PM, Pedro Igor Silva wrote:
> Hi Bill,
>
> First of all, custom IdentityType implementations are targeted for
> Beta5 and is related with PLINK-130.
>
I see custom relationship tests.
Custom relationships are supported, but IdentityTypes not yet.
> That said and considering what we have today, I would consider mapping
> applications as realms. If I understood your use case correctly, each
> application has its own users, roles, groups and relationships
> between them, not visible or accessible by others.
>
I don't think you understood. Each application does not have its own
set of users, but does have its own set of roles. So the Realm manages
a set of users who have access to a set of applications, each of which
has their own set of roles. Think of a set of distributed applications
in a company. You don't want to require registering a user for each one
of these applications, you just want to define one user, then map their
permissions to each application.
I see. I was thinking about each "application" having only a reference for a
single user (same user maps to different accounts in twitter, google and fb, for example).
But this is another scenario.
> A realm will allow you to organize identity data per
application,
> where you can have the same user, role and group (with the same
> loginName or name) between different realms. Maybe this example
> application can be useful to demonstrate how to handle different
> realms in a multi-tennancy architecture (using realms, only).
>
>
https://github.com/pedroigor/jboss-as-quickstart/tree/master/picketlink-a...
>
> Another way to organize identity data is using tiers. Tiers, different
> than realms, can be used to store only roles and groups. So, if you
> want to share users you can use a single realm to store them and use
> a specific tier for each application where its specific roles and
> groups are located.
>
If you store your users in a realm, and each application's roles in a
tier, how do you create a role mapping between a role in the tier and
the user in the realm?
Please, take a look at:
https://github.com/picketlink/picketlink/blob/master/modules/idm/tests/sr...
Then another problem with your suggestion is, for a given Realm, how do
I find out the associated Tiers? I'm not seeing any examples or code
that allows me to do this.
I think we don't support this kind of query. But you can always get all users, groups
or roles for a specific partition.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
9:14 a.m.
On 6/11/2013 10:00 AM, Pedro Igor Silva wrote:
>
> Then another problem with your suggestion is, for a given Realm, how do
> I find out the associated Tiers? I'm not seeing any examples or code
> that allows me to do this.
>
I think we don't support this kind of query. But you can always get all users, groups
or roles for a specific partition.
Maybe create a default Agent within the realm and set an attribute which
contains the related tiers?
Would be nice to be able to associate a tier with a realm and be able to
query to find out which tiers are associated with a realm. Also, it
would be nice to be able to define attributes for a tier or realm. I
guess the only way to do this would again be to create a default Agent
that has the attributes you need to set.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
9:58 a.m.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Pedro Igor Silva" <psilva(a)redhat.com>
Cc: security-dev(a)lists.jboss.org
Sent: Tuesday, June 11, 2013 11:14:05 AM
Subject: Re: [security-dev] how to model services managed by a realm
On 6/11/2013 10:00 AM, Pedro Igor Silva wrote:
>>
>> Then another problem with your suggestion is, for a given Realm, how do
>> I find out the associated Tiers? I'm not seeing any examples or code
>> that allows me to do this.
>>
>
> I think we don't support this kind of query. But you can always get all
> users, groups or roles for a specific partition.
>
Maybe create a default Agent within the realm and set an attribute which
contains the related tiers?
This is possible, but I'm not sure how much this is a workaround :). I think is
better wait for PLINK-130, then you can use your custom identity types to better satisfy
your requirements.
There are other alternatives that I can think of, but none of them looks better then
using tiers for application-specific roles and groups and realms for users. Which does not
fit your requirements, as you said.
Would be nice to be able to associate a tier with a realm and be able
to
query to find out which tiers are associated with a realm. Also, it
would be nice to be able to define attributes for a tier or realm. I
guess the only way to do this would again be to create a default Agent
that has the attributes you need to set.
The main idea behind tiers are to share role/groups between realms. And not tie them to
a specific realm. From the documentation:
"A Tier is a more restrictive type of partition than a realm, as it only allows
groups and roles to
be defined (but not users). A Tier may be used to define a set of application-specific
groups and
roles, which may then be assigned to groups within the same Tier, or to users and groups
within
a separate Realm."
I think I have discussed that with Shane some time ago about attributes on partitions.
Need to recall that. But I agree that partition-scoped attributes can be handy.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10:18 a.m.
On 6/11/2013 10:58 AM, Pedro Igor Silva wrote:
The main idea behind tiers are to share role/groups between
realms. And not tie them to a specific realm. From the documentation:
"A Tier is a more restrictive type of partition than a realm, as it only allows
groups and roles to
be defined (but not users). A Tier may be used to define a set of application-specific
groups and
roles, which may then be assigned to groups within the same Tier, or to users and groups
within
a separate Realm."
I think I have discussed that with Shane some time ago about attributes on
partitions. Need to recall that. But I agree that partition-scoped attributes can be
handy.
Ok, yet another roadblock I've run into is that it seems you cannot
create tiers or realms on the fly. It looks like that all Realms and
Tiers you want to have must be known and pre-configured before you
create the IdentityManagerFactory.
If I understand the code correctly, an IdentityManagerFactory acts as a
cache for all realms and tiers stored under it? So, being able to
add/remote tiers/realms on the fly would be pretty key.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10:33 a.m.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Pedro Igor Silva" <psilva(a)redhat.com>
Cc: security-dev(a)lists.jboss.org
Sent: Tuesday, June 11, 2013 12:18:32 PM
Subject: Re: [security-dev] how to model services managed by a realm
On 6/11/2013 10:58 AM, Pedro Igor Silva wrote:
> The main idea behind tiers are to share role/groups between realms. And
> not tie them to a specific realm. From the documentation:
>
> "A Tier is a more restrictive type of partition than a realm, as it
> only allows groups and roles to
> be defined (but not users). A Tier may be used to define a set of
> application-specific groups and
> roles, which may then be assigned to groups within the same Tier, or to
> users and groups within
> a separate Realm."
>
> I think I have discussed that with Shane some time ago about attributes
> on partitions. Need to recall that. But I agree that partition-scoped
> attributes can be handy.
>
Ok, yet another roadblock I've run into is that it seems you cannot
create tiers or realms on the fly. It looks like that all Realms and
Tiers you want to have must be known and pre-configured before you
create the IdentityManagerFactory.
If I understand the code correctly, an IdentityManagerFactory acts as a
cache for all realms and tiers stored under it? So, being able to
add/remote tiers/realms on the fly would be pretty key.
I'll open a JIRA, would be nice have a feedback from Shane too.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
11:19 a.m.
On 6/11/2013 11:33 AM, Pedro Igor Silva wrote:
> Ok, yet another roadblock I've run into is that it seems you
cannot
> create tiers or realms on the fly. It looks like that all Realms and
> Tiers you want to have must be known and pre-configured before you
> create the IdentityManagerFactory.
>
> If I understand the code correctly, an IdentityManagerFactory acts as a
> cache for all realms and tiers stored under it? So, being able to
> add/remote tiers/realms on the fly would be pretty key.
I'll open a JIRA, would be nice have a feedback from Shane too.
I'm going to take a stab at implementing this. Picketlink IDM is
unusable for me until I have this feature.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10:27 p.m.
Bill,
I'm currently working on some changes that will allow you to create a
custom Partition type, so you'll be able to do something like this:
@IdentityPartition(supportedTypes = {Role.class, Group.class})
public class Application implements Partition {
private String id;
private String name;
// snip getters/setters
}
The supportedTypes member of the annotation allows you to define which
identity types can be persisted in your particular partition implementation.
I'll also be changing the Partition interface to extend AttributedType
(which has getAttribute/setAttribute methods), so it will support
setting arbitrary attribute values for partitions, as well as being able
to declare formal attributes on the partition implementation itself.
I'm a bit unclear about the use case for associating a Realm with Tiers
- could you please elaborate on this?
On 12/06/13 00:14, Bill Burke wrote:
On 6/11/2013 10:00 AM, Pedro Igor Silva wrote:
>> Then another problem with your suggestion is, for a given Realm, how do
>> I find out the associated Tiers? I'm not seeing any examples or code
>> that allows me to do this.
>>
> I think we don't support this kind of query. But you can always get all users,
groups or roles for a specific partition.
>
Maybe create a default Agent within the realm and set an attribute which
contains the related tiers?
Would be nice to be able to associate a tier with a realm and be able to
query to find out which tiers are associated with a realm. Also, it
would be nice to be able to define attributes for a tier or realm. I
guess the only way to do this would again be to create a default Agent
that has the attributes you need to set.
4:05 p.m.
On 6/11/2013 11:27 PM, Shane Bryzak wrote:
Bill,
I'm currently working on some changes that will allow you to create a
custom Partition type, so you'll be able to do something like this:
@IdentityPartition(supportedTypes = {Role.class, Group.class})
public class Application implements Partition {
private String id;
private String name;
// snip getters/setters
}
Will what you're working on allow you to create partitions on the fly?
Right now, tiers and realms must be preknown and fixed for the lifetime
of the IdentityManagerFactory. I just finished some work to allow File
and JPA-based stores to be able to create and find partitions and was
about to submit a pull request.
The supportedTypes member of the annotation allows you to define
which
identity types can be persisted in your particular partition implementation.
I'll also be changing the Partition interface to extend AttributedType
(which has getAttribute/setAttribute methods), so it will support
setting arbitrary attribute values for partitions, as well as being able
to declare formal attributes on the partition implementation itself.
I'm a bit unclear about the use case for associating a Realm with Tiers
- could you please elaborate on this?
There is a company-wide set of users. This is the Realm. A company has
a set of distributed applications, each of these applications has their
own role sets. I want to assign role mappings from the realm, to each
one of these applications.
From a management perspective you'll want to be able to manage all
application user-role mappings from a specific Realm, or add/remove
roles from an application. To be able to do this, you need to know
which applications are managed by the Realm.
Also, I want to be able to create a token for an individual
authenticated user that contains role mappings for each application
within the realm.
All this needs to work in a SaaS model, where multiple realms can be
created and managed.
Pedro suggested that I model each Application as a Tier, but I'm having
doubts about this because LDAP doesn't currently support the notion of a
partition. Maybe I could federate this? Store username/credentials in
the company's LDAP store, but store application, roles, and role
mappings within a local store? Is this type of application data even
stored in LDAP in reality?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
5:20 p.m.
On 13/06/13 07:05, Bill Burke wrote:
On 6/11/2013 11:27 PM, Shane Bryzak wrote:
> Bill,
>
> I'm currently working on some changes that will allow you to create a
> custom Partition type, so you'll be able to do something like this:
>
> @IdentityPartition(supportedTypes = {Role.class, Group.class})
> public class Application implements Partition {
> private String id;
> private String name;
>
> // snip getters/setters
> }
>
Will what you're working on allow you to create partitions on the fly?
Right now, tiers and realms must be preknown and fixed for the lifetime
of the IdentityManagerFactory. I just finished some work to allow File
and JPA-based stores to be able to create and find partitions and was
about to submit a pull request.
Yes, it was an oversight that this isn't already supported and Pedro has
raised a JIRA issue [1] to track it. It is essentially a configuration
issue and we'll likely support it via the IdentityManagerFactory interface.
> The supportedTypes member of the annotation allows you to define which
> identity types can be persisted in your particular partition implementation.
>
> I'll also be changing the Partition interface to extend AttributedType
> (which has getAttribute/setAttribute methods), so it will support
> setting arbitrary attribute values for partitions, as well as being able
> to declare formal attributes on the partition implementation itself.
>
> I'm a bit unclear about the use case for associating a Realm with Tiers
> - could you please elaborate on this?
>
There is a company-wide set of users. This is the Realm. A company has
a set of distributed applications, each of these applications has their
own role sets. I want to assign role mappings from the realm, to each
one of these applications.
From a management perspective you'll want to be able to manage all
application user-role mappings from a specific Realm, or add/remove
roles from an application. To be able to do this, you need to know
which applications are managed by the Realm.
This is already possible without an
association between the Realm and
the Application, however we can probably add support for associations
between partitions if you think it will be a useful feature.
Also, I want to be able to create a token for an individual
authenticated user that contains role mappings for each application
within the realm.
I would probably implement this by storing the actual token values as an
attribute of the User, and then using the relationships API to define
the role mappings:
public class TokenRole extends AbstractAttributedType implements
Relationship {
// User
private User user;
// Application role that this token applies to
private Role role;
private String tokenCode;
// snip getters/setters
}
You would then execute a relationship query to determine which
application roles the user has assigned for a particular token.
All this needs to work in a SaaS model, where multiple realms can be
created and managed.
Pedro suggested that I model each Application as a Tier, but I'm having
doubts about this because LDAP doesn't currently support the notion of a
partition. Maybe I could federate this? Store username/credentials in
the company's LDAP store, but store application, roles, and role
mappings within a local store? Is this type of application data even
stored in LDAP in reality?
As previous, I would create a custom Application partition type and not
try to shoe-horn it into an existing type. I agree about LDAP, it's not
designed for multi-partition support and federating is the way to
achieve what you're describing. You could store just the basic user
data in LDAP and everything else in a JPA or JDBC store, just like you say.
[1] https://issues.jboss.org/browse/PLINK-189
4180
days inactive
4182
days old
12 comments
3 participants
participants (3)
-
Bill Burke -
Pedro Igor Silva -
Shane Bryzak