----- Original Message -----
From: "Darran Lofthouse" <darran.lofthouse(a)jboss.com>
To: "Pedro Igor Silva" <psilva(a)redhat.com>
Cc: security-dev(a)lists.jboss.org
Sent: Friday, June 21, 2013 2:29:18 PM
Subject: Re: [security-dev] PicketLink IDM Relationships and SASL Authorizations
Thank you for the test, Pedro,
I have been able to see how to perform the single queries but the part I
am still thinking about is how we deal with the issue that each of the
two agents could be a member of many groups.
To cross check this could involve many queries.
Yeah, I agree. But usually the IDM data will be cached and this can help.
In a similar way how are the agent to group to role queries handled? If
a user is a member of a group and the group is associated with a role
does the user have that role or does the relationship need to be
manually queried?
Something like this?
https://github.com/picketlink/picketlink/blob/master/modules/idm/tests/sr...
In this test we have the following scenario:
Administrators -> System Administrators
Administrators -> Database Administrators
Agent is the "Manager" of Administrators. So he is also manager of System
and Database Administrators groups.
Regards,
Darran Lofthouse.
On 20/06/13 20:15, Pedro Igor Silva wrote:
> Hi Darran,
>
> I wrote a simple test case to try to satisfy your objectives.
>
> https://gist.github.com/pedroigor/5825698
>
> We can also use custom attributes if you need some kind of metadata for
> each relationship instance.
>
> ----- Original Message -----
> From: "Darran Lofthouse" <darran.lofthouse(a)jboss.com>
> To: security-dev(a)lists.jboss.org
> Sent: Thursday, June 20, 2013 12:27:08 PM
> Subject: [security-dev] PicketLink IDM Relationships and SASL Authorizations
>
> Within SASL there is a capability where during the authentication phase
> the agent being authenticated can request that subsequently they want
> the authorization privileges of another agent.
>
> Loading the identity of the agent being requested is fine but at the
> moment I am looking within PicketLink IDM at how this one agent being
> able to run as another agent can be modeled.
>
> I can see using a custom relationship how it should be fairly easy to
> model a 1:1 mapping of users that can 'impersonate' each other but I have
> a few additional scenarios that could also be needed so wanted to look
> for ideas on how to support all of these simultaneously.
>
> - A single agent can impersonate a single agent.
> - A single agent can impersonate any user that is a member of a
> specified group.
> - A member of a specific group can impersonate a single agent.
> - A member of one group can impersonate an agent of another (or same)
> group.
>
> As mentioned in IRC over the last couple of days, having some form of
> permissions check API in the IDM for the non-AS processes feels like it
> would fit this really well - however at the moment I can perform this
> check outside of any permissions API so I'm just looking for ideas how it
> could be achieved.
>
> Regards,
> Darran Lofthouse.
>
>
> _______________________________________________
> security-dev mailing list
> security-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev
>
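Added example (not part of this thread, and not PicketLink IDM code): a self-contained Python model of the "run-as" check the thread is about. It covers the four impersonation scenarios Darran lists (agent to agent, agent to group, group to agent, group to group) and the group hierarchy from Pedro's test, where a relationship held with Administrators also applies to System Administrators and Database Administrators. It also shows one answer to Darran's concern that cross-checking two agents who are each in many groups could take many queries: both sides are expanded to a set of principals once, and the grants are matched against those sets. All names here (IdentityModel, Grant, can_impersonate, the agents, groups and grants) are assumptions constructed for the example, not PicketLink identifiers.

```python
# Added example: a stand-alone model of the impersonation ("run-as") check.
# It is NOT PicketLink IDM code; the class and method names, and the agents,
# groups and grants below, are constructed for this example.
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Grant:
    """One impersonation relationship. Either side is a principal string:
    'agent:<name>' for a single agent or 'group:<name>' for a whole group."""
    source: str
    target: str


class IdentityModel:
    def __init__(self) -> None:
        self.parents: dict[str, Optional[str]] = {}   # group -> parent group
        self.memberships: dict[str, set[str]] = {}   # agent -> direct groups
        self.grants: set[Grant] = set()

    def add_group(self, name: str, parent: Optional[str] = None) -> None:
        self.parents[name] = parent

    def add_member(self, agent: str, group: str) -> None:
        if group not in self.parents:
            raise KeyError(f"unknown group {group!r}")
        self.memberships.setdefault(agent, set()).add(group)

    def grant(self, source: str, target: str) -> None:
        # Validate both principals so a typo cannot silently create a dead grant.
        for p in (source, target):
            kind, _, name = p.partition(":")
            if kind not in ("agent", "group") or not name:
                raise ValueError(f"bad principal {p!r}")
            if kind == "group" and name not in self.parents:
                raise KeyError(f"unknown group {name!r}")
        self.grants.add(Grant(source, target))

    def effective_groups(self, agent: str) -> set[str]:
        """Direct groups plus every ancestor, so a relationship held with a
        parent group (Administrators) also covers its subgroups
        (System Administrators, Database Administrators)."""
        result: set[str] = set()
        for g in self.memberships.get(agent, ()):
            cur: Optional[str] = g
            while cur is not None and cur not in result:  # stops on a cycle
                result.add(cur)
                cur = self.parents.get(cur)
        return result

    def principals(self, agent: str) -> set[str]:
        return {f"agent:{agent}"} | {f"group:{g}" for g in self.effective_groups(agent)}

    def authorizing_grant(self, actor: str, target: str) -> Optional[Grant]:
        """Return the grant that lets `actor` run as `target`, or None.
        Instead of one query per (actor group, target group) pair, both sides
        are expanded to principal sets once and matched against all grants."""
        if actor == target:
            # An agent may always act as itself (authorization id == authentication id).
            return Grant(f"agent:{actor}", f"agent:{target}")
        actor_p = self.principals(actor)
        target_p = self.principals(target)
        for g in sorted(self.grants, key=lambda g: (g.source, g.target)):
            if g.source in actor_p and g.target in target_p:
                return g
        return None

    def can_impersonate(self, actor: str, target: str) -> bool:
        return self.authorizing_grant(actor, target) is not None


def build_sample_model() -> IdentityModel:
    """Constructed sample data covering the four scenarios from the thread."""
    m = IdentityModel()
    m.add_group("Administrators")
    m.add_group("System Administrators", parent="Administrators")
    m.add_group("Database Administrators", parent="Administrators")
    m.add_group("Auditors")
    m.add_member("alice", "Database Administrators")
    m.add_member("bob", "System Administrators")
    m.add_member("carol", "Auditors")
    m.grant("agent:svc-backup", "agent:alice")           # 1. agent -> agent
    m.grant("agent:dave", "group:Administrators")        # 2. agent -> group (subgroups included)
    m.grant("group:Auditors", "agent:svc-backup")        # 3. group -> agent
    m.grant("group:System Administrators",
            "group:Database Administrators")             # 4. group -> group
    return m


if __name__ == "__main__":
    model = build_sample_model()
    for actor, target in [("svc-backup", "alice"), ("dave", "alice"),
                          ("carol", "svc-backup"), ("bob", "alice"), ("alice", "bob")]:
        print(f"{actor} -> {target}: {model.authorizing_grant(actor, target)}")
```

Returning the matching grant rather than a bare boolean is deliberate: when a SASL authorization identity is accepted, the decision can be logged with the relationship that justified it, which is what an auditor will ask for later. The same walk over `effective_groups` answers the agent-to-group-to-role question in the thread, since a role attached to Administrators would be resolved for a member of Database Administrators by the same ancestor expansion.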