[aerogear-dev] [Unified Push Server] Roles structure & password management

Apostolos Emmanouilidis aemmanou at redhat.com
Wed Nov 6 05:47:00 EST 2013


I apologize for sending a second e-mail. I just wanted to make my opinion
clearer.

I think that we should have roles which represent duties:

e.g. CreateVariant, DeleteVariant, CreatePushApplication, CreateUser,
etc.

Each of these duties could be assigned to or removed from a user. Having
roles like "developer" or "simple" which contain "hidden" duties creates
risk. The ability to create users with specific duties is what spreads
the risk. This way, the developers won't modify the role annotations in
UPS source code, since they will have the ability to create a user with
the desired duties. If specific duties like CreateVariant are too
fine-grained, we could unify duties into VariantManagement,
UserManagement, etc.


On Wed, 2013-11-06 at 10:33 +0100, Apostolos Emmanouilidis wrote:

> In general, it is very hard to detect an improperly protected REST
> endpoint. Using least privilege principles could improve the control.
> Regarding the roles, how could someone create a new admin user? Having
> one and only one admin user with all access rights is a security
> vulnerability itself. If the same admin credentials are shared between
> several people/administrators, it will be almost impossible to detect
> which one was compromised.
> 
> In conclusion, my opinion is that:
> 
> 1. Logging the endpoint accessibility is a must: e.g. DateTime: User
> [admin] with roles [admin] accessed createUser endpoint
> 2. Roles should be based on delegation of duties. "developer" or
> "simple" roles do not reflect any duties, and it's hard to guess their
> duties without reading the documentation. Of course, delegation of
> duties (e.g. having a UserManagement role and the ability to assign it)
> will make the role-based access management part of AeroGear Unified
> Push Server much more complex. However, this will spread the risk of
> having a single admin user with all rights.
> 
> 
> On Tue, 2013-11-05 at 16:34 +0100, Sebastien Blanc wrote:
> 
> > -admin : can do all the CRUD operations + creating/deleting users
> > The default user (admin/123) should have the "admin" role
> 
> > Users created by the admin can have the role developer or simple
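The duty-based scheme argued for in this thread (duties granted and revoked per user, coarser "unified" duties bundling fine-grained ones, and an audit line written for every endpoint access), sketched as an added example; this is constructed illustration code, not AeroGear Unified Push Server code, and the endpoint and duty names are taken from the discussion above.

```python
from datetime import datetime, timezone

# Constructed example of duty-based authorization (not UPS code).
# A "unified" duty bundles several fine-grained duties, as the thread suggests.
UNIFIED_DUTIES = {
    "VariantManagement": {"CreateVariant", "DeleteVariant"},
    "UserManagement": {"CreateUser", "DeleteUser"},
}

# Each protected endpoint names exactly the duty it requires,
# so nobody has to read documentation to learn what a role permits.
ENDPOINT_DUTY = {
    "createVariant": "CreateVariant",
    "deleteVariant": "DeleteVariant",
    "createPushApplication": "CreatePushApplication",
    "createUser": "CreateUser",
}


def expand(duties):
    """Flatten unified duties into the fine-grained duties they contain."""
    flat = set()
    for duty in duties:
        flat |= UNIFIED_DUTIES.get(duty, {duty})
    return flat


class DutyStore:
    """Per-user duty assignment; duties are granted and revoked one by one."""

    def __init__(self):
        self.users = {}   # user name -> set of assigned duties
        self.audit = []   # one line per endpoint access, allowed or denied

    def grant(self, user, duty):
        self.users.setdefault(user, set()).add(duty)

    def revoke(self, user, duty):
        self.users.get(user, set()).discard(duty)

    def access(self, user, endpoint):
        """Decide whether user may call endpoint; always write an audit line."""
        required = ENDPOINT_DUTY[endpoint]
        held = self.users.get(user, set())
        allowed = required in expand(held)
        self.audit.append("%s: User [%s] with duties [%s] %s %s endpoint" % (
            datetime.now(timezone.utc).isoformat(), user, ",".join(sorted(held)),
            "accessed" if allowed else "was denied", endpoint))
        return allowed
```

Because the audit line records the duties the caller actually held, a denied call to createUser by a user holding only VariantManagement is visible in the log rather than silently swallowed.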

