[aerogear-dev] Admin and Developer roles for UPS

Bruno Oliveira bruno at abstractj.org
Thu Oct 9 00:35:32 EDT 2014


For the fine grained authorization model, Keycloak already implements it
with:

@Path("bananas")
@SecurityDomain("aerogear")
public class BananaService {

    @GET
    @Produces("application/json")
    @RolesAllowed("admin")
    public List<String> getBananas() {
       return something();
    }
}

Is this the correct place to implement the query?
https://github.com/aerogear/aerogear-unifiedpush-server/blob/4641e69362ba677663f56a6c34488b705bac3de9/model/api/src/main/java/org/jboss/aerogear/unifiedpush/dao/PushApplicationDao.java


On 2014-10-08, Bruno Oliveira wrote:
> On 2014-10-08, Matthias Wessendorf wrote:
> > On Wed, Oct 8, 2014 at 6:25 PM, Bruno Oliveira <bruno at abstractj.org> wrote:
> >
> > > On 2014-10-08, Matthias Wessendorf wrote:
> > > > On Wed, Oct 8, 2014 at 5:34 PM, Bruno Oliveira <bruno at abstractj.org> wrote:
> > > >
> > > > > If I understood correctly what we want to achieve tl;dr is:
> > > > >
> > > > > - Include a JPA query on UPS to list all app/variants on UPS
> > > > >
> > > >
> > > > yes
> > > >
> > > >
> > > > > - Introduce fine grained permissions for this query. In this way we
> > > > >   can differentiate admin from developers[1]
> > > > >
> > > >
> > > > the 'how' is tbd;
> > >
> > > I just want to check if my reading is correct and we can start to work
> > > on the "how" with Jiras. If you are fine with it.
> > >
> > > > today we query for the user's own apps/variant:
> > > >
> > > > https://github.com/aerogear/aerogear-unifiedpush-server/blob/master/jaxrs/src/main/java/org/jboss/aerogear/unifiedpush/rest/registry/applications/PushApplicationEndpoint.java#L88
> > > >
> > > > One (simple) option is: the underlying service could do a "select *
> > > > from..." if the role is 'admin'
> > >
> > > Alright. But the query must display that some app "golum" belongs to
> > > "abstractj" and another app with the same name belongs to matzew,
> > > because naming duplication is pretty likely to happen.
> > >
> >
> > yeah, sure. That info is already present on the PushApplication - currently
> > that is just not displayed.
> >
> >
> > >
> > > >
> > > >
> > > > > - Create an interface on UPS to the admin, otherwise the whole
> > > > >   implementation is useless.
> > > > >
> > > >
> > > > what do you mean ?
> > >
> > > If you query the database for all apps created, how do you delete the
> > > application "golum" created by bruno if I have 10 apps named "golum" in
> > > my database?
> > >
> >
> > Ah, ok. I was wondering if you wanted to define some completely new UI :)
> >
> > I had something like this in mind (yes, I am not a designer :))
> > http://people.apache.org/~matzew/AdminViewOnApps.png
>
> The interface design is not a big deal. Would be nice to add some
> filtering to the search:
>
> - search by owner
> - search by variant
> - search by app name
>
>
> >
> > That's just one initial thought. Once we agree on this overall feature, I
> > think we will nail the details of the 'how' in the relevant JIRA subtasks
> > of AGPUSH-697.
> > However I fully agree that we need to apply some tweaks to the existing UI,
> > so that the owner name is visible when the 'admin' is looking at the
> > "application overview" page, like in the screenshot.
>
> Subtasks already created: https://issues.jboss.org/browse/AGPUSH-697
>
>
> >
> >
> > >
> > > That's why I think the minimum for the UPS admin interface must be
> > > defined right now, before starting the whole implementation. What would
> > > you expect to see when you query the whole database?
> > >
> >
> > I thought about adding 'pagination' on the "application overview" page,
> > similar to what we do on the installations.
> >
> > -Matthias
> >
> >
> >
> > >
> > > >
> > > >
> > > > >
> > > > > From my understanding, Keycloak will just manage these users and unless
> > > > > something has changed, we provide the fine grained authorization model on
> > > > > UPS, like we did in the past.
> > > > >
> > > >
> > > > yeah, the users live in Keycloak - we somehow differentiate on the
> > > > role/user if we do a "select all" or just those for the specific user
> > > >
> > > >
> > > > >
> > > > > Am I correct?
> > > > >
> > > > > [1] - http://lists.jboss.org/pipermail/keycloak-dev/2014-May/001851.html
> > > > >
> > > > > On 2014-10-08, Matthias Wessendorf wrote:
> > > > > > Hi,
> > > > > >
> > > > > > as of today, we have a single user (admin), to revisit that we have
> > > > > > AGPUSH-697 (see [1]).
> > > > > >
> > > > > > Based on changes over the months (e.g. new UI and being based on Keycloak),
> > > > > > I have updated our old spec/gist:
> > > > > > https://gist.github.com/matzew/ed0055000a8347488a37
> > > > > >
> > > > > > Greetings,
> > > > > > Matthias
> > > > > >
> > > > > > [1] https://issues.jboss.org/browse/AGPUSH-697
> > > > > >
> > > > > > --
> > > > > > Matthias Wessendorf
> > > > > >
> > > > > > blog: http://matthiaswessendorf.wordpress.com/
> > > > > > sessions: http://www.slideshare.net/mwessendorf
> > > > > > twitter: http://twitter.com/mwessendorf
> > > > >
> > > > > > _______________________________________________
> > > > > > aerogear-dev mailing list
> > > > > > aerogear-dev at lists.jboss.org
> > > > > > https://lists.jboss.org/mailman/listinfo/aerogear-dev
> > > > >
> > > > >
> > > > > --
> > > > >
> > > > > abstractj
> > > > > PGP: 0x84DC9914

--

abstractj
PGP: 0x84DC9914
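
Added example, not part of the original message and not UPS code: a sketch of the role-dependent listing discussed in this thread, where an admin gets the "select all" view with the owner shown and a developer gets only their own apps. The PushApp and Caller types, the ids and the in-memory list standing in for the JPA DAO are all assumptions made for illustration (plain Java 16+, no container); in a deployment the caller's name and roles would come from the container's security context, never from a request parameter.

```java
import java.util.*;
import java.util.stream.*;

// Added illustration: an in-memory list stands in for the JPA-backed DAO.
public class AppVisibilityExample {
    // Hypothetical model: id is unique, name is not; owner is the login name.
    record PushApp(String id, String name, String owner) {}
    // Stand-in for the container's security context (name and roles from the validated token).
    record Caller(String name, Set<String> roles) {
        boolean isAdmin() { return roles.contains("admin"); }
    }

    private final List<PushApp> store = new ArrayList<>();

    AppVisibilityExample(List<PushApp> seed) { store.addAll(seed); }

    // Admin: "select all"; developer: only rows whose owner equals the caller.
    List<PushApp> listApps(Caller caller) {
        return store.stream()
                .filter(a -> caller.isAdmin() || a.owner().equals(caller.name()))
                .sorted(Comparator.comparing(PushApp::name).thenComparing(PushApp::owner))
                .collect(Collectors.toList());
    }

    // Delete by unique id, never by name; the ownership check is repeated on the write path.
    boolean deleteApp(Caller caller, String id) {
        return store.removeIf(a -> a.id().equals(id)
                && (caller.isAdmin() || a.owner().equals(caller.name())));
    }

    public static void main(String[] args) {
        // Constructed sample data: two apps share the name "golum".
        AppVisibilityExample ups = new AppVisibilityExample(List.of(
                new PushApp("id-1", "golum", "abstractj"),
                new PushApp("id-2", "golum", "matzew"),
                new PushApp("id-3", "bananas", "matzew")));
        Caller admin = new Caller("admin", Set.of("admin"));
        Caller dev = new Caller("abstractj", Set.of("developer"));

        System.out.println("developer sees: " + ups.listApps(dev));
        System.out.println("admin sees:     " + ups.listApps(admin));
        // A developer cannot delete another owner's app, even when the id is known.
        System.out.println("dev deletes id-2:   " + ups.deleteApp(dev, "id-2"));
        System.out.println("admin deletes id-2: " + ups.deleteApp(admin, "id-2"));
        System.out.println("after: " + ups.listApps(admin));
    }
}
```

Returning the owner with every row and keying deletion on the id is what keeps same-named apps distinguishable in the admin view.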

