[jboss-dev-forums] [Design of JBoss Portal] - Re: Initial identity model discussion

bdaw do-not-reply at jboss.com
Wed Aug 29 20:06:09 EDT 2007


Time to push the discussion a little further. I don't have any definitive solutions at the moment, I just want to categorize what needs to be done and introduce some concepts.

I see several categories in this topic:

1) Identity Model - model and structure of entities (users, groups, roles, etc.) and the related backend (Identity Store - DB/LDAP)
2) Authentication - SSO, pluggable auth...
3) Authorization - both Portal and JEE security
4) Portal - concepts like communities (related to point 1)
5) other - dependent services and technologies like CMS, BPM, Rules, etc.

Antoine - thanks for bringing the last point to this topic. I'm not very knowledgeable about BPM but we'll definitely need to look closer at those issues.


So:

Ad 1) Identity Model

It's mostly about how we store and group users. So here we have

- Organization/Business hierarchy - probably some 'Organization' entity that can have sub organizations/entities that store users
- Administration activities - groups and roles
- Portal features - communities

We should make some kind of generic API with Entity/Identity with an assigned Type, where Type exposes possible relations to other types. So the above list could easily be widened with other features like the common profile mentioned by Julien. This will also easily allow entities besides user to have dynamic properties/attributes.

IdentityStore - with a generic API like this all 4 identity modules could be integrated into one with natural implementations for LDAP and DB. Generic API like searchEntity(EntityType, Name, ....). Still the design needs to be cautious as there are a few challenges like updating the state of entities with the backend.

It's hard to define the model without having the backend in mind. The thing is that we can create a flexible structure but both the backend (LDAP/DB) and portal use cases apply specific constraints. The main question is what we allow to be stored in LDAP. On one side it's impossible to store all stuff in LDAP (the schema is limited in the matter of user preferences, for example). Also DB and LDAP are different worlds, and it's impossible to include all LDAP semantics as it's hard to map it in DB.

It would be very tempting to be able to map the whole organization structure (Organization entities + groups and roles + users) from LDAP, while the easiest approach is to only retrieve groups/roles/users. Still, stuff like communities should be DB only.

*Problems* - a few portal services (mostly CMS) rely deeply on identity and I'm sure those changes will be a pain in the ass for their maintainers :)

Ad 2) Authentication

- Leveraging JAAS is good. It's easy to alter things by implementing a proper LoginModule or extending the PAM stack. We should make integration with additional services simpler by providing a generic LoginModule implementation that invokes a pluggable Authenticator service.

- Currently we rely on userName for authentication. This should be configurable. In an LDAP environment it often makes more sense to authenticate against email as it's easier to achieve its uniqueness across the whole organization structure.

- Any changes for easier SSO integration?

Ad 3) Authorization

Identity changes touch both portal permissions and JEE security. Permissions should be applicable to any kind of entity (organization, group, role, user, community ...). Two open topics here:

- Leverage Rules for security (Seam has it currently http://docs.jboss.com/seam/2.0.0.B1/reference/en/html/security.html)
- make authorization easily pluggable - for those who want to integrate with other security stacks like ACEGI or OpenSSO.

Ad 4) Portal - communities

For now the only use case for 'communities' I see is for access and management of common content/resources - pages, wiki, forum, blog etc... So this should be closely related to portal permissions, and the contract with those portlets/services needs to be defined.

Basically this is more related to proper portal services that will leverage the identity model, so we need to discuss how such 'community pages' would look. Maybe it's a subject for a separate thread....

Ad 5) other...

Antoine pointed out some issues with BPM integration. I will need to catch up with this.

When we were applying identity changes in 2.6, a few issues with CMS integration popped up. Some are still there. We need to be aware of all requirements that other services have.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4079391#4079391

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4079391
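An added example, not JBoss Portal code, sketching the generic LoginModule proposed under point 2: the attribute users log in with (userName or email) and the backend Authenticator are both JAAS configuration options, so switching from userName to email needs no code change. The Authenticator interface, the option names and the class name are assumptions made for this example.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Hypothetical pluggable service; the LDAP or DB implementation is named in the JAAS config. */
interface Authenticator {
    boolean authenticate(String attribute, String identifier, char[] password);
}

/** Generic LoginModule: the login attribute and the Authenticator to call are both options. */
public class DelegatingLoginModule implements LoginModule {
    private CallbackHandler handler;
    private String identityAttribute;
    private Authenticator authenticator;
    private boolean succeeded;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.handler = handler;
        // identityAttribute=email switches from userName- to email-based login without code changes
        Object attr = options.get("identityAttribute");
        identityAttribute = attr == null ? "userName" : attr.toString();
        try {   // authenticator=<fully qualified class name> selects the backend implementation
            authenticator = (Authenticator) Class.forName(String.valueOf(options.get("authenticator")))
                    .getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException("bad 'authenticator' option", e);
        }
    }

    @Override
    public boolean login() throws LoginException {
        NameCallback nameCb = new NameCallback(identityAttribute + ": ");
        PasswordCallback pwCb = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { nameCb, pwCb }); }
        catch (IOException | UnsupportedCallbackException e) { throw new LoginException("no credentials: " + e); }
        char[] pw = pwCb.getPassword();   // getPassword() returns a copy; clear the callback's copy now
        pwCb.clearPassword();
        if (pw == null) throw new FailedLoginException("no password supplied");
        try { succeeded = authenticator.authenticate(identityAttribute, nameCb.getName(), pw); }
        finally { Arrays.fill(pw, '\0'); } // never keep the secret around after the check
        if (!succeeded) throw new FailedLoginException("authentication failed");
        return true;
    }

    @Override public boolean commit() { return succeeded; } // principals from the store go onto the Subject here
    @Override public boolean abort() { succeeded = false; return true; }
    @Override public boolean logout() { succeeded = false; return true; }
}
```

The Authenticator is the only piece that knows whether it is talking to LDAP or DB, which is what keeps the LoginModule itself generic.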
