[keycloak-user] Authorization transfer
Corentin Dupont
corentin.dupont at gmail.com
Tue Nov 21 16:13:33 EST 2017
In parallel with the domains authorizations, I have other policies, such as
"owner" policies (similar to the photoz example).
I coded the owner policy with javascript:
var context = $evaluation.getContext();
var permission = $evaluation.getPermission();
var identity = context.getIdentity();
if (identity.id == permission.getResource().getOwner()) {
$evaluation.grant();
}
But it leads to this result when evaluating a user:
Result*: DENY*
Policies:
- *Can access domain
<http://localhost:8080/auth/admin/master/console/#/realms/waziup/clients/0892e431-5daf-413e-b4cf-eaee121ee447/authz/resource-server/permission/resource/7323164c-3009-4cf8-9a48-b37cf009d2fe>*
decision was *PERMIT* by *UNANIMOUS* decision.
- *Users in domain
<http://localhost:8080/auth/admin/master/console/#/realms/waziup/clients/0892e431-5daf-413e-b4cf-eaee121ee447/authz/resource-server/policy/user/ef112bc8-c7a8-4300-be92-d0c9d0300971>*
voted to *PERMIT* .
*Can delete MyHouse
<http://localhost:8080/auth/admin/master/console/#/realms/waziup/clients/0892e431-5daf-413e-b4cf-eaee121ee447/authz/resource-server/permission/scope/53278490-b9c8-41f6-b2a5-bef5a0be6e73>*
decision was *DENY* by *UNANIMOUS* decision.
- *owner can access
<http://localhost:8080/auth/admin/master/console/#/realms/waziup/clients/0892e431-5daf-413e-b4cf-eaee121ee447/authz/resource-server/policy/js/762cf51c-9ff1-4b44-ba79-6890189db0f2>*
voted to *DENY*.
The two permissions are overlapping, so it seems normal that both got
evaluated.
But why the java policy ("Grant_owner") voted DENY?
I didn't mention explicitly the deny in the code...
I think that if you are the owner, you should be granted. But if you are
not the owner, no decision can be taken by the policy...
On Tue, Nov 21, 2017 at 6:54 PM, Corentin Dupont <corentin.dupont at gmail.com>
wrote:
>
> I see, so I need to create "mydomain" as a resource.
> But what should be the type for both "mydomain" and "myhouse"? Should it
> be something like "domain:mydomain"?
>
> What I would like is to grant different access to users to that domain.
> For example: user Bob can only view resources in domain "mydomain".
> User Alice can view and delete resources in "mydomain".
> Should I create a "User Policy" with the list of users that have access?
>
> If I understand, I need to use the "resource-based" permission. However it
> does not seem to let me select the scopes (as in my example: Bob can only
> view, but Alice can delete).
>
> Another question: how to invoke the API for typed resources?
> I have:
> curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer
> $TOKEN" -d '{
> "permissions" : [
> {
> "resource_set_name" : "Sensors",
> "scopes" : [
> "view"
> ]
> }
> ]
> }' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup"
>
> But this uses the name of the resource, so I am not sure. Is there a
> reference for this API?
>
> Thanks a lot
> PS. I found some minor bugs related to the API, should I report them here
> or create a JIRA?
>
>
>
> On Tue, Nov 21, 2017 at 1:51 PM, Pedro Igor Silva <psilva at redhat.com>
> wrote:
>
>> Resources have a *type* field that can be used to group resources.
>> Permissions granted to a "typed resource" (which is created with the
>> resource server itself as the owner) applies to any other resource with the
>> same type and owned by an user. Think about a "typed resource" as a
>> general/parent resource.
>>
>> If you have a "mydomain" typed resource and a "myhouse" resource, sharing
>> the same type, any permission you apply to "mydomain" is going to be
>> applied to "myhouse".
>>
>> Does it makes sense ?
>>
>> On Mon, Nov 20, 2017 at 9:10 AM, Corentin Dupont <
>> corentin.dupont at gmail.com> wrote:
>>
>>> Thanks for the answer.
>>> My plan is to make authorizations based on groups of resources, that we
>>> call "domains".
>>> Basically, when a user creates a resource, he can decide to put it in an
>>> existing domain.
>>> The URL reflects that domain:
>>>
>>> http://www.example.com/api/v1/domains/mydomain/houses/myhouse
>>>
>>> The user can also create domains with the domains endpoint:
>>>
>>> POST http://www.example.com/api/v1/domains/
>>>
>>> What is not clear for me is how users can get access to domains.
>>> Probably users can have an attribute "domains", with the list of
>>> domains they have access to?
>>> Or should a domain be represented in Keycloak as a resource?
>>> In this case, should we create roles to access that domain?
>>> For example, the role "admin-mydomain" ?
>>>
>>> Or should it be implemented with user groups in Keycloak? Or with User
>>> policies?
>>>
>>>
>>>
>>> On Fri, Nov 17, 2017 at 9:06 PM, Pedro Igor Silva <psilva at redhat.com>
>>> wrote:
>>>
>>>> Right now you can't do it. This is all about the work we are doing to
>>>> better support UMA protocol. Soon you'll be able to let your users to
>>>> manage their resources (and their policies) from Keycloak Account Service,
>>>> grant and revoke access to other users, authorization flows. We are really
>>>> missing this.
>>>>
>>>> However, I think you can try to use the Policy Management API. It
>>>> provides a RESTful API that you can use to manage permissions and policies.
>>>> As an example https://github.com/pedroigor/keycloak/blob/cedc095a9
>>>> c50a1d16482acbbc9876de1730c9fb1/testsuite/integration-arquil
>>>> lian/tests/base/src/test/java/org/keycloak/testsuite/admin/c
>>>> lient/authorization/UserPolicyManagementTest.java. There are other
>>>> tests in the same package for other permission and policy types.
>>>>
>>>> Please, let me know about your achievements if you start doing
>>>> something with the Policy Management API. Any feedback is welcome and will
>>>> probably help with the work I mentioned before around UMA.
>>>>
>>>> On Fri, Nov 17, 2017 at 4:59 PM, Corentin Dupont <
>>>> corentin.dupont at gmail.com> wrote:
>>>>
>>>>> Hi guys,
>>>>> is it possible for an application user to grant some authorizations to
>>>>> another user?
>>>>> For example in the photoz example, how can I give access to my albums
>>>>> to another user?
>>>>> What would be the mechanism?
>>>>>
>>>>> Thanks a lot
>>>>> Corentin
>>>>>
>>>>
>>>>
>>>
>>
>
More information about the keycloak-user
mailing list