[keycloak-user] How to get permission to all child resources

Nhut Thai Le ntle at castortech.com
Mon Mar 5 09:51:36 EST 2018


Thanks for the suggestion, but the application which uses the REST API
protected by Keycloak will not know all the resources I defined in Keycloak
in order to start asking for permission on the closest ancestor known to Keycloak
(/Document/Administration) when it needs to know permissions for all
files/folders under /Document/Administration/Contracts/Sarah/*.

When testing Keycloak, we know that if Sarah tried to access a specific
child resource (/Document/Administration/Contracts/Sarah/inventory.pdf) from
the browser then she got access denied, although this specific resource is
not defined in Keycloak. Can we use any API to get this result? The
Entitlement API only allows me to ask for permission on a specific
resource_set_name, not a path. If I can do this then I may be able to loop
through all the files within /Document/Administration/Contracts/Sarah/* to
get permissions, although it is going to be a huge performance issue.

Thai

On Mon, Mar 5, 2018 at 7:20 AM, Pedro Igor Silva <psilva at redhat.com> wrote:

> Hey,
>
> In your application you could perform some logic that asks permissions for
> the resource with URI "/Document/Administration". Right now Keycloak does
> not perform any parent/child mapping between resources on the server side.
>
> Would that work for you ?
>
> Regards.
> Pedro Igor
>
> On Sun, Mar 4, 2018 at 1:09 PM, Nhut Thai Le <ntle at castortech.com> wrote:
>
>> Hello,
>>
>> We are new to Keycloak and we are exploring its abilities for securing our
>> web API. One thing we are trying to do is to get all permissions
>> associated with a user for all child resources in an RPT. For example, let's
>> say I'm trying to expose the folder Document on my file system to the
>> network via REST. This Document folder may have millions of files and
>> subfolders, most of them are accessible by all Users, some are only
>> available to Admin, and some are for Customers only.
>>
>> On Keycloak server, i would define 3 resources named:
>> "All Docs" with URL /Document/* and Role policy granting access to all
>> Users
>> "For Admin" with URL /Document/Administration/* and Role policy granting
>> access to only Admins
>> "For Customer" with URL /Document/Products/* and Role policy granting
>> access to only Customers
>>
>> If I use the entitlement API, I can ask if Sarah, who is a User and a
>> Customer, can access "All Docs". However, if Sarah wants to know/list all
>> files under /Document/Administration/Contracts/Sarah/* then how should I
>> ask the entitlement API, since this URL is not declared as a resource in
>> Keycloak? If I can call the API for this path, I would like to receive from
>> the API some permission info starting from /Document/Administration
>> because this is the closest ancestor known to Keycloak regarding the path
>> being asked.
>>
>> Hope to get some insight soon
>>
>> Thai
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>


-- 
Castor Technologies Inc
460 rue St-Catherine St Ouest, Suite 613
Montréal, Québec H3B-1A7
(514) 360-7208 o
(514) 798-2044 f
ntle at castortech.com
www.castortech.com
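The application-side mapping Pedro describes in the thread (Keycloak does no parent/child mapping on the server, so the client must find the closest registered ancestor itself), as an added example that is not Keycloak's code or code from the original posts. It uses the three resource names and URI patterns from the thread, normalizes the path before matching so a `..` segment cannot be matched against the wrong ancestor, picks the longest matching prefix so "For Admin" is not shadowed by "All Docs", and buckets a whole directory listing by resource so one Entitlement API request per distinct resource replaces one request per file. The Entitlement API request body follows the Keycloak 3.x `resource_set_name` shape the thread refers to; the decoded RPT claims are constructed sample data, and JWT signature verification is assumed to have been done before the claims are read.

```python
"""Added example (not Keycloak's code): application-side "closest ancestor"
resolution for paths protected by Keycloak Authorization Services, plus
batching of permission checks per resource instead of per file."""
import posixpath
from typing import Dict, List, Optional, Tuple

# Resources as registered in the thread: name -> URI pattern.
RESOURCES: Dict[str, str] = {
    "All Docs": "/Document/*",
    "For Admin": "/Document/Administration/*",
    "For Customer": "/Document/Products/*",
}


def normalize(path: str) -> str:
    """Collapse '.', '..' and repeated slashes BEFORE matching, so a request
    for /Document/Administration/../Products/x is matched as a Products path
    rather than being compared against the Administration prefix."""
    if not path.startswith("/"):
        path = "/" + path
    norm = posixpath.normpath(path)
    while norm.startswith("//"):  # normpath keeps a leading '//' (POSIX rule)
        norm = norm[1:]
    return norm


def closest_resource(path: str, resources=RESOURCES) -> Optional[Tuple[str, str]]:
    """Return (resource_name, uri_pattern) of the most specific registered
    pattern covering `path`, or None if no resource covers it.

    Longest matching prefix wins: '/Document/Administration/*' beats
    '/Document/*'. Picking the broader pattern instead would let "All Docs"
    (granted to every User) shadow the Admin-only policy."""
    p = normalize(path)
    best, best_len = None, -1
    for name, pattern in resources.items():
        if pattern.endswith("/*"):
            prefix = pattern[:-1]  # e.g. '/Document/Administration/'
            covers = p.startswith(prefix) or p == prefix.rstrip("/")
        else:
            prefix, covers = pattern, (p == pattern)
        if covers and len(prefix) > best_len:
            best, best_len = (name, pattern), len(prefix)
    return best


def group_by_resource(paths: List[str]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Bucket a directory listing by closest resource: one entitlement request
    per bucket, not per file. Paths under no registered resource are returned
    separately so the caller can deny them (fail closed)."""
    buckets: Dict[str, List[str]] = {}
    unmatched: List[str] = []
    for path in paths:
        hit = closest_resource(path)
        if hit is None:
            unmatched.append(path)
        else:
            buckets.setdefault(hit[0], []).append(path)
    return buckets, unmatched


def entitlement_request(resource_names: List[str]) -> dict:
    """JSON body for POST .../realms/{realm}/authz/entitlement/{client_id}
    (Keycloak 3.x Entitlement API): one entry per resource_set_name."""
    return {"permissions": [{"resource_set_name": n} for n in resource_names]}


def is_permitted(rpt_claims: dict, resource_name: str, scope: Optional[str] = None) -> bool:
    """Read the 'authorization.permissions' claim of an already
    signature-verified, decoded RPT (verification is assumed done elsewhere)."""
    for perm in rpt_claims.get("authorization", {}).get("permissions", []):
        if perm.get("resource_set_name") == resource_name:
            return scope is None or scope in perm.get("scopes", [])
    return False


# Constructed sample: decoded RPT for Sarah (roles User + Customer) after
# asking for all three resources. Not a real token; ids are placeholders.
SAMPLE_RPT_CLAIMS = {
    "preferred_username": "sarah",
    "authorization": {"permissions": [
        {"resource_set_id": "sample-id-1", "resource_set_name": "All Docs"},
        {"resource_set_id": "sample-id-2", "resource_set_name": "For Customer"},
    ]},
}


def can_read(path: str, rpt_claims: dict = SAMPLE_RPT_CLAIMS) -> bool:
    """End-to-end decision for one path: closest resource, then RPT lookup."""
    hit = closest_resource(path)
    return hit is not None and is_permitted(rpt_claims, hit[0])


if __name__ == "__main__":
    listing = [
        "/Document/Administration/Contracts/Sarah/inventory.pdf",
        "/Document/Products/catalog.pdf",
        "/Document/readme.txt",
        "/Document/Administration/../Products/leak.pdf",
        "/etc/passwd",
    ]
    buckets, unmatched = group_by_resource(listing)
    print("entitlement body:", entitlement_request(sorted(buckets)))
    print("unmatched (deny):", unmatched)
    for path in listing:
        print(path, "->", "allow" if can_read(path) else "deny")
```

The matching is deliberately client-side and conservative: anything that does not fall under a registered pattern is denied rather than defaulting to "All Docs", and the scope parameter lets the same lookup be reused once scopes (read, list, write) are attached to the resources.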


