[keycloak-user] How to get permission to all child resources

Pedro Igor Silva psilva at redhat.com
Mon Mar 5 14:23:00 EST 2018


Do you mean return all permissions associated with a resource? If so, yes,
you can do that through the Keycloak Java Admin Client. See
https://github.com/keycloak/keycloak/blob/3.4.3.Final/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/AuthorizationResource.java.

On Mon, Mar 5, 2018 at 3:43 PM, Nhut Thai Le <ntle at castortech.com> wrote:

> Is it possible to customize the adapter to return all resource-mapped
> permissions? I know Keycloak is open source so we can customize it, but I
> need a general guideline on where to put my change.
>
> Thanks
>
> Thai
> ---------- Forwarded message ----------
> From: Pedro Igor Silva <psilva at redhat.com>
> Date: Mon, Mar 5, 2018 at 11:42 AM
> Subject: Re: [keycloak-user] How to get permission to all child resources
> To: Nhut Thai Le <ntle at castortech.com>
> Cc: keycloak-user <keycloak-user at lists.jboss.org>
>
>
> There is no way to ask for permissions based on paths. Currently, all the
> logic that maps URIs/paths to protected resources in Keycloak is within
> the policy enforcers (adapters). One thing we might do is maybe have
> similar logic on the server where we could resolve resources based on
> patterns, etc. Something we need to think about.
>
> That is an area we are looking to improve though. We are working on some
> improvements in order to offer better support for RESTful security. Things
> like what you are asking are what we are looking for.
>
> Could you create an issue in JIRA describing your requirements so we can
> include them in our roadmap?
>
> Thanks.
> Pedro Igor
>
> On Mon, Mar 5, 2018 at 11:51 AM, Nhut Thai Le <ntle at castortech.com> wrote:
>
>> Thanks for the suggestion, but the application which uses the REST API
>> protected by Keycloak will not know all the resources I defined on Keycloak
>> to start asking permission for the closest ancestor known to Keycloak
>> (/Document/Administration) when it needs to know permissions for all
>> files/folders under /Document/Administration/Contracts/Sarah/*.
>>
>> When testing Keycloak, we know that if Sarah tried to access a specific
>> child resource (/Document/Administration/Contacts/Sarah/inventory.pdf)
>> from the browser then she got access denied, although this specific resource
>> is not defined in Keycloak. Can we use any API to get this result? The
>> Entitlement API only allows me to ask permission for a specific
>> resource_set_name, not a path. If I can do this then I may be able to loop
>> through all the files within /Document/Administration/Contacts/Sarah/*
>> to get permission, although it is going to be a huge performance issue.
>>
>> Thai
>>
>> On Mon, Mar 5, 2018 at 7:20 AM, Pedro Igor Silva <psilva at redhat.com>
>> wrote:
>>
>>> Hey,
>>>
>>> In your application you could perform some logic that asks permissions
>>> for the resource with URI "/Document/Administration". Right now Keycloak
>>> does not perform any parent/child mapping between resources on the server
>>> side.
>>>
>>> Would that work for you?
>>>
>>> Regards.
>>> Pedro Igor
>>>
>>> On Sun, Mar 4, 2018 at 1:09 PM, Nhut Thai Le <ntle at castortech.com>
>>> wrote:
>>>
>>>> Hello,
>>>>
>>>> We are new to Keycloak and we are exploring its abilities for securing
>>>> our web API. One thing we are trying to do is to get all permissions
>>>> associated with a user for all child resources in an RPT. For example,
>>>> let's say I'm trying to expose the folder Document on my file system to
>>>> the network via REST. This Document folder may have millions of files and
>>>> subfolders; most of them are accessible by all Users, some are only
>>>> available to Admin, and some are for Customers only.
>>>>
>>>> On the Keycloak server, I would define 3 resources named:
>>>> "All Docs" with URL /Document/* and a Role policy granting access to all
>>>> Users
>>>> "For Admin" with URL /Document/Administration/* and a Role policy granting
>>>> access to only Admins
>>>> "For Customer" with URL /Document/Products/* and a Role policy granting
>>>> access to only Customers
>>>>
>>>> If I use the entitlement API, I can ask if Sarah, who is a Users and a
>>>> Customers, can access "All Docs". However, if Sarah wants to know/list all
>>>> files under /Document/Administration/Contracts/Sarah/* then how should I
>>>> ask the entitlement API, since this URL is not declared as a resource in
>>>> Keycloak? If I can call the API for this path, I would like to receive
>>>> from the API some permissions info starting from /Document/Administration,
>>>> because this is the closest ancestor known to Keycloak regarding the path
>>>> being asked.
>>>>
>>>> Hope to get some insight soon
>>>>
>>>> Thai
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>>>
>>
>>
>> --
>> Castor Technologies Inc
>> 460 rue St-Catherine St Ouest, Suite 613
>> Montréal, Québec H3B-1A7
>> (514) 360-7208 o
>> (514) 798-2044 f
>> ntle at castortech.com
>> www.castortech.com
>>
>> CONFIDENTIALITY NOTICE: The information contained in this e-mail is
>> confidential and may be proprietary information intended only for the use
>> of the individual or entity to whom it is addressed. If the reader of this
>> message is not the intended recipient, you are hereby notified that any
>> viewing, dissemination, distribution, disclosure, copy or use of the
>> information contained in this e-mail message is strictly prohibited. If you
>> have received and/or are viewing this e-mail in error, please immediately
>> notify the sender by reply e-mail, and delete it from your system without
>> reading, forwarding, copying or saving in any manner. Thank you.
>> CONFIDENTIALITY NOTICE (French version, translated): The information
>> contained in this message is confidential, may be protected by professional
>> secrecy and is reserved for the exclusive use of the addressee. Any other
>> person is hereby notified that it is strictly forbidden to disseminate,
>> distribute or reproduce this message. If you have received this
>> communication in error, please destroy it immediately and notify the
>> sender. Thank you.
>>
>

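The application-side mapping Pedro suggests (resolve a requested path to the closest resource Keycloak knows about, then ask the Entitlement API by resource_set_name) worked through with the three resources from the thread. This is an added example, not Keycloak's adapter code nor the poster's; the trailing "/*" matching rule and the role check are simplified stand-ins (assumptions) for what the policy enforcer and the server's Role policy do.

```python
"""Map a requested path to the closest resource declared in Keycloak, then build
the Entitlement API request for it. Example code, not Keycloak's own adapter."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Resource:
    name: str           # resource_set_name as declared on the server
    uri: str            # URL pattern as declared, e.g. "/Document/Administration/*"
    required_role: str  # role the Role policy grants (mock of the server-side policy)

# The three resources from the thread; roles are the thread's Users/Admins/Customers.
RESOURCES = [
    Resource("All Docs", "/Document/*", "Users"),
    Resource("For Admin", "/Document/Administration/*", "Admins"),
    Resource("For Customer", "/Document/Products/*", "Customers"),
]

def matches(uri_pattern: str, path: str) -> bool:
    """Simplified matcher (assumption): a trailing '/*' covers the prefix itself
    and everything below it; any other pattern must match the path exactly."""
    if uri_pattern.endswith("/*"):
        prefix = uri_pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return uri_pattern == path

def closest_resource(path: str, resources=RESOURCES) -> Optional[Resource]:
    """Most specific (longest) matching pattern wins: the 'closest ancestor'.
    Returns None when no declared resource covers the path."""
    hits = [r for r in resources if matches(r.uri, path)]
    return max(hits, key=lambda r: len(r.uri), default=None)

def entitlement_request(path: str) -> Optional[dict]:
    """Body for the Entitlement API, which accepts resource_set_name, not a path."""
    r = closest_resource(path)
    return None if r is None else {"permissions": [{"resource_set_name": r.name}]}

def mock_decision(path: str, user_roles: set) -> bool:
    """Constructed stand-in for the server's Role policy: grant only if the user
    holds the role required by the closest resource (an undeclared path is denied)."""
    r = closest_resource(path)
    return r is not None and r.required_role in user_roles

if __name__ == "__main__":
    sarah = {"Users", "Customers"}  # constructed sample user from the thread
    for p in ("/Document/readme.txt", "/Document/Products/catalog.pdf",
              "/Document/Administration/Contracts/Sarah/inventory.pdf", "/Public/x"):
        r = closest_resource(p)
        print(p, "->", r.name if r else None, "granted:", mock_decision(p, sarah))
```

Note that the Administration path matches both "All Docs" and "For Admin"; choosing the longest pattern is what makes Sarah's request for inventory.pdf resolve to the Admin-only resource and be denied, which is the behaviour the thread observed from the adapter.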

More information about the keycloak-user mailing list