[keycloak-user] Listing the UMA resources accessible by a user

Pedro Igor Silva psilva at redhat.com
Wed Mar 20 13:49:09 EDT 2019


On Wed, Mar 20, 2019 at 1:35 PM <roxspring at imapmail.org> wrote:

> Using a modern API client definitely improves things but I'm struggling to
> see how this scales.
>
> If there are 1000+ of resources then the policy seems to have to load each
> in turn for the policy to execute (at least according to the Java and
> JavaScript Policy Evaluation API). Presumably running a Java policy will be
> faster than the JavaScript ones I've played with but fundamentally there's
> a lot of database access.


> Do other built in policies get to use SQL filters and indexes to operate
> at database speed? - perhaps I need to restrict myself to those sorts of
> policies to handle large numbers of resources??


> Or for 1000+ of resources am I better off having my resource server take
> control of ownership and not using UMA for it at all?
>

Resources are loaded depending on the requested permissions. And yeah, JS
is using Nashorn and it is indeed slower than other policy types. You
should not see a lot of database access though as we cache entries such as
resources, permissions and policies. Authorization requests should benefit
from this cache once it is hot.
When doing UMA you usually make authorization requests for a single
resource (the one you received the ticket from the resource server
response). And evaluation should be fast. The same goes if you make
authorization requests for specific resources.

During evaluation the engine also tries to avoid re-evaluating policies
that were already processed for a given resource or scopes.


>
> Keycloak's UMA appears to offer great flexibility, and is great when you
> already know the resources, but falls down for resource discovery. Or am I
> missing something?
>

Yeah, you are right. Although we allow you to query permissions based on
resource names and scopes, in case your client is aware of the resources
and scopes protected by the RS.


>
> I'm curious to know of other people's experience with Keycloak UMA + scale!
>
> Thanks,
>
> Rob
>
> > -----Original Message-----
> > From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On Behalf Of roxspring at imapmail.org
> > Sent: 07 March 2019 14:47
> > To: 'Pedro Igor Silva' <psilva at redhat.com>
> > Cc: 'keycloak-user' <keycloak-user at lists.jboss.org>
> > Subject: Re: [keycloak-user] Listing the UMA resources accessible by a user
> >
> > Thanks Pedro – that gives me something to try out!
> >
> > (Turns out I was using an old client and didn't have that API available… time for some upgrades!)
> >
> > From: Pedro Igor Silva <psilva at redhat.com>
> > Sent: 07 March 2019 13:36
> > To: roxspring at imapmail.org
> > Cc: keycloak-user <keycloak-user at lists.jboss.org>
> > Subject: Re: [keycloak-user] Listing the UMA resources accessible by a user
> >
> > Hi,
> >
> > We have an API that allows you to list resources shared to a specific user if the access was granted based on the standard UMA flow (using permission tickets). The Keycloak AuthZ Java Client [1] provides access to this API.
> >
> > [1] https://github.com/keycloak/keycloak/blob/76076cdb3c5d7f83084b6794707b11e8b1a499c6/authz/client/src/main/java/org/keycloak/authorization/client/resource/PermissionResource.java#L197
> >
> > On Thu, Mar 7, 2019 at 10:21 AM <roxspring at imapmail.org> wrote:
> >
> > Hi folks,
> >
> > UMA seems to be a great solution to model fine grained permissions and allow scenarios such as "Alice shares Folder X with Bob".
> >
> > Keycloak seems to implement this well with APIs for the resource server to ask "Given [User] and [Folder X], can the user do [Scope]?" and provide answers for both Alice and Bob based on some policy.
> >
> > Where I'm struggling is that our application also needs to provide an answer to "Given [User], which folders can they do [Scope] to?" and I'm not clear how best to achieve this with Keycloak.
> >
> > A. Track which folders a user owns or can access and answer the question directly in the resource server, but that results in the resource server having a rigid model of the authorization rules and loses the benefits of Keycloak's flexible policies (or duplicates the policy which seems just as bad).
> > B. Have the resource server choose some subset of all folders and ask Keycloak to validate each resource, but that becomes very chatty and slow when there are 1000s of resources to validate.
> > C. Just ask Keycloak to validate all resources and just return those the user can access, but that's also potentially slow with 1000s of resources to validate and 100s accessible.
> >    a. As above but with additional filtering by resource type to trim the options.
> >    b. As above but with additional filtering by attributes (e.g. where property:owner = "Alice")
> >    c. As above but with a full blown query language (e.g. "WHERE type=Folder AND (property:owner=Alice OR property:sharedwith contains Alice)")
> > D. ...?
> >
> > I was expecting some variant of C to be the recommended way forward but I can't find the relevant APIs (even without filtering). What's the best way to model such a (presumably common) scenario?
> >
> > Thanks,
> >
> > Rob
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
>

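The two request shapes contrasted above, written here as an added example with the Keycloak AuthZ Java Client (not code from the thread): a single-resource authorization request, which is the cheap UMA path the engine caches well, and a paged lookup of the permission tickets already granted to a user, the closest the client offers to "which folders can this user read?". `AuthzClient.create()` assumes a `keycloak.json` on the classpath; the token, user id, resource name and the `"read"` scope are constructed placeholders, and the `find(...)` parameter order is assumed from the linked PermissionResource.

```java
import java.util.List;
import java.util.stream.Collectors;

import org.keycloak.authorization.client.AuthorizationDeniedException;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.representations.idm.authorization.AuthorizationRequest;
import org.keycloak.representations.idm.authorization.AuthorizationResponse;
import org.keycloak.representations.idm.authorization.Permission;
import org.keycloak.representations.idm.authorization.PermissionTicketRepresentation;

public class UmaScaleExample {
    // Reads keycloak.json (realm, auth-server-url, client credentials) from the classpath.
    private static final AuthzClient AUTHZ = AuthzClient.create();

    /**
     * Fast path: ask about one resource and one scope, which is what the UMA
     * ticket flow does anyway. The engine only loads that resource's policies.
     */
    public static boolean canRead(String userAccessToken, String resourceName) {
        AuthorizationRequest request = new AuthorizationRequest();
        request.addPermission(resourceName, "read"); // "read" is an assumed scope name
        try {
            AuthorizationResponse response = AUTHZ.authorization(userAccessToken).authorize(request);
            // Introspect the RPT and check the granted scopes instead of trusting a 200 alone.
            List<Permission> granted = AUTHZ.protection()
                    .introspectRequestingPartyToken(response.getToken())
                    .getPermissions();
            return granted.stream().anyMatch(p -> resourceName.equals(p.getResourceName())
                    && p.getScopes() != null && p.getScopes().contains("read"));
        } catch (AuthorizationDeniedException denied) {
            // The server answered 403: no policy granted the requested scope.
            return false;
        }
    }

    /**
     * Discovery path: list resources already shared with a user through the UMA
     * ticket flow. granted=true and returnNames=true filter server-side; page with
     * firstResult/maxResult so 1000+ tickets are not pulled in one response.
     */
    public static List<String> sharedResourceNames(String requesterUserId, int first, int max) {
        List<PermissionTicketRepresentation> tickets = AUTHZ.protection().permission()
                .find(null, null, null, requesterUserId, true, true, first, max);
        return tickets.stream()
                .map(PermissionTicketRepresentation::getResourceName)
                .distinct()
                .collect(Collectors.toList());
    }
}
```

The ticket lookup only covers resources shared through UMA tickets; folders a user can reach purely through a policy (for example as owner) still need a targeted authorization request per resource.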
