[security-dev] IDM API - Final review

Bill Burke bburke at redhat.com
Mon Nov 26 16:23:59 EST 2012


I think you may have to have more attributes as well for:

Roles
Groups
Users
Realms

For example, with OAuth, a client may request a specific grant for a
role.  The IDM will need a description of the requested role so it can
properly ask the user for the grant request.

On 11/26/2012 4:14 PM, David M. Lloyd wrote:
> I don't think the attribute API is really sophisticated enough for any
> nontrivial usage.  A string key will yield inconsistent naming policies
> and questions of key ownership.
>
> There are two key use cases for that API that I can see:
>
> 1. User preference storage.  In this case, the user would have (perhaps
> indirect) access to these values for the purposes of changing their
> preferences and other user-controlled data.
>
> 2. Per-application, per-user information storage.  In this case the
> application might be storing non-role access or authorization
> information (e.g. how many of resource XYZ am I allotted?), or non-user
> controlled configuration.
>
> On 11/20/2012 04:41 PM, Shane Bryzak wrote:
>> I've updated the IdentityManager API based on the latest design, could
>> everyone please take a couple of minutes to review and let me know if
>> you spot any issues.  We'll probably do a time-boxed release (Anil,
>> could you please confirm?) shortly so that projects consuming PLIDM can
>> start building against the API.
>>
>> Thanks,
>> Shane
>>
>>
>> import java.io.Serializable;
>> import java.util.Date;
>>
>> public interface IdentityManager {
>>        void bootstrap(IdentityConfiguration configuration, IdentityStoreInvocationContextFactory contextFactory);
>>
>>        void setIdentityStoreFactory(IdentityStoreFactory factory);
>>
>>        // User
>>
>>        void createUser(User user);
>>
>>        void removeUser(User user);
>>
>>        void updateUser(User user);
>>
>>        User getUser(String name);
>>
>>        // Group
>>
>>        void createGroup(Group group);
>>
>>        void removeGroup(Group group);
>>
>>        Group getGroup(String groupId);
>>
>>        Group getGroup(String groupName, Group parent);
>>
>>        boolean isMember(IdentityType identityType, Group group);
>>
>>        void addToGroup(IdentityType identityType, Group group);
>>
>>        void removeFromGroup(IdentityType identityType, Group group);
>>
>>        // Roles
>>
>>        void createRole(Role role);
>>
>>        void removeRole(Role role);
>>
>>        Role getRole(String name);
>>
>>        boolean hasRole(IdentityType identityType, Role role, Group group);
>>
>>        void grantRole(IdentityType identityType, Role role, Group group);
>>
>>        void revokeRole(IdentityType identityType, Role role, Group group);
>>
>>        boolean hasApplicationRole(IdentityType identityType, Role role);
>>
>>        void grantApplicationRole(IdentityType identityType, Role role);
>>
>>        void revokeApplicationRole(IdentityType identityType, Role role);
>>
>>        // Query API
>>
>>        <T extends IdentityType> IdentityQuery<T> createQuery();
>>
>>        // Credential management
>>
>>        boolean validateCredential(User user, Credential credential);
>>
>>        void updateCredential(User user, Credential credential);
>>
>>        // User / Role / Group enablement / expiry
>>
>>        void setEnabled(IdentityType identityType, boolean enabled);
>>
>>        void setExpirationDate(IdentityType identityType, Date expirationDate);
>>
>>        IdentityType lookupIdentityByKey(String key);
>>
>>        // Attributes
>>
>>        void setAttribute(IdentityType identityType, Attribute<? extends Serializable> attribute);
>>
>>        <T extends Serializable> Attribute<T> getAttribute(IdentityType identityType, String attributeName);
>>
>>        void removeAttribute(IdentityType identityType, String attributeName);
>>
>>        // Realm
>>
>>        void createRealm(Realm realm);
>>
>>        void removeRealm(Realm realm);
>>
>>        Realm getRealm(String name);
>>
>>        // Tier
>>
>>        void createTier(Tier tier);
>>
>>        void removeTier(Tier tier);
>>
>>        Tier getTier(String id);
>>
>>        // Context
>>
>>        IdentityManager forRealm(Realm realm);
>>
>>        IdentityManager forTier(Tier tier);
>> }
>>
>> _______________________________________________
>> security-dev mailing list
>> security-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/security-dev
>>
>
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
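The attribute-key ownership problem David raises above (a bare string key gives no naming policy and no owner, yet the same API has to hold both user-editable preferences and application-owned authorization data such as allotments) can be made concrete with a small sketch. The following is an added example, not code from the thread or from PLIDM: `Attribute`, `IdentityType`, `Caller` and the `user:<name>` / `app:<appId>:<name>` key convention are all hypothetical stand-ins shaped after the posted `setAttribute`/`getAttribute` signatures. It shows two applications keeping their own `quota` without colliding, and the store refusing a user's attempt to raise their own allotment or one application's attempt to write into another's namespace.

```java
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;

// Added example (not PLIDM code): owner-prefixed attribute keys so that
// user preferences (use case 1) and per-application authorization data
// (use case 2) neither collide nor get written by the wrong party.
public final class OwnedAttributes {

    // Minimal stand-in for the posted Attribute<? extends Serializable>.
    public static final class Attribute<T extends Serializable> {
        private final String name;
        private final T value;
        public Attribute(String name, T value) { this.name = name; this.value = value; }
        public String getName() { return name; }
        public T getValue() { return value; }
    }

    // Minimal stand-in for IdentityType: an id plus its attribute map.
    public static final class IdentityType {
        private final String id;
        final Map<String, Attribute<? extends Serializable>> attributes = new HashMap<>();
        public IdentityType(String id) { this.id = id; }
        public String getId() { return id; }
    }

    // Who performs the write: the end user, or an application on its own behalf.
    public enum CallerKind { USER, APPLICATION }

    public static final class Caller {
        final CallerKind kind;
        final String appId; // only set for APPLICATION callers
        public Caller(CallerKind kind, String appId) { this.kind = kind; this.appId = appId; }
        @Override public String toString() { return kind == CallerKind.USER ? "user" : "app:" + appId; }
    }

    // Hypothetical key convention: "user:<name>" belongs to the user,
    // "app:<appId>:<name>" belongs to exactly one application.
    public static String userKey(String name) { return "user:" + name; }
    public static String appKey(String appId, String name) { return "app:" + appId + ":" + name; }

    // The owner prefix decides who may write the key; reads stay open here.
    public static boolean mayWrite(Caller caller, String key) {
        switch (caller.kind) {
            case USER:        return key.startsWith("user:");
            case APPLICATION: return key.startsWith("app:" + caller.appId + ":");
            default:          return false;
        }
    }

    public static void setAttribute(Caller caller, IdentityType identity,
                                    Attribute<? extends Serializable> attr) {
        if (!mayWrite(caller, attr.getName())) {
            throw new SecurityException(caller + " may not write '" + attr.getName()
                    + "' on " + identity.getId());
        }
        identity.attributes.put(attr.getName(), attr);
    }

    public static Attribute<? extends Serializable> getAttribute(IdentityType identity, String key) {
        return identity.attributes.get(key);
    }

    public static void main(String[] args) {
        // Constructed sample identities and callers.
        IdentityType alice = new IdentityType("alice");
        Caller aliceHerself = new Caller(CallerKind.USER, null);
        Caller billing = new Caller(CallerKind.APPLICATION, "billing");
        Caller storage = new Caller(CallerKind.APPLICATION, "storage");

        // Use case 1: a user-controlled preference.
        setAttribute(aliceHerself, alice, new Attribute<>(userKey("locale"), "en_AU"));

        // Use case 2: two applications each hold their own "quota" for the same user.
        setAttribute(billing, alice, new Attribute<>(appKey("billing", "quota"), 5));
        setAttribute(storage, alice, new Attribute<>(appKey("storage", "quota"), 50));
        System.out.println("billing quota: " + getAttribute(alice, appKey("billing", "quota")).getValue());
        System.out.println("storage quota: " + getAttribute(alice, appKey("storage", "quota")).getValue());

        // Neither the user nor another application may alter billing's allotment.
        for (Caller c : new Caller[] { aliceHerself, storage }) {
            try {
                setAttribute(c, alice, new Attribute<>(appKey("billing", "quota"), 500));
            } catch (SecurityException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The point of the sketch is that the ownership check lives in the store, keyed off a prefix the caller cannot choose freely, rather than in each application's discipline about key names; a bare key such as `quota` would let the two applications silently overwrite each other and would give the user-preference path the same write access as the authorization path.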