[security-dev] IDM API - Final review
Bill Burke
bburke at redhat.com
Mon Nov 26 16:23:59 EST 2012
I think you may have to have more attributes as well for:
Roles
Groups
Users
Realms
For example, with OAuth, a client may request a specific grant for a
role. The IDM will need a description of the requested role so it can
properly ask the user for the grant request.
On 11/26/2012 4:14 PM, David M. Lloyd wrote:
> I don't think the attribute API is really sophisticated enough for any
> nontrivial usage. A string key will yield inconsistent naming policies
> and questions of key ownership.
>
> There are two key use cases for that API that I can see:
>
> 1. User preference storage. In this case, the user would have (perhaps
> indirect) access to these values for the purposes of changing their
> preferences and other user-controlled data.
>
> 2. Per-application, per-user information storage. In this case the
> application might be storing non-role access or authorization
> information (e.g. how many of resource XYZ am I allotted?), or non-user
> controlled configuration.
>
> On 11/20/2012 04:41 PM, Shane Bryzak wrote:
>> I've updated the IdentityManager API based on the latest design, could
>> everyone please take a couple of minutes to review and let me know if
>> you spot any issues. We'll probably do a time-boxed release (Anil,
>> could you please confirm?) shortly so that projects consuming PLIDM can
>> start building against the API.
>>
>> Thanks,
>> Shane
>>
>>
>> public interface IdentityManager {
>> void bootstrap(IdentityConfiguration configuration,
>> IdentityStoreInvocationContextFactory contextFactory);
>>
>> void setIdentityStoreFactory(IdentityStoreFactory factory);
>>
>> // User
>>
>> void createUser(User user);
>>
>> void removeUser(User user);
>>
>> void updateUser(User user);
>>
>> User getUser(String name);
>>
>> // Group
>>
>> void createGroup(Group group);
>>
>> void removeGroup(Group group);
>>
>> Group getGroup(String groupId);
>>
>> Group getGroup(String groupName, Group parent);
>>
>> boolean isMember(IdentityType identityType, Group group);
>>
>> void addToGroup(IdentityType identityType, Group group);
>>
>> void removeFromGroup(IdentityType identityType, Group group);
>>
>> // Roles
>>
>> void createRole(Role role);
>>
>> void removeRole(Role role);
>>
>> Role getRole(String name);
>>
>> boolean hasRole(IdentityType identityType, Role role, Group group);
>>
>> void grantRole(IdentityType identityType, Role role, Group group);
>>
>> void revokeRole(IdentityType identityType, Role role, Group group);
>>
>> boolean hasApplicationRole(IdentityType identityType, Role role);
>>
>> void grantApplicationRole(IdentityType identityType, Role role);
>>
>> void revokeApplicationRole(IdentityType identityType, Role role);
>>
>> // Query API
>>
>> <T extends IdentityType> IdentityQuery<T> createQuery();
>>
>> // Credential management
>>
>> boolean validateCredential(User user, Credential credential);
>>
>> void updateCredential(User user, Credential credential);
>>
>> // User / Role / Group enablement / expiry
>>
>> void setEnabled(IdentityType identityType, boolean enabled);
>>
>> void setExpirationDate(IdentityType identityType, Date expirationDate);
>>
>> IdentityType lookupIdentityByKey(String key);
>>
>> // Attributes
>>
>> void setAttribute(IdentityType identityType, Attribute<? extends Serializable> attribute);
>>
>> <T extends Serializable> Attribute<T> getAttribute(IdentityType identityType, String attributeName);
>>
>> void removeAttribute(IdentityType identityType, String attributeName);
>>
>> // Realm
>>
>> void createRealm(Realm realm);
>>
>> void removeRealm(Realm realm);
>>
>> Realm getRealm(String name);
>>
>> // Tier
>>
>> void createTier(Tier tier);
>>
>> void removeTier(Tier tier);
>>
>> Tier getTier(String id);
>>
>> // Context
>>
>> IdentityManager forRealm(Realm realm);
>>
>> IdentityManager forTier(Tier tier);
>> }
>>
>> _______________________________________________
>> security-dev mailing list
>> security-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/security-dev
>>
>
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
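The attribute discussion above (David's two use cases and the key-ownership concern against the posted setAttribute/getAttribute/removeAttribute methods) can be made concrete with a small sketch. This is an added example, not code from the thread or from PicketLink IDM: the Attribute class, the Owner enum, AttributeKey, AttributePolicy and AttributeStore are all assumed here, and identities are referenced by a plain string id instead of the API's IdentityType. The point it shows is that a namespaced, typed key plus a registry of namespace owners gives one answer to "who may write this key", so a user-controlled preferences path can never overwrite application-owned data such as a quota.

```java
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;

// Assumed minimal shape of the thread's Attribute<T>; the real class is not shown in the mail.
final class Attribute<T extends Serializable> {
    private final String name;
    private final T value;

    Attribute(String name, T value) {
        this.name = name;
        this.value = value;
    }

    String getName() { return name; }
    T getValue() { return value; }
}

// Which party is allowed to write a namespace (assumption: two owners, one per use case in the thread).
enum Owner { USER, APPLICATION }

// A typed, namespaced key. The qualified name "<namespace>:<name>" is what gets stored,
// so two applications cannot collide on a bare string key such as "quota".
final class AttributeKey<T extends Serializable> {
    final String namespace;
    final String name;
    final Class<T> type;

    AttributeKey(String namespace, String name, Class<T> type) {
        this.namespace = namespace;
        this.name = name;
        this.type = type;
    }

    String qualifiedName() { return namespace + ":" + name; }
}

// Registry of namespace ownership: the single place that answers "who may write this key".
final class AttributePolicy {
    private final Map<String, Owner> owners = new HashMap<>();

    void register(String namespace, Owner owner) { owners.put(namespace, owner); }

    boolean mayWrite(String namespace, Owner actor) {
        Owner owner = owners.get(namespace);
        // Unregistered namespaces are refused rather than implicitly created.
        return owner != null && owner == actor;
    }
}

// Stand-in for the attribute methods of the posted IdentityManager
// (assumption: in-memory map, identities referenced by a string id).
final class AttributeStore {
    private final Map<String, Attribute<? extends Serializable>> attrs = new HashMap<>();
    private final AttributePolicy policy;

    AttributeStore(AttributePolicy policy) { this.policy = policy; }

    private static String slot(String identityId, AttributeKey<?> key) {
        return identityId + "|" + key.qualifiedName();
    }

    <T extends Serializable> void setAttribute(Owner actor, String identityId, AttributeKey<T> key, T value) {
        if (!policy.mayWrite(key.namespace, actor)) {
            throw new SecurityException(actor + " may not write " + key.qualifiedName());
        }
        attrs.put(slot(identityId, key), new Attribute<>(key.qualifiedName(), value));
    }

    <T extends Serializable> T getAttribute(String identityId, AttributeKey<T> key) {
        Attribute<? extends Serializable> stored = attrs.get(slot(identityId, key));
        // The key carries its type, so a reader never has to guess what a string key holds.
        return stored == null ? null : key.type.cast(stored.getValue());
    }

    void removeAttribute(Owner actor, String identityId, AttributeKey<?> key) {
        if (!policy.mayWrite(key.namespace, actor)) {
            throw new SecurityException(actor + " may not remove " + key.qualifiedName());
        }
        attrs.remove(slot(identityId, key));
    }
}

public class AttributeOwnershipExample {
    public static void main(String[] args) {
        AttributePolicy policy = new AttributePolicy();
        policy.register("user.prefs", Owner.USER);       // use case 1: user-controlled preferences
        policy.register("app.xyz", Owner.APPLICATION);   // use case 2: per-application, per-user data
        AttributeStore store = new AttributeStore(policy);

        AttributeKey<String> locale = new AttributeKey<>("user.prefs", "locale", String.class);
        AttributeKey<Integer> quota = new AttributeKey<>("app.xyz", "allotted", Integer.class);

        store.setAttribute(Owner.USER, "alice", locale, "en_US");
        store.setAttribute(Owner.APPLICATION, "alice", quota, 10);
        System.out.println("quota for alice: " + store.getAttribute("alice", quota));

        try {
            // The user-facing preferences path must not be able to raise an application-owned quota.
            store.setAttribute(Owner.USER, "alice", quota, 1000);
        } catch (SecurityException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```

The design choice worth noting is that the owner check lives in the store, not in whichever caller happens to set the attribute: if the real API keeps a single setAttribute(IdentityType, Attribute) entry point, the namespace registry is the natural place to decide whether the current principal may write that namespace, and an unregistered namespace should be refused rather than silently accepted.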