[security-dev] IDM API - Final review

Shane Bryzak sbryzak at redhat.com
Mon Nov 26 18:16:14 EST 2012


On 11/27/2012 07:47 AM, Anil Saldhana wrote:
> On 11/26/2012 03:14 PM, David M. Lloyd wrote:
>> I don't think the attribute API is really sophisticated enough for any
>> nontrivial usage.  A string key will yield inconsistent naming policies
>> and questions of key ownership.
>>
>> There are two key use cases for that API that I can see:
>>
>> 1. User preference storage.  In this case, the user would have (perhaps
>> indirect) access to these values for the purposes of changing their
>> preferences and other user-controlled data.
> David, are you thinking of the Java Preferences API here?
> http://docs.oracle.com/javase/6/docs/api/java/util/prefs/Preferences.html
>
> I have never personally used them.  But I am wondering are you referring to
> IDM having its own implementation of the Java Pref class?  Would that be
> better?

I took a quick look at this, and I think we could implement this as an 
add-on feature (i.e. not part of the IdentityManager itself, but still 
based on our Identity model) if David agrees that it will meet the 
requirements.  Although I think that the Attributes API as it stands 
should be able to support the user preferences use case (we just never 
give the user direct control over the attribute keys, they would instead 
go through a facade).

>
>> 2. Per-application, per-user information storage.  In this case the
>> application might be storing non-role access or authorization
>> information (e.g. how many of resource XYZ am I allotted?), or non-user
>> controlled configuration.

This one is a little trickier.  The model currently only supports 
storing User attributes within the realm, and they are 
Tier(Application)-independent.  I can't currently think of a way to 
easily support per-tier attributes that isn't going to be extremely 
messy, although leave it with me for a while and I'll see if I can come 
up with something.

>>
>> On 11/20/2012 04:41 PM, Shane Bryzak wrote:
>>> I've updated the IdentityManager API based on the latest design, could
>>> everyone please take a couple of minutes to review and let me know if
>>> you spot any issues.  We'll probably do a time-boxed release (Anil,
>>> could you please confirm?) shortly so that projects consuming PLIDM can
>>> start building against the API.
>>>
>>> Thanks,
>>> Shane
>>>
>>>
>>> import java.io.Serializable;
>>> import java.util.Date;
>>>
>>> public interface IdentityManager {
>>>         void bootstrap(IdentityConfiguration configuration, IdentityStoreInvocationContextFactory contextFactory);
>>>
>>>         void setIdentityStoreFactory(IdentityStoreFactory factory);
>>>
>>>         // User
>>>
>>>         void createUser(User user);
>>>
>>>         void removeUser(User user);
>>>
>>>         void updateUser(User user);
>>>
>>>         User getUser(String name);
>>>
>>>         // Group
>>>
>>>         void createGroup(Group group);
>>>
>>>         void removeGroup(Group group);
>>>
>>>         Group getGroup(String groupId);
>>>
>>>         Group getGroup(String groupName, Group parent);
>>>
>>>         boolean isMember(IdentityType identityType, Group group);
>>>
>>>         void addToGroup(IdentityType identityType, Group group);
>>>
>>>         void removeFromGroup(IdentityType identityType, Group group);
>>>
>>>         // Roles
>>>
>>>         void createRole(Role role);
>>>
>>>         void removeRole(Role role);
>>>
>>>         Role getRole(String name);
>>>
>>>         boolean hasRole(IdentityType identityType, Role role, Group group);
>>>
>>>         void grantRole(IdentityType identityType, Role role, Group group);
>>>
>>>         void revokeRole(IdentityType identityType, Role role, Group group);
>>>
>>>         boolean hasApplicationRole(IdentityType identityType, Role role);
>>>
>>>         void grantApplicationRole(IdentityType identityType, Role role);
>>>
>>>         void revokeApplicationRole(IdentityType identityType, Role role);
>>>
>>>         // Query API
>>>
>>>         <T extends IdentityType> IdentityQuery<T> createQuery();
>>>
>>>         // Credential management
>>>
>>>         boolean validateCredential(User user, Credential credential);
>>>
>>>         void updateCredential(User user, Credential credential);
>>>
>>>         // User / Role / Group enablement / expiry
>>>
>>>         void setEnabled(IdentityType identityType, boolean enabled);
>>>
>>>         void setExpirationDate(IdentityType identityType, Date expirationDate);
>>>
>>>         IdentityType lookupIdentityByKey(String key);
>>>
>>>         // Attributes
>>>
>>>         void setAttribute(IdentityType identityType, Attribute<? extends Serializable> attribute);
>>>
>>>         <T extends Serializable> Attribute<T> getAttribute(IdentityType identityType, String attributeName);
>>>
>>>         void removeAttribute(IdentityType identityType, String attributeName);
>>>
>>>         // Realm
>>>
>>>         void createRealm(Realm realm);
>>>
>>>         void removeRealm(Realm realm);
>>>
>>>         Realm getRealm(String name);
>>>
>>>         // Tier
>>>
>>>         void createTier(Tier tier);
>>>
>>>         void removeTier(Tier tier);
>>>
>>>         Tier getTier(String id);
>>>
>>>         // Context
>>>
>>>         IdentityManager forRealm(Realm realm);
>>>
>>>         IdentityManager forTier(Tier tier);
>>> }
>>>
>>> _______________________________________________
>>> security-dev mailing list
>>> security-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/security-dev
>>>
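One way to build the preference facade Shane describes, where user-chosen preference names never become raw attribute keys, as an added Java example that is not part of this thread or of PicketLink IDM. The Attribute and AttributeStore stand-ins are assumptions that mirror the attribute methods of the IdentityManager interface quoted above (keyed on a user name rather than an IdentityType to keep them small).

```java
import java.io.Serializable;
import java.util.*;

// Facade: callers never choose raw attribute keys. A preference name must be on an
// application-declared allowlist and is stored under a fixed namespace, so
// user-controlled data cannot collide with attributes the application owns
// (e.g. quota or authorization data kept under other keys).
final class UserPreferences {
    private static final String NAMESPACE = "pref.";
    private final AttributeStore store;
    private final Set<String> declared;   // allowlist of preference names
    UserPreferences(AttributeStore store, Set<String> declared) {
        this.store = store; this.declared = declared;
    }
    private String key(String pref) {
        if (!declared.contains(pref))
            throw new IllegalArgumentException("undeclared preference: " + pref);
        return NAMESPACE + pref;          // the only place a key is formed
    }
    void set(String user, String pref, String value) {
        store.setAttribute(user, new Attribute<>(key(pref), value));
    }
    String get(String user, String pref) {
        Attribute<? extends Serializable> a = store.getAttribute(user, key(pref));
        return a == null ? null : String.valueOf(a.value);
    }
    public static void main(String[] args) {
        Map<String, Attribute<? extends Serializable>> mem = new HashMap<>();
        AttributeStore store = new AttributeStore() {   // in-memory stand-in (assumption)
            public void setAttribute(String u, Attribute<? extends Serializable> a) { mem.put(u + "/" + a.name, a); }
            public Attribute<? extends Serializable> getAttribute(String u, String n) { return mem.get(u + "/" + n); }
        };
        UserPreferences prefs = new UserPreferences(store, Set.of("theme", "locale"));
        prefs.set("alice", "theme", "dark");                  // constructed sample user and value
        System.out.println(prefs.get("alice", "theme"));
        try { prefs.set("alice", "quota.XYZ", "999"); }        // not a declared preference: rejected
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}

// Stand-in for the page's Attribute type (assumed shape: name plus value).
final class Attribute<T extends Serializable> {
    final String name; final T value;
    Attribute(String name, T value) { this.name = name; this.value = value; }
}

// The attribute methods of the IdentityManager interface above, keyed on user name.
interface AttributeStore {
    void setAttribute(String user, Attribute<? extends Serializable> attr);
    Attribute<? extends Serializable> getAttribute(String user, String name);
}
```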