[security-dev] Meaningful relationships

Shane Bryzak sbryzak at redhat.com
Tue Oct 16 15:44:25 EDT 2012


On 17/10/12 05:18, Shane Bryzak wrote:
> On 17/10/12 03:43, Boleslaw Dawidowicz wrote:
>> I like this. One of biggest mistakes I made in the original model was 
>> to define separate notion of user-group relationship.  Design where 
>> direct relationship is just another type of role (either 'member' or 
>> null) is much more elegant.
>>
>> The only concern is to keep Group tree and LDAP use case in mind.
>>
>> https://github.com/picketlink/picketlink/blob/master/idm/api/src/main/java/org/picketlink/idm/model/Group.java
>>
>> Path id is in place to ensure name uniqueness in the tree. You can 
>> have a/b/a/b/a - which result in 3 groups with name "a" and 2 groups 
>> with name "b". Then question is if this path should be resolved on 
>> the fly from IdentityMembership (huge performance cost and 
>> implementation nightmare) or stored as an id in IdentityObject table 
>> during object creation. Second option is better however name also 
>> persists relationships between groups from the start. I have chosen 
>> first approach in PLIDM 1.x and this was my second biggest regret - 
>> mostly because of performance cost.
>
> The LDAP use case is a good point - I'll need to think about it some 
> more, but I think we can make the path validation an implementation 
> detail.  I agree we should go with the second option for the LDAP 
> implementation (because of it's strict tree structure), however I'm 
> thinking for JPA (in which we don't have the same restrictions) we 
> should possibly allow a Group to be a member of more than one parent 
> group.  It's conceivable that there's use cases that require this, 
> however I'm not totally sold on the idea and would like to hear some 
> feedback.

Actually after thinking about this I believe it would be problematic.  
So unless someone has strong objections, I propose we make it a 
restriction across the board that a Group may only have one parent 
group.  In fact, I'm toying with the idea of actually hard-coding the 
parent group as part of the IdentityObject schema, rather than model it 
through the IdentityMembership table.

>
>>
>> Bolek.
>>
>> On Oct 15, 2012, at 10:27 AM, Shane Bryzak <sbryzak at redhat.com 
>> <mailto:sbryzak at redhat.com>> wrote:
>>
>>> I should clarify something.  It is entirely possible for a user to 
>>> have a role in a group without being a member of that group.  One of 
>>> the good use cases that someone from the team informed me about 
>>> previously is an administrator for a group of doctors.  The 
>>> membership scenario would look like this:
>>>
>>> IdentityMembership
>>> -------------------------
>>> MEMBER = Bill (User)
>>> GROUP = Doctors
>>> ROLE = Admin
>>>
>>> In this case, Bill (the user) would not be a member of the Doctors 
>>> group himself, he would simply be an administrator for the group.  
>>> If he were to be a member of the group (as well as an Administrator) 
>>> then that would require the following additional record:
>>>
>>> IdentityMembership
>>> -------------------------
>>> MEMBER = Bill (User)
>>> GROUP = Doctors
>>> ROLE = null
>>>
>>> So, in a nutshell - if a Role is specified, it means the member has 
>>> that role for the specified group, however the member is not an 
>>> actual member of the group themselves.  Hope that makes sense!
>>>
>>>
>>> On 15/10/12 18:19, Shane Bryzak wrote:
>>>> No, not that kind.  I'm currently reviewing the database schema for 
>>>> the identity management module - in the previous version of 
>>>> PicketLink we had quite a good design [1] that was a little 
>>>> abstract, but met all the requirements well. Here's a summary of 
>>>> the key tables:
>>>>
>>>> IdentityObject - this table would contain both User and Group records
>>>> IdentityObjectRelationship - models the relationship between User 
>>>> and Group, i.e. Group memberships
>>>> IdentityObjectRelationshipName - this table is a special one that 
>>>> contained the names for "named relationships".  A named 
>>>> relationship can effectively be thought of as a Role, (and was also 
>>>> modelled in the IdentityObjectRelationship table) for example 
>>>> "John" (User) is a "Manager" (Role, the "named" bit of the 
>>>> relationship) in "Head Office" (Group) - see [2] for more details.
>>>>
>>>> With the introduction of application roles we need to jig this 
>>>> design a little bit.  I was thinking of keeping IdentityObject 
>>>> essentially the same, with the exception that it would also be used 
>>>> to contain Roles, as well as Users and Groups. Instead of the 
>>>> IdentityObjectRelationship table though, I propose we go with the 
>>>> following slightly less abstract design:
>>>>
>>>> IdentityMembership
>>>> -------------------------
>>>> MEMBER
>>>> GROUP
>>>> ROLE
>>>>
>>>> This basically allows us to make any IdentityType (User, Group or 
>>>> Role) a member of a Group or Role, or both.  Here's a few scenarios:
>>>>
>>>> 1. John is a part of the accounting group.
>>>>
>>>> IdentityMembership
>>>> -------------------------
>>>> MEMBER = John (User)
>>>> GROUP = accounting
>>>> ROLE = null
>>>>
>>>> 2. The Manager group is a subgroup of the Employee group.
>>>>
>>>> IdentityMembership
>>>> -------------------------
>>>> MEMBER = Manager (Group)
>>>> GROUP = Employee
>>>> ROLE = null
>>>>
>>>> 3. Kevin is an administrator for the Manager group
>>>>
>>>> IdentityMembership
>>>> -------------------------
>>>> MEMBER = Kevin (User)
>>>> GROUP = Manager
>>>> ROLE = Admin
>>>>
>>>> 4. Kelly is a superuser (which is an application role)
>>>>
>>>> IdentityMembership
>>>> -------------------------
>>>> MEMBER = Kelly (User)
>>>> GROUP = null
>>>> ROLE = Superuser
>>>>
>>>> With the above examples in mind, this now leads into the 
>>>> "meaningful relationships" theme - can anyone think of any other 
>>>> meaningful security relationships that cannot be modelled with this 
>>>> design?  I'm not really looking to make the design "future proof" 
>>>> as such, but I would like to ensure we cover all currently known 
>>>> scenarios / use cases.  Comments and feedback welcome of course.
>>>>
>>>>
>>>> [1] 
>>>> http://anonsvn.jboss.org/repos/picketlink/idm/downloads/docs/1.0.0.GA/ReferenceGuide/en-US/html_single/index.html#spi_model
>>>> [2] 
>>>> http://anonsvn.jboss.org/repos/picketlink/idm/downloads/docs/1.0.0.GA/ReferenceGuide/en-US/html_single/index.html#d0e342 
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> security-dev mailing list
>>>> security-dev at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/security-dev
>>>
>>>
>>> _______________________________________________
>>> security-dev mailing list
>>> security-dev at lists.jboss.org <mailto:security-dev at lists.jboss.org>
>>> https://lists.jboss.org/mailman/listinfo/security-dev
>>
>
>
>
>
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/security-dev/attachments/20121017/481835da/attachment.html 


More information about the security-dev mailing list