[security-dev] Group clarification

Marek Posolda mposolda at redhat.com
Thu Feb 7 07:02:18 EST 2013


Hello,

One of the current requirements in GateIn is the possibility of having groups 
with the same name but different parents. For example, I can have the 
groups "/qa/management" and "/dev/management".

In other words, I have two groups called "management", but they are in 
different parts of the group tree, because the first one has the parent group "qa" 
and the second has the parent group "dev". Currently PicketLink IDM 3 doesn't 
support this (it always throws an exception when it recognizes that a group with 
the same name already exists). I am also seeing that the concept of a GroupID 
(the path to the group from the root group, something like "/qa/management") and 
the group key have been removed as well, even though they were supported in IDM 3.x 
a couple of weeks ago.

Also, for the read use case, there are two methods in IdentityManager to find 
groups:

     Group getGroup(String groupId);

     Group getGroup(String groupName, Group parent);

I think the first one has been designed to find a group with the groupId as 
its argument, so usage could look like:

Group qaManagersGroup = identityManager.getGroup("/qa/management");

The second one has been designed to be used with plain group names, like:

Group qaGroup = identityManager.getGroup("qa", null);
Group qaManagersGroup = identityManager.getGroup("management", qaGroup);


The problem is that we are currently always using the first one with a groupName 
as the argument (not a groupId), so it obviously can't work correctly if we 
have two groups with the same name "management", because it's unclear which 
one should be the result of the lookup... :-\


Any ideas to address this? My current proposal is:

- Bring back the concept of groupId, which would be the path, like 
"/qa/management". So usage could look like:
Group qaGroup = new SimpleGroup("qa");
Group qaManagementGroup = new SimpleGroup("management", qaGroup);
assertEquals("management", qaManagementGroup.getName());
// getId() is the assumed name of the proposed groupId (path) accessor
assertEquals("/qa/management", qaManagementGroup.getId());

- Either
-- fix all existing usages of identityManager.getGroup(String groupId), 
so that it really expects a groupId as the argument (not a groupName);

-- or introduce a new method on IdentityManager (and IdentityStore), like:

Group getGroupByGroupId(String groupId);

It's possible that some IdentityStore implementations don't support 
groups with the same name (for example, the current LDAPIdentityStore can't 
support it because there is only one DN for accessing all groups, but we 
discussed with Pedro that this is planned to be addressed later).

Any thoughts?
Marek
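Editor's added illustration (not Marek's code and not PicketLink's): a small in-memory group tree showing why a bare-name lookup becomes ambiguous once "/qa/management" and "/dev/management" both exist, and how the path-style groupId from the proposal above, plus the (name, parent) lookup, each resolve to exactly one group. The class names, the getId() accessor and the rejection of non-path ids are assumptions for this example; the point for authorization code is that a lookup which can return either "management" group is a correctness bug, not just an inconvenience.

```java
import java.util.*;

// Added illustration (not PicketLink code): group tree keyed by path-style groupId.
public class GroupPathDemo {
    static final class Group {
        final String name; final Group parent;
        Group(String name, Group parent) { this.name = name; this.parent = parent; }
        // groupId as proposed in the mail: the path from the root, e.g. "/qa/management"
        String getId() { return parent == null ? "/" + name : parent.getId() + "/" + name; }
    }

    private final Map<String, Group> byId = new HashMap<>();
    private final Map<String, List<Group>> byName = new HashMap<>();

    // Only the full path must be unique; the same name may appear under different parents.
    Group add(String name, Group parent) {
        Group g = new Group(name, parent);
        if (byId.putIfAbsent(g.getId(), g) != null)
            throw new IllegalArgumentException("group already exists: " + g.getId());
        byName.computeIfAbsent(name, k -> new ArrayList<>()).add(g);
        return g;
    }

    // getGroup(String groupId): resolves by full path and refuses a bare name,
    // so callers cannot accidentally pass "management" and get an arbitrary match.
    Group getGroup(String groupId) {
        if (!groupId.startsWith("/"))
            throw new IllegalArgumentException("groupId must be a path, got: " + groupId);
        return byId.get(groupId);
    }

    // getGroup(String groupName, Group parent): a name is unique only within one parent.
    Group getGroup(String groupName, Group parent) {
        for (Group g : byName.getOrDefault(groupName, List.of()))
            if (g.parent == parent) return g;
        return null;
    }

    // How many groups share a bare name; anything above 1 means name-only lookup is ambiguous.
    int countByName(String groupName) { return byName.getOrDefault(groupName, List.of()).size(); }

    public static void main(String[] args) {
        GroupPathDemo idm = new GroupPathDemo();
        Group qa = idm.add("qa", null), dev = idm.add("dev", null);
        Group qaMgmt = idm.add("management", qa), devMgmt = idm.add("management", dev);
        System.out.println("groupId of qa management: " + qaMgmt.getId());
        System.out.println("groups named 'management': " + idm.countByName("management"));
        System.out.println("path lookup unique: " + (idm.getGroup("/dev/management") == devMgmt));
        System.out.println("(name, parent) lookup unique: " + (idm.getGroup("management", qa) == qaMgmt));
    }
}
```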

