[security-dev] Group clarification
Marek Posolda
mposolda at redhat.com
Thu Feb 7 07:02:18 EST 2013
Hello,
One of the current requirements in GateIn is possibility to have groups
with same name and with different parents. For example: I can have
groups "/qa/management" and "/dev/management"
In other words, I have two groups called "management" but both are in
different parts of group tree, because first one has parent group "qa"
and second has parent group "dev". Currently Picketlink IDM 3 doesn't
support it (it always throws exception when it recognize that group with
same name already exists). Also I am seeing that concept of GroupID
(path to group from root group - something like "/qa/management") and
group key has been removed as well even if it was supported in IDM 3.x
couple of weeks before.
Also for read usecase, there are two methods in IdentityManager to find
groups:
Group getGroup(String groupId);
Group getGroup(String groupName, Group parent);
I think that first one has been designed to find group with argument as
groupId, so usage could looks like:
Group qaManagersGroup = identityManager.getGroup("/qa/management");
Second one has been designed with usage of plain group names like:
Group qaGroup = identityManager.getGroup("qa", null);
Group qaManagersGroup = identityManager.getGroup("management", qaGroup);
Problem is that currently we are always using first one with groupName
as an argument (not groupId), so it obviously can't work correctly if we
have two groups with same name "management" because it's unclear which
one should be result of finding...:-\
Any ideas to address this? My current proposal is:
- Return concept of groupId, which will return the path like
"/qa/management". So usage could be like:
Group qaGroup = new SimpleGroup("qa");
Group qaManagementGroup = new SimpleGroup("management", qaGroup);
assertEquals("management", qaManagementGroup.getName());
assertEquals("/qa/management", qaManagement);
- Either
-- fix all existing usages of identityManager.getGroup(String groupId),
so it really expects groupId as argument (not groupName):
-- or introduce new method on IdentityManager (and IdentityStore) like:
Group getGroupByGroupId(String groupId);
It's possible that some identityStore implementations doesn't support
groups with same name (For example current LDAPIdentityStore can't
support it because there is only one DN for access all groups, but we
discussed with Pedro that this is planned to address later)
Any thoughts?
Marek
More information about the security-dev
mailing list