[security-dev] how to model services managed by a realm

Pedro Igor Silva psilva at redhat.com
Mon Jun 10 20:54:20 EDT 2013


Hi Bill,

    First of all, custom IdentityType implementations are targeted for Beta5 and are related to PLINK-130.

    That said and considering what we have today, I would consider mapping applications as realms. If I understood your use case correctly, each application has its own users, roles, groups and relationships between them, not visible or accessible by others.

    A realm will allow you to organize identity data per application, where you can have the same user, role and group (with the same loginName or name) in different realms. Maybe this example application can be useful to demonstrate how to handle different realms in a multi-tenancy architecture (using realms only).

        https://github.com/pedroigor/jboss-as-quickstart/tree/master/picketlink-authentication-idm-multi-tennancy

    Another way to organize identity data is using tiers. Tiers, unlike realms, can be used to store only roles and groups. So, if you want to share users, you can use a single realm to store them and use a specific tier for each application where its specific roles and groups are located.

    The Query API is ready to give you what you want if you use both approaches:

        - What roles or groups an application has
        - What roles or groups a user is related to

    You can get which applications are supported by getting from the IdentityManagerFactory which realms or tiers are configured.

Regards,
Pedro Igor

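An in-memory sketch of the shared-realm-plus-tiers layout described above, added here as an illustration; it is not PicketLink code nor the quickstart's code, and the Partition/IdentityStore classes and the "billing"/"inventory" application names are constructed for the example:

```python
# Constructed in-memory model of the two partition kinds Pedro describes:
# a realm holds users, roles and groups; a tier holds only roles and groups.
# Names are unique only within a partition, so "admin" may exist in every tier.
class Partition:
    def __init__(self, kind, name):
        assert kind in ("realm", "tier")
        self.kind, self.name = kind, name
        self.identities = {}          # (type, name) -> identity dict
    def add(self, itype, name):
        # Tiers may hold only roles and groups, never users.
        if self.kind == "tier" and itype == "user":
            raise ValueError("tiers store only roles and groups")
        key = (itype, name)
        if key in self.identities:
            raise ValueError(f"{itype} {name!r} already exists in {self.name}")
        ident = {"type": itype, "name": name, "partition": self.name}
        self.identities[key] = ident
        return ident

class IdentityStore:
    def __init__(self):
        self.partitions = {}          # name -> Partition
        self.grants = []              # (user, role) relationships across partitions
    def partition(self, kind, name):
        return self.partitions.setdefault(name, Partition(kind, name))
    def grant(self, user, role):
        self.grants.append((user, role))
    def applications(self):
        # "Which applications are supported": the tiers that are configured.
        return sorted(p.name for p in self.partitions.values() if p.kind == "tier")
    def roles_of_application(self, app):
        return sorted(n for (t, n) in self.partitions[app].identities if t == "role")
    def roles_of_user(self, user):
        # (application, role) pairs the user is related to, across all tiers.
        return sorted((r["partition"], r["name"]) for u, r in self.grants if u is user)

def build_shared_realm_layout():
    # One realm shares the users; each application gets its own tier of roles.
    store = IdentityStore()
    bill = store.partition("realm", "default").add("user", "bill")
    for app in ("billing", "inventory"):
        tier = store.partition("tier", app)
        tier.add("role", "admin")     # same role name in every tier, no clash
        tier.add("role", "user")
    store.grant(bill, store.partitions["billing"].identities[("role", "admin")])
    store.grant(bill, store.partitions["inventory"].identities[("role", "user")])
    return store, bill
```
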
----- Original Message -----
From: "Bill Burke" <bburke at redhat.com>
To: security-dev at lists.jboss.org
Sent: Monday, June 10, 2013 8:49:26 PM
Subject: Re: [security-dev] how to model services managed by a realm

I guess an Application would be an Agent.  Application role names could 
either be scoped, i.e. "ApplicationName.RoleName" or I could generate a 
unique id for the Role.getName() and add a special "applicationRoleName" 
attribute.  Then create a custom relationship between the Application's 
Agent and each role.

Does that sound right?  Should I scope the name, or generate a unique id and 
add an attribute?

On 6/10/2013 6:28 PM, Bill Burke wrote:
> I'm trying to figure out how to do the following scenario with the
> IdentityManager API:
>
> * A realm with N users
> * A realm which manages X applications
> * Each application has Y roles
> * Users have role mappings for each of those roles
>
> I'll need to be able to query:
>
> * What are the applications in the realm
> * What roles does a service have
> * What are the role mappings for each service for a particular user
>
> It looks like a Role only has a name.  So, I can't have "admin" role for
> each of my services and different role mappings per service.  Would I
> have to model this as different "partitions"?  I see that you can create
> "partitions", but how do you create relationships between "partitions"
> or share users between partitions?
>
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com