[security-dev] how to model services managed by a realm

Pedro Igor Silva psilva at redhat.com
Tue Jun 11 10:00:52 EDT 2013 

----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Pedro Igor Silva" <psilva at redhat.com>
> Cc: security-dev at lists.jboss.org
> Sent: Monday, June 10, 2013 10:45:00 PM
> Subject: Re: [security-dev] how to model services managed by a realm
> 
> 
> 
> On 6/10/2013 8:54 PM, Pedro Igor Silva wrote:
> > Hi Bill,
> >
> >      First of all, custom IdentityType implementations are targeted for
> >      Beta5 and is related with PLINK-130.
> >
> 
> I see custom relationship tests.

Custom relationships are supported, but IdentityTypes not yet.

> 
> >      That said and considering what we have today, I would consider mapping
> >      applications as realms. If I understood your use case correctly, each
> >      application has its own users, roles, groups and relationships
> >      between them, not visible or accessible by others.
> >
> 
> I don't think you understood.  Each application does not have its own
> set of users, but does have its own set of roles.  So the Realm manages
> a set of users who have access to a set of applications, each of which
> has their own set of roles.  Think of a set of distributed applications
> in a company.  You don't want to require registering a user for each one
> of these applications, you just want to define one user, then map their
> permissions to each application.
> 

I see. I was thinking about each "application" having only a reference for a single user (same user maps to different accounts in twitter, google and fb, for example). But this is another scenario.

> >      A realm will allow you to organize identity data per application,
> >      where you can have the same user, role and group (with the same
> >      loginName or name) between different realms. Maybe this example
> >      application can be useful to demonstrate how to handle different
> >      realms in a multi-tennancy architecture (using realms, only).
> >
> >          https://github.com/pedroigor/jboss-as-quickstart/tree/master/picketlink-authentication-idm-multi-tennancy
> >
> >      Another way to organize identity data is using tiers. Tiers, different
> >      than realms, can be used to store only roles and groups. So, if you
> >      want to share users you can use a single realm to store them and use
> >      a specific tier for each application where its specific roles and
> >      groups are located.
> >
> 
> If you store your users in a realm, and each application's roles in a
> tier, how do you create a role mapping between a role in the tier and
> the user in the realm?

Please, take a look at:

    https://github.com/picketlink/picketlink/blob/master/modules/idm/tests/src/test/java/org/picketlink/test/idm/partition/TierManagementTestCase.java

> 
> Then another problem with your suggestion is, for a given Realm, how do
> I find out the associated Tiers?  I'm not seeing any examples or code
> that allows me to do this.
> 

I think we don't support this kind of query. But you can always get all users, groups or roles for a specific partition.

> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>

More information about the security-dev mailing list