[security-dev] how to model services managed by a realm
Bill Burke
bburke at redhat.com
Wed Jun 12 17:05:38 EDT 2013
On 6/11/2013 11:27 PM, Shane Bryzak wrote:
> Bill,
>
> I'm currently working on some changes that will allow you to create a
> custom Partition type, so you'll be able to do something like this:
>
> @IdentityPartition(supportedTypes = {Role.class, Group.class})
> public class Application implements Partition {
> private String id;
> private String name;
>
> // snip getters/setters
> }
>
Will what you're working on allow you to create partitions on the fly?
Right now, tiers and realms must be preknown and fixed for the lifetime
of the IdentityManagerFactory. I just finished some work to allow File
and JPA-based stores to be able to create and find partitions and was
about to submit a pull request.
> The supportedTypes member of the annotation allows you to define which
> identity types can be persisted in your particular partition implementation.
>
> I'll also be changing the Partition interface to extend AttributedType
> (which has getAttribute/setAttribute methods), so it will support
> setting arbitrary attribute values for partitions, as well as being able
> to declare formal attributes on the partition implementation itself.
>
> I'm a bit unclear about the use case for associating a Realm with Tiers
> - could you please elaborate on this?
>
There is a company-wide set of users. This is the Realm. A company has
a set of distributed applications, and each of these applications has its
own role set. I want to assign role mappings from the realm to each
one of these applications.
From a management perspective you'll want to be able to manage all
application user-role mappings from a specific Realm, or add/remove
roles from an application. To be able to do this, you need to know
which applications are managed by the Realm.
Also, I want to be able to create a token for an individual
authenticated user that contains role mappings for each application
within the realm.
All this needs to work in a SaaS model, where multiple realms can be
created and managed.
Pedro suggested that I model each Application as a Tier, but I'm having
doubts about this because LDAP doesn't currently support the notion of a
partition. Maybe I could federate this? Store username/credentials in
the company's LDAP store, but store application, roles, and role
mappings within a local store? Is this type of application data even
stored in LDAP in reality?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
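The model described in the message above (a realm of users, applications managed by that realm with their own role sets, user-to-application role mappings, a per-user token carrying those mappings, and credentials federated out to a separate store), as an added example that is not part of the original message and is not PicketLink code. Every name in it (Realm, Application, StubCredentialStore, issue_token, the token format) is an assumption chosen for illustration:

```python
# Added example sketching the realm / application / role-mapping model from the
# message above. It is NOT PicketLink code; all class and function names are
# assumptions chosen for illustration.
import base64
import hashlib
import hmac
import json


class Application:
    """An application managed by a realm; it owns its own role set."""

    def __init__(self, name, roles):
        self.name = name
        self.roles = set(roles)


class StubCredentialStore:
    """Stands in for the company's LDAP directory: it knows usernames and
    credentials only, nothing about applications or roles (constructed data).
    The hashing here is a stub; a real directory does the credential check."""

    def __init__(self, users):
        self._hashes = {u: hashlib.sha256(p.encode()).hexdigest() for u, p in users.items()}

    def has_user(self, user):
        return user in self._hashes

    def check(self, user, password):
        expected = self._hashes.get(user)
        given = hashlib.sha256(password.encode()).hexdigest()
        return expected is not None and hmac.compare_digest(expected, given)


class Realm:
    """A company-wide set of users plus the applications it manages.
    Users/credentials live in the credential store; applications, roles and
    role mappings live here (the federated split discussed in the message)."""

    def __init__(self, name, credential_store):
        self.name = name
        self.credential_store = credential_store
        self.applications = {}   # app name -> Application
        self.mappings = {}       # (user, app name) -> set of role names

    def add_application(self, name, roles):
        if name in self.applications:
            raise ValueError(f"application {name!r} already managed by realm {self.name!r}")
        self.applications[name] = Application(name, roles)

    def grant(self, user, app, role):
        """Map a realm user to one of an application's roles. Unknown users,
        applications not managed by this realm and roles the application does
        not define are rejected, so a mapping never points outside the realm."""
        if not self.credential_store.has_user(user):
            raise KeyError(f"no such user in realm {self.name!r}: {user!r}")
        application = self.applications.get(app)
        if application is None:
            raise KeyError(f"application {app!r} is not managed by realm {self.name!r}")
        if role not in application.roles:
            raise ValueError(f"application {app!r} has no role {role!r}")
        self.mappings.setdefault((user, app), set()).add(role)

    def revoke(self, user, app, role):
        roles = self.mappings.get((user, app), set())
        roles.discard(role)
        if not roles:
            self.mappings.pop((user, app), None)

    def remove_application_role(self, app, role):
        """Drop a role from an application and from every mapping that used it."""
        self.applications[app].roles.discard(role)
        for user, mapped_app in list(self.mappings):
            if mapped_app == app:
                self.revoke(user, app, role)

    def roles_for(self, user):
        """Per-application role mappings for one user: {app: [role, ...]}."""
        return {app: sorted(roles) for (u, app), roles in self.mappings.items() if u == user}


def issue_token(realm, user, password, key):
    """Authenticate against the realm's credential store, then return a signed
    token carrying the user's role mappings for every application in the realm.
    Returns None when authentication fails. The format (base64 JSON + HMAC) is
    an illustrative choice, not anything PicketLink produces."""
    if not realm.credential_store.check(user, password):
        return None
    claims = {"realm": realm.name, "sub": user, "roles": realm.roles_for(user)}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token, key):
    """Return the token's claims if its signature checks out, else None."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))
```

Each Realm instance is independent, so the SaaS case is just several Realm objects, each with its own credential store and application set; the realm itself is the only place that knows which applications it manages, which is what makes "list all role mappings for this realm" and "remove a role from an application" answerable.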