[security-dev] PicketLink IDM Relationships and SASL Authorizations
Darran Lofthouse
darran.lofthouse at jboss.com
Fri Jun 21 13:29:18 EDT 2013
Thank you for the test Pedro,
I have been able to see how to perform the single queries, but the part I
am still thinking about is how we deal with the issue that each of the
two agents could be a member of many groups.
Cross-checking this could involve many queries.
In a similar way, how are the agent-to-group-to-role queries handled? If
a user is a member of a group and the group is associated with a role
does the user have that role or does the relationship need to be
manually queried?
Regards,
Darran Lofthouse.
On 20/06/13 20:15, Pedro Igor Silva wrote:
> Hi Darran,
>
> I wrote a simple test case to try to satisfy your objectives.
>
> https://gist.github.com/pedroigor/5825698
>
> We can also use custom attributes if you need some kind of metadata for each relationship instance.
>
> ----- Original Message -----
> From: "Darran Lofthouse" <darran.lofthouse at jboss.com>
> To: security-dev at lists.jboss.org
> Sent: Thursday, June 20, 2013 12:27:08 PM
> Subject: [security-dev] PicketLink IDM Relationships and SASL Authorizations
>
> Within SASL there is a capability where during the authentication phase
> the agent being authenticated can request that subsequently they want
> the authorization privileges of another agent.
>
> Loading the identity of the agent being requested is fine, but at the
> moment I am looking within PicketLink IDM at how this one agent being
> able to run as another agent can be modeled.
>
> I can see using a custom relationship how it should be fairly easy to
> model a 1:1 mapping of users that can 'impersonate' each other, but I have
> a few additional scenarios that could also be needed so wanted to look
> for ideas on how to support all of these simultaneously.
>
> - A single agent can impersonate a single agent.
> - A single agent can impersonate any user that is a member of a
> specified group.
> - A member of a specific group can impersonate a single agent.
> - A member of one group can impersonate an agent of another (or same)
> group.
>
> As mentioned in IRC over the last couple of days having some form of
> permissions check API in the IDM for the non AS processes feels like it
> would fit this really well - however at the moment I can perform this
> check outside of any permissions API so just looking for ideas how it
> could be achieved.
>
> Regards,
> Darran Lofthouse.
>
>
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev
>
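The following is an added illustration of the modelling question in this thread, not code from PicketLink or from either poster. It uses a small in-memory stand-in for an IDM store (the class and method names are hypothetical) and models all four impersonation scenarios from the original mail as one relationship type whose two ends may each be an agent or a group. The "member of many groups" cross-check is then done by computing the group closure of each side once and making a single pass over the relationships, rather than one query per group pair. Two points the thread leaves open are taken as assumptions here: groups may be nested, and a role granted to a group is inherited by its members. The sample agents, groups and roles are constructed for the example.

```python
# Added illustration (not PicketLink code): a toy identity store that models the
# four impersonation scenarios from the thread as a single relationship type and
# resolves "can authc run as authz" with one pass over the relationships.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Union


@dataclass(frozen=True)
class Agent:
    name: str


@dataclass(frozen=True)
class Group:
    name: str


@dataclass(frozen=True)
class Role:
    name: str


Principal = Union[Agent, Group]


@dataclass(frozen=True)
class Impersonation:
    """A 'may run as' edge. Either end may be an Agent or a Group, so
    agent->agent, agent->group, group->agent and group->group are all
    instances of one relationship type (an assumption of this model)."""
    source: Principal
    target: Principal


class IdentityStore:
    """Hypothetical in-memory stand-in for an IDM store; not a PicketLink API."""

    def __init__(self) -> None:
        self.memberships: Dict[Agent, Set[Group]] = {}
        self.parents: Dict[Group, Set[Group]] = {}  # nested groups (assumed)
        self.impersonations: Set[Impersonation] = set()
        self.role_grants: Dict[Principal, Set[Role]] = {}

    def add_member(self, agent: Agent, group: Group) -> None:
        self.memberships.setdefault(agent, set()).add(group)

    def add_subgroup(self, child: Group, parent: Group) -> None:
        self.parents.setdefault(child, set()).add(parent)

    def add_impersonation(self, source: Principal, target: Principal) -> None:
        self.impersonations.add(Impersonation(source, target))

    def grant_role(self, principal: Principal, role: Role) -> None:
        self.role_grants.setdefault(principal, set()).add(role)

    def principals_of(self, agent: Agent) -> FrozenSet[Principal]:
        """The agent plus every group it belongs to, transitively. One closure
        per side of the check turns the many-groups cross-check into set
        lookups instead of one query per (group, group) pair."""
        seen: Set[Principal] = {agent}
        stack: List[Group] = list(self.memberships.get(agent, ()))
        while stack:
            group = stack.pop()
            if group in seen:
                continue
            seen.add(group)
            stack.extend(self.parents.get(group, ()))
        return frozenset(seen)

    def matching_impersonations(self, authc: Agent, authz: Agent) -> List[Impersonation]:
        """Every relationship that lets authc run as authz (handy for audit logs)."""
        sources = self.principals_of(authc)
        targets = self.principals_of(authz)
        return sorted(
            (r for r in self.impersonations if r.source in sources and r.target in targets),
            key=lambda r: (r.source.name, r.target.name),
        )

    def can_impersonate(self, authc: Agent, authz: Agent) -> bool:
        """authc is the authenticated agent, authz the requested authorization
        identity. Acting as yourself is always allowed (the SASL case of an
        empty or identical authzid); anything else needs a matching edge."""
        if authc == authz:
            return True
        return bool(self.matching_impersonations(authc, authz))

    def effective_roles(self, agent: Agent) -> FrozenSet[Role]:
        """Roles granted directly or through any (transitive) group membership.
        Inheriting group roles is an assumption; the thread leaves it open."""
        roles: Set[Role] = set()
        for principal in self.principals_of(agent):
            roles |= self.role_grants.get(principal, set())
        return frozenset(roles)


def build_example_store() -> IdentityStore:
    """Constructed sample data covering the four scenarios from the mail."""
    store = IdentityStore()
    alice, bob, carol, erin, frank, grace = (
        Agent(n) for n in ("alice", "bob", "carol", "erin", "frank", "grace"))
    svc_backup = Agent("svc-backup")
    admins, support, ops, oncall = (Group(n) for n in ("admins", "support", "ops", "oncall"))
    store.add_member(alice, admins)
    store.add_member(bob, support)
    store.add_member(frank, support)
    store.add_member(erin, ops)
    store.add_member(grace, oncall)
    store.add_subgroup(oncall, ops)              # oncall members are also ops (assumed nesting)
    store.add_impersonation(alice, bob)          # 1. single agent -> single agent
    store.add_impersonation(carol, support)      # 2. single agent -> any member of a group
    store.add_impersonation(admins, svc_backup)  # 3. member of a group -> single agent
    store.add_impersonation(ops, support)        # 4. member of one group -> member of another
    store.grant_role(admins, Role("audit"))      # reaches alice through admins
    store.grant_role(svc_backup, Role("backup"))
    return store


if __name__ == "__main__":
    s = build_example_store()
    for who, target in (("carol", "frank"), ("grace", "bob"), ("bob", "erin")):
        print(who, "->", target, s.can_impersonate(Agent(who), Agent(target)))
```

Because the check is directional (source closure against target closure), `bob` being impersonable by `ops` members says nothing about `bob` impersonating them, and the `matching_impersonations` list gives the concrete relationship to record when the authorization identity is granted.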