[security-dev] PicketLink IDM Relationships and SASL Authorizations
Pedro Igor Silva
psilva at redhat.com
Fri Jun 21 15:55:14 EDT 2013
----- Original Message -----
> From: "Darran Lofthouse" <darran.lofthouse at jboss.com>
> To: "Pedro Igor Silva" <psilva at redhat.com>
> Cc: security-dev at lists.jboss.org
> Sent: Friday, June 21, 2013 2:29:18 PM
> Subject: Re: [security-dev] PicketLink IDM Relationships and SASL Authorizations
>
> Thank you for the test Pedro,
>
> I have been able to see how to perform the single queries but the part I
> am still thinking about is how we deal with the issue that each of the
> two agents could be a member of many groups.
>
> To cross check this could involve many queries.
>
Yeah, I agree. But usually the IDM data will be cached and this can help.
> In a similar way how are the agent to group to role queries handled? If
> a user is a member of a group and the group is associated with a role
> does the user have that role or does the relationship need to be
> manually queried?
>
Something like this?
https://github.com/picketlink/picketlink/blob/master/modules/idm/tests/src/test/java/org/picketlink/test/idm/relationship/AgentGroupRoleRelationshipTestCase.java#L106
In this test we have the following scenario:
Administrators -> System Administrators
Administrators -> Database Administrators
Agent is the "Manager" of Administrators. So he is also manager of System and Database Administrators groups.
> Regards,
> Darran Lofthouse.
>
>
> On 20/06/13 20:15, Pedro Igor Silva wrote:
> > Hi Darran,
> >
> > I wrote a simple test case to try to satisfy your objectives.
> >
> > https://gist.github.com/pedroigor/5825698
> >
> > We can also use custom attributes if you need some kind of metadata for
> > each relationship instance.
> >
> > ----- Original Message -----
> > From: "Darran Lofthouse" <darran.lofthouse at jboss.com>
> > To: security-dev at lists.jboss.org
> > Sent: Thursday, June 20, 2013 12:27:08 PM
> > Subject: [security-dev] PicketLink IDM Relationships and SASL
> > Authorizations
> >
> > Within SASL there is a capability where during the authentication phase
> > the agent being authenticated can request that subsequently they want
> > the authorization privileges of another agent.
> >
> > Loading the identity of the agent being requested is fine but at the
> > moment I am looking within PicketLink IDM at how this one agent being
> > able to run as another agent can be modeled.
> >
> > I can see using a custom relationship how it should be fairly easy to
> > model a 1:1 mapping of users that can 'impersonate' each other but I have
> > a few additional scenarios that could also be needed so wanted to look
> > for ideas on how to support all of these simultaneously.
> >
> > - A single agent can impersonate a single agent.
> > - A single agent can impersonate any user that is a member of a
> > specified group.
> > - A member of a specific group can impersonate a single agent.
> > - A member of one group can impersonate an agent of another (or same)
> > group.
> >
> > As mentioned in IRC over the last couple of days having some form of
> > permissions check API in the IDM for the non AS processes feels like it
> > would fit this really well - however at the moment I can perform this
> > check outside of any permissions API so just looking for ideas how it
> > could be achieved.
> >
> > Regards,
> > Darran Lofthouse.
> >
> >
> > _______________________________________________
> > security-dev mailing list
> > security-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/security-dev
> >
>
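As an added illustration, not PicketLink's API and not the test case or gist linked in the thread, here is a small Python model of the cross-check Darran describes: the four impersonation shapes (agent->agent, agent->group, group->agent, group->group) are held as relationships, and the parent-group propagation from Pedro's "Manager of Administrators" example is applied so that a relationship granted on a parent group covers members of its child groups. The agents, the Helpdesk group and the relationship set are constructed sample data; the propagation rule is an assumption stated in the comments.

```python
# Added example, not PicketLink code. Assumption: a relationship granted on a
# parent group also covers members of its child groups (Pedro's Manager example).

# Group hierarchy from the thread, child -> parent.
PARENT = {"System Administrators": "Administrators",
          "Database Administrators": "Administrators"}

# Constructed sample memberships: agent -> direct groups.
MEMBERS = {"alice": {"System Administrators"}, "bob": {"Database Administrators"},
           "carol": {"Helpdesk"}, "dave": set()}

# Impersonation relationships. Each side is ("agent", name) or ("group", name),
# giving the four shapes Darran lists.
RULES = [
    (("agent", "dave"), ("agent", "carol")),                    # agent -> agent
    (("agent", "dave"), ("group", "Database Administrators")),  # agent -> group
    (("group", "Helpdesk"), ("agent", "bob")),                  # group -> agent
    (("group", "Administrators"), ("group", "Administrators")), # group -> same group
]

def groups_of(agent):
    """Direct memberships plus every ancestor group, so a rule written against
    'Administrators' also covers members of its child groups."""
    found, todo = set(), list(MEMBERS.get(agent, ()))
    while todo:
        group = todo.pop()
        if group not in found:
            found.add(group)
            if group in PARENT:
                todo.append(PARENT[group])
    return found

def covers(side, agent, groups):
    """Does one side of a relationship apply to this agent?"""
    kind, name = side
    return agent == name if kind == "agent" else name in groups

def can_impersonate(actor, target):
    """May 'actor' (authenticated id) run with the privileges of 'target'
    (requested SASL authorization id)? Groups are resolved once per agent,
    then every relationship is cross-checked against both sides."""
    actor_groups, target_groups = groups_of(actor), groups_of(target)
    return any(covers(src, actor, actor_groups) and covers(dst, target, target_groups)
               for src, dst in RULES)
```

Resolving each agent's group closure once and then scanning the relationship set keeps the check to two membership lookups per decision, which is the part that benefits most from the IDM cache Pedro mentions.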