We started with an initial f2f discussion about $subject. Below is the summary.
Problem
-------
We maintain a configuration in app-manager.xml to create the service client for the XACML admin service, and we use that admin service to persist the XACML policies and to evaluate them. Assume that the credentials we currently have in the config are the admin credentials of the super tenant. As a result, the policies get persisted in the super tenant.

Impact
------
1) In the Carbon console of the super-tenant admin (or whoever the user in the above configuration is), he can see the XACML policies of other tenants too. (But in the App Manager UI (admin dashboard) visibility is not an issue, since we manage another mapping on the App Manager side.)
2) When a relevant tenant XACML policy is evaluated, the claim retriever can't fetch the user roles of the tenant user, since it fetches the roles from the current tenant (in this example, the super tenant).

Solutions
---------
Solution 1 - Writing a custom retriever to fetch the roles from all tenants (addresses impact 1)
------------------------------------------------------------------------------------------------
Dulanja suggested this solution, but both Dulanja and RuwanY mentioned that the lack of tenant-level isolation is an issue.

Solution 2 - Having a config for the XACML client user credentials for each tenant (addresses impacts 1 and 2)
-------------------------------------------------------------------------------------------------------------
We can add another UI to the App Manager admin dashboard to add these configs and achieve tenant-level isolation. LahiruC mentioned that if we can use a tenant creation hook to get this information, then we can get rid of the UI part. But then we have to think about the security concerns of maintaining these credentials.

Thoughts are welcome.

--
*Rushmin Fernando*
*Technical Lead*
WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware
email : [email protected]
mobile : +94772310855
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
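The following is an added simulation (not WSO2 code, and not part of the mailing-list thread) of the two impacts described above: a single XACML admin client built from super-tenant credentials persists every tenant's policy in the super tenant and resolves role claims there, so a tenant user is denied; a client created per tenant keeps the policy and the role lookup in that tenant. Tenant domains, user names and the `XacmlAdminClient` class are constructed for the illustration.

```python
"""Simulation of the tenant-isolation problem for a shared XACML admin client."""
from dataclasses import dataclass

# Constructed sample data: tenant domain -> username -> roles.
USER_STORES = {
    "carbon.super": {"admin": {"admin"}},
    "acme.com": {"alice": {"publisher"}},
}


@dataclass
class XacmlAdminClient:
    """Hypothetical client created from one tenant's credentials; every call runs in that tenant."""
    tenant: str
    store: dict  # shared policy store: tenant -> {policy_id: required_role}

    def persist(self, policy_id: str, required_role: str) -> None:
        # Policies land in the tenant the client was authenticated as.
        self.store.setdefault(self.tenant, {})[policy_id] = required_role

    def evaluate(self, policy_id: str, user: str) -> str:
        policies = self.store.get(self.tenant, {})
        if policy_id not in policies:
            return "NotApplicable"
        # The claim retriever fetches roles from the client's (current) tenant only.
        roles = USER_STORES.get(self.tenant, {}).get(user, set())
        return "Permit" if policies[policy_id] in roles else "Deny"


def with_shared_super_client() -> tuple:
    """Current config: one client with super-tenant admin credentials for all tenants."""
    store: dict = {}
    client = XacmlAdminClient("carbon.super", store)
    client.persist("acme-app-policy", "publisher")  # policy belonging to tenant acme.com
    # Impact 1: policy is visible under carbon.super; impact 2: alice's roles are not found there.
    return sorted(store), client.evaluate("acme-app-policy", "alice")


def with_per_tenant_clients() -> tuple:
    """Solution 2: a client per tenant, each created from that tenant's own credentials."""
    store: dict = {}
    clients = {t: XacmlAdminClient(t, store) for t in USER_STORES}
    clients["acme.com"].persist("acme-app-policy", "publisher")
    return sorted(store), clients["acme.com"].evaluate("acme-app-policy", "alice")


if __name__ == "__main__":
    print(with_shared_super_client())  # (['carbon.super'], 'Deny')
    print(with_per_tenant_clients())   # (['acme.com'], 'Permit')
```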
