Rushmin, how about implementing a sharing model for XACML scripts (aka policies)?

For example, when we create filters in JIRA, we either keep them to ourselves or decide to share them with selected groups/users. Why not follow the same model? That feels more natural. We follow a similar approach for sharing APIs.

On Tue, May 19, 2015 at 11:00 AM, Rushmin Fernando <[email protected]> wrote:

> We started with an initial f2f discussion about $subject. Below is the summary.
>
> Problem
> ------------
>
> We maintain a configuration in the app-manager.xml to create the service client for the XACML admin service. And we use that admin service to persist the XACML policies and to evaluate the policies. Assume that the credentials we currently have in the config are the admin credentials of the super tenant. As a result the policies get persisted in the super tenant.
>
> Impact
> ---------
>
> 1) In the carbon console of the super-tenant admin (or whoever the user in the above configuration is), he can see the XACML policies of other tenants too. (But in the App Manager UI (admin dashboard) visibility is not an issue, since we manage another mapping on the App Manager side.)
>
> 2) When a relevant tenant XACML policy is evaluated, the claim retriever can't fetch the user roles of the tenant user, since it fetches the roles from the current tenant (in this example, the super tenant).
>
> Solutions
> -------------
>
> Solution 1 - Writing a custom retriever to fetch the roles from all tenants (addresses impact 1)
>
> -----------------------------------------------------------------------------
>
> Dulanja suggested this solution, but both Dulanja and RuwanY mentioned that the lack of tenant level isolation is an issue.
>
> Solution 2 - Having a config for the XACML client user credentials for each tenant (addresses impact 1 and 2)
>
> -----------------------------------------------------------------------------
>
> We can add another UI to the App Manager admin dashboard to add these configs, and achieve the tenant level isolation. LahiruC mentioned that if we can use a tenant creation hook to get this information then we can get rid of the UI part.
>
> But then we have to think about the security concerns of maintaining these credentials.
>
> Thoughts are welcome.
>
> --
> *Rushmin Fernando*
> *Technical Lead*
>
> WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware
>
> email : [email protected]
> mobile : +94772310855

--
/sumedha
m: +94 773017743
b : bit.ly/sumedha
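The thread above describes the problem in prose only; the following is an added illustration (not code from the thread, WSO2 App Manager or the Identity Server) that models it. The XacmlAdminClient class, the Tenant dataclass, the tenant names and the role data are all constructed for the example; the one real convention assumed is that a tenant user logs in as user@tenant.domain. It shows how a single shared super-tenant login from app-manager.xml persists every tenant's policy in the super tenant and makes the role lookup miss tenant users (impacts 1 and 2), and how resolving a per-tenant login (Solution 2) restores the isolation.

```python
from dataclasses import dataclass, field

SUPER_TENANT = "carbon.super"  # WSO2's super tenant domain


@dataclass
class Tenant:
    domain: str
    user_roles: dict                               # username -> set of role names
    policies: dict = field(default_factory=dict)   # policy id -> policy text


class XacmlAdminClient:
    """Stand-in for the entitlement admin service client (constructed, not the WSO2 API).
    Everything it does is scoped to the tenant that the login username belongs to."""

    def __init__(self, tenants, login):
        # Tenant-qualified logins look like user@tenant.domain; a bare name means the super tenant.
        domain = login.split("@", 1)[1] if "@" in login else SUPER_TENANT
        self.tenant = tenants[domain]

    def add_policy(self, policy_id, text):
        self.tenant.policies[policy_id] = text
        return self.tenant.domain   # the tenant the policy was actually persisted in

    def roles_of(self, username):
        # The claim retriever only sees users of the client's current tenant (impact 2).
        return self.tenant.user_roles.get(username, set())


def client_for(tenants, tenant_domain, creds_by_tenant):
    """Solution 2: use the tenant's own admin login if one is configured; otherwise fall
    back to the single shared login from app-manager.xml (today's behaviour)."""
    login = creds_by_tenant.get(tenant_domain, creds_by_tenant[SUPER_TENANT])
    return XacmlAdminClient(tenants, login)


def persist_and_evaluate(tenants, creds_by_tenant, tenant_domain, policy_id, policy, user):
    """Persist a tenant's policy and look up the roles the evaluation would see."""
    client = client_for(tenants, tenant_domain, creds_by_tenant)
    stored_in = client.add_policy(policy_id, policy)
    return stored_in, client.roles_of(user)


# Constructed sample data: the super tenant plus one tenant whose user holds a subscriber role.
TENANTS = {
    SUPER_TENANT: Tenant(SUPER_TENANT, {"admin": {"admin"}}),
    "acme.com": Tenant("acme.com", {"bob": {"subscriber"}}),
}
SHARED_CREDS = {SUPER_TENANT: "admin"}                               # only the super tenant admin
PER_TENANT_CREDS = {**SHARED_CREDS, "acme.com": "admin@acme.com"}    # would live in a secret store
```

With SHARED_CREDS the acme.com policy lands in carbon.super and bob's roles come back empty; with PER_TENANT_CREDS it lands in acme.com and the subscriber role is found.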
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
