Please see "Data Isolation level for Data from APIM and IoT? Tenant vs. User" for decisions
--Srinath

On Fri, Mar 25, 2016 at 10:06 AM, Srinath Perera <[email protected]> wrote:
> As per meeting (Sanjiva, Shankar, Sumedha, Anjana, Miyuru, Seshika, Suho, Nirmal, Nuwan)
>
> We need APIM and IOT Server to be able to publish events as "system user", but ask DAS to place data under Ann's (related user) account.
>
> We need Devices to be able to *directly* send an event to DAS with an OAuth token.
>
> Following is the picture describing the full scenario
>
> [image: DASSecuirtyScenarios.png]
>
> --Srinath
>
> On Thu, Mar 24, 2016 at 9:38 AM, Srinath Perera <[email protected]> wrote:
>> This thread described the authorization issue when reading data for gadgets (as I mentioned in the Dashboard server product council).
>>
>> When IoT server/API manager publish events, they need to tell DAS whose data it is. (However, the server cannot log in using that user, as then it will need to keep passwords and also end up having to keep too many connections.)
>>
>> Gadget, when requesting data, has to tell DAS on whose behalf it is requesting the data. DAS has to verify and show visible data. (Also, the DAS data API needs to be secured so that random users cannot call it and look at other people's data.)
>>
>> --Srinath
>>
>> On Sat, Mar 19, 2016 at 9:13 PM, Srinath Perera <[email protected]> wrote:
>>> Yes, and Ann can also generate a token and share it with Smith, to send with his requests.
>>>
>>> Also, IMO most Dashboard requests would come from a browser (in a phone or PC), not from a simple device. So storing or locating the token should not be a problem.
>>>
>>> On Fri, Mar 18, 2016 at 3:21 PM, Chathura Ekanayake <[email protected]> wrote:
>>>>> I think we should go for a token based approach (e.g. OAuth) to handle these scenarios. Following are a few ideas:
>>>>>
>>>>> 1. Using a token (Ann attesting that the system user can publish/access this stream on her behalf), Ann lets the "system user" publish data into Ann's account.
>>>>
>>>> If a device can store a token, Ann can generate a token with the necessary scope (to access Ann's event store) and store the token in the device itself. In that case, the device can send the token with each event, so that the IoT platform can decide permissions based on the token.
>>>>
>>>>> 2. When we give user Smith access to a gadget, we generate a token, which he will send when he is accessing the gadget, which the gadget will send to the DAS backend to get access to the correct tables.
>>>>> 3. The same token can be used for API access as well.
>>>>> 4. We need to manage the tokens issued to each user so this happens transparently to the end user as much as possible.
>>>
>>> --
>>> ============================
>>> Blog: http://srinathsview.blogspot.com twitter:@srinath_perera
>>> Site: http://people.apache.org/~hemapani/
>>> Photos: http://www.flickr.com/photos/hemapani/
>>> Phone: 0772360902
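The token-scoped publish/read checks discussed in this thread (a system user or device publishing into Ann's account, Smith's gadget reading it, and random users kept out), as an added example that is not code from the thread or from WSO2 DAS. The HMAC-signed token, the claim names `owner`/`actor`/`scopes` and the stream name are assumptions standing in for a real OAuth token that DAS would validate against its issuer.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key. A real DAS would validate the token with the OAuth
# server (introspection or its published signing key), not a shared secret.
SIGNING_KEY = b"constructed-demo-key"

def issue_token(owner, actor, scopes, ttl=3600):
    """Mint a token: `owner` is whose account the data belongs to (Ann),
    `actor` is who presents it (system user, device, Smith), `scopes`
    limits which streams it may publish to or read."""
    claims = {"owner": owner, "actor": actor, "scopes": sorted(scopes),
              "exp": int(time.time()) + ttl}
    body = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

def verify_token(token):
    """Return the claims if signature and expiry check out, else raise."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] < time.time():
        raise ValueError("token expired")
    return claims

class EventStore:
    """Stand-in for the DAS data API; tables are keyed by (owner, stream)."""
    def __init__(self):
        self.tables = {}

    def publish(self, token, stream, event):
        claims = verify_token(token)
        if f"publish:{stream}" not in claims["scopes"]:
            raise PermissionError(f"{claims['actor']} may not publish {stream}")
        # Data lands under the token's owner (Ann), never under the actor.
        self.tables.setdefault((claims["owner"], stream), []).append(event)

    def read(self, token, stream):
        claims = verify_token(token)
        if f"read:{stream}" not in claims["scopes"]:
            raise PermissionError(f"{claims['actor']} may not read {stream}")
        # Only the owner's own table is consulted, so another user's data
        # is unreachable even with a valid token for the same stream name.
        return list(self.tables.get((claims["owner"], stream), []))
```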
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
