Hi Manu,

On Tue, May 24, 2016 at 9:03 PM, Manuranga Perera <[email protected]> wrote:

> Hi Darshana,
> Can you please explain the difference between Group and Role. In the
> permission meeting Sanjiva said they are different but I don't see it from
> the code.
>
> From semantic point of view
> User has both getGroups and getRoles
> Both Group and Role have getUsers

If we check from the Permission perspective, Permission has a direct mapping with Roles only. In other words, Users\Groups get the necessary privileges only via the Roles they are assigned to.

You can find this behaviour in the code from the Role bean, which has a getPermissions() method [1], whereas Group doesn't have such a method.

Basically,
- Group is a collection of users.
- Role is a collection of permissions.

IdentityStore is managing,
- Users
- Groups
- User-Group mapping

AuthorizationStore is managing,
- Roles
- Permissions
- Role-Permission mapping
- Role-Group mapping
- Role-User mapping

If we take the "User bean" [2], it should have all the necessary methods needed to be done on a "User", and the User bean internally makes use of the relevant store methods to produce its result.

[1] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security.caas/src/main/java/org/wso2/carbon/security/caas/user/core/bean/Role.java#L83
[2] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security.caas/src/main/java/org/wso2/carbon/security/caas/user/core/bean/User.java

Thanks,

> From implementation point of view
> getGroup code in IdentityStore is almost identical to getRole code in
> AuthorizationStore
>
> On Tue, May 24, 2016 at 2:35 AM, Darshana Gunawardana <[email protected]> wrote:
>
>> Hi Jayanga,
>>
>> Almost all APIs need to provide entryID and the relevant storeID.
>> For example,
>>
>> - IdentityStore has getUserAttributeValues(String userID, String userStoreId);
>> - IdentityStore has getUsersOfGroup(String groupID, String userStoreId)
>> - AuthorizationStore has getGroupsOfRole(String roleId, String authorizationStoreId);
>>
>> If we take getUserAttributeValues() as an example, the API consumer should have to,
>> I. retrieve the relevant User object before calling the getUserAttributeValues() method
>> II. extract userID and userStoreId from the User object
>> III. pass those values to the getUserAttributeValues() method
>>
>> Wouldn't it be more convenient for developers, and the API cleaner,
>> if the API accepted the entry object directly rather than entryID and storeID
>> separately?
>>
>> Thanks,
>>
>> On Wed, May 4, 2016 at 12:45 PM, Omindu Rathnaweera <[email protected]> wrote:
>>
>>> The following snippet shows how authentication and authorization can be
>>> done using the user APIs. We use a similar approach in jaas as well [1][2].
>>>
>>>     NameCallback usernameCallback = new NameCallback("username");
>>>     PasswordCallback passwordCallback = new PasswordCallback("password", false);
>>>     usernameCallback.setName("admin");
>>>     passwordCallback.setPassword(new char[]{'a', 'd', 'm', 'i', 'n'});
>>>     Callback[] callbacks = {usernameCallback, passwordCallback};
>>>     try {
>>>         // Authentication
>>>         AuthenticationContext authenticationContext = CarbonSecurityDataHolder
>>>                 .getInstance().getCarbonRealmService()
>>>                 .getCredentialStore().authenticate(callbacks);
>>>         user = authenticationContext.getUser();
>>>         // Authorization
>>>         user.isAuthorized(new Permission(carbonPermission.getName(),
>>>                 carbonPermission.getActions()));
>>>     } catch (AuthenticationFailure authenticationFailure) {
>>>         throw new LoginException("Authentication failure.");
>>>     }
>>>
>>> [1] - https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security.caas/src/main/java/org/wso2/carbon/security/caas/jaas/modules/UsernamePasswordLoginModule.java#L108-L114
>>> [2] - https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security.caas/src/main/java/org/wso2/carbon/security/caas/jaas/CarbonPrincipal.java#L76-L82
>>>
>>> Regards,
>>> Omindu.
>>>
>>> On Tue, May 3, 2016 at 7:40 PM, Kishanthan Thangarajah <[email protected]> wrote:
>>>
>>>> Can you provide a code sample on how the user authorization is done
>>>> (the flow) based on the above explanation?
>>>>
>>>> On Tue, May 3, 2016 at 2:31 PM, Jayanga Kaushalya <[email protected]> wrote:
>>>>
>>>>> Hi Kishanthan,
>>>>>
>>>>> Respective store ids are available through the respective beans. For
>>>>> example, the User bean has the identity store id and the credential store id.
>>>>> To call an API which requires a store id, you need to have the respective
>>>>> bean first. For example, authenticating a user by calling the authenticate
>>>>> method will return a User bean with its identity store id and the
>>>>> credential store id. Or otherwise, by calling the getUser(username) method you
>>>>> can get the User bean. Most of the operations which require a store id
>>>>> can be directly called from the bean itself. For example, isUserAuthorized
>>>>> can be called like User.isAuthorized(Permission).
>>>>>
>>>>> Thanks!
>>>>>
>>>>> *Jayanga Kaushalya*
>>>>> Software Engineer
>>>>> Mobile: +94777860160
>>>>> WSO2 Inc. | http://wso2.com
>>>>> lean.enterprise.middleware
>>>>>
>>>>> On Tue, May 3, 2016 at 11:56 AM, Kishanthan Thangarajah <[email protected]> wrote:
>>>>>
>>>>>> In most of the API methods, we could see that we need to pass the
>>>>>> identityStoreId like below.
>>>>>>
>>>>>>     public boolean isUserAuthorized(String userId, Permission permission,
>>>>>>             String identityStoreId)
>>>>>>
>>>>>> How do we identify this store-id before calling?
>>>>>>
>>>>>> On Sat, Apr 30, 2016 at 10:12 PM, Jayanga Kaushalya <[email protected]> wrote:
>>>>>>
>>>>>>> Hi Darshana,
>>>>>>>
>>>>>>> Yes, those links are correct. We have changed the package name from
>>>>>>> org.wso2.carbon.security to org.wso2.carbon.security.caas since that is
>>>>>>> the name we are going to use in future.
>>>>>>>
>>>>>>> Thanks!
>>>>>>>
>>>>>>> On Sat, Apr 30, 2016 at 6:49 PM, Darshana Gunawardana <[email protected]> wrote:
>>>>>>>
>>>>>>>> I assume these should be the correct links. @Jayanga please correct
>>>>>>>> me if I'm wrong.
>>>>>>>>
>>>>>>>> [1] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security.caas/src/main/java/org/wso2/carbon/security/caas/user/core/service/RealmService.java
>>>>>>>> [2] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security.caas/src/main/java/org/wso2/carbon/security/caas/user/core/common/CarbonRealmServiceImpl.java
>>>>>>>> [3] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security.caas/src/main/java/org/wso2/carbon/security/caas/user/core/store/AuthorizationStore.java
>>>>>>>> [4] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security.caas/src/main/java/org/wso2/carbon/security/caas/user/core/store/CredentialStore.java
>>>>>>>> [5] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security.caas/src/main/java/org/wso2/carbon/security/caas/user/core/store/IdentityStore.java
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Darshana
>>>>>>>>
>>>>>>>> On Fri, Apr 29, 2016 at 11:36 PM, Kishanthan Thangarajah <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Can you send the correct GitHub links to these APIs? The provided
>>>>>>>>> links are either wrong or packages/modules have been renamed.
>>>>>>>>>
>>>>>>>>> On Fri, Apr 29, 2016 at 6:35 PM, Jayanga Kaushalya <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Hi all,
>>>>>>>>>>
>>>>>>>>>> User core related authentication and authorization operations can
>>>>>>>>>> be accessed through RealmService. The diagram below explains the brief
>>>>>>>>>> outlook of the Realm service and respective stores.
>>>>>>>>>>
>>>>>>>>>> *RealmService*
>>>>>>>>>>
>>>>>>>>>> Realm service is the User Core API which is exposed to external
>>>>>>>>>> users. Each store can be accessed through the realm service.
>>>>>>>>>> API is available in [1]
>>>>>>>>>>
>>>>>>>>>> *CarbonRealmServiceImpl*
>>>>>>>>>>
>>>>>>>>>> Implementation of the realm service. API is available in [2]
>>>>>>>>>>
>>>>>>>>>> *IdentityStore*
>>>>>>>>>>
>>>>>>>>>> Identity store contains all identity management related read-only
>>>>>>>>>> operations. All CRUD operations related to identity management will
>>>>>>>>>> be available through an extended version of the user core, which will be
>>>>>>>>>> available through the carbon identity repository.
>>>>>>>>>> API details are available in [5].
>>>>>>>>>>
>>>>>>>>>> *CredentialStore*
>>>>>>>>>>
>>>>>>>>>> Credential store contains all credential management related read-only
>>>>>>>>>> operations. All CRUD operations related to credential management
>>>>>>>>>> will be available through an extended version of the user core, which will
>>>>>>>>>> be available through the carbon identity repository.
>>>>>>>>>> API details are available in [4]
>>>>>>>>>>
>>>>>>>>>> *AuthorizationStore*
>>>>>>>>>>
>>>>>>>>>> All authorization related CRUD operations will be available
>>>>>>>>>> through the authorization store.
>>>>>>>>>> API details are available in the [3]
>>>>>>>>>>
>>>>>>>>>> [1] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security/src/main/java/org/wso2/carbon/security/user/core/service/RealmService.java
>>>>>>>>>> [2] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security/src/main/java/org/wso2/carbon/security/user/core/common/CarbonRealmServiceImpl.java
>>>>>>>>>> [3] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security/src/main/java/org/wso2/carbon/security/user/core/store/AuthorizationStore.java
>>>>>>>>>> [4] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security/src/main/java/org/wso2/carbon/security/user/core/store/CredentialStore.java
>>>>>>>>>> [5] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security/src/main/java/org/wso2/carbon/security/user/core/store/IdentityStore.java
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> Architecture mailing list
>>>>>>>>>> [email protected]
>>>>>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> *Kishanthan Thangarajah*
>>>>>>>>> Associate Technical Lead,
>>>>>>>>> Platform Technologies Team,
>>>>>>>>> WSO2, Inc.
>>>>>>>>> lean.enterprise.middleware
>>>>>>>>>
>>>>>>>>> Mobile - +94773426635
>>>>>>>>> Blog - http://kishanthan.wordpress.com
>>>>>>>>> Twitter - http://twitter.com/kishanthan
>>>>>>>>
>>>>>>>> --
>>>>>>>> Regards,
>>>>>>>>
>>>>>>>> *Darshana Gunawardana*
>>>>>>>> Senior Software Engineer
>>>>>>>> WSO2 Inc.; http://wso2.com
>>>>>>>>
>>>>>>>> E-mail: [email protected]
>>>>>>>> Mobile: +94718566859
>>>>>>>> Lean . Enterprise . Middleware
>>>
>>> --
>>> Omindu Rathnaweera
>>> Software Engineer, WSO2 Inc.
>>> Mobile: +94 771 197 211
>
> --
> With regards,
> *Manu*ranga Perera.
>
> phone : 071 7 70 20 50
> mail : [email protected]

--
Regards,

*Darshana Gunawardana*
Senior Software Engineer
WSO2 Inc.; http://wso2.com

E-mail: [email protected]
Mobile: +94718566859
Lean . Enterprise . Middleware
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
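
Added example, not part of the original thread and not carbon-security code: a self-contained Java (16+) sketch of the model described in the top reply, where a Group is only a set of users, a Role is only a set of permissions, and a user is authorized only through roles mapped to the user directly or to one of the user's groups. All class, map and sample names are hypothetical, and store ids are left out for brevity.

```java
import java.util.*;

// Added illustration; NOT the carbon-security implementation.
// Every class, field and sample name below is hypothetical.
public class GroupVsRoleDemo {
    record Permission(String resource, String action) {}

    // IdentityStore side: user-group mapping (a group is just a set of users).
    static final Map<String, Set<String>> groupsOfUser = new HashMap<>();

    // AuthorizationStore side: role-permission, role-user and role-group mappings.
    static final Map<String, Set<Permission>> permissionsOfRole = new HashMap<>();
    static final Map<String, Set<String>> rolesOfUser = new HashMap<>();
    static final Map<String, Set<String>> rolesOfGroup = new HashMap<>();

    // Effective roles = roles mapped to the user + roles mapped to the user's groups.
    static Set<String> effectiveRoles(String userId) {
        Set<String> roles = new TreeSet<>(rolesOfUser.getOrDefault(userId, Set.of()));
        for (String group : groupsOfUser.getOrDefault(userId, Set.of())) {
            roles.addAll(rolesOfGroup.getOrDefault(group, Set.of()));
        }
        return roles;
    }

    // Deny by default: granted only if some effective role carries the permission.
    // Group membership on its own never grants anything.
    static boolean isAuthorized(String userId, Permission wanted) {
        for (String role : effectiveRoles(userId)) {
            if (permissionsOfRole.getOrDefault(role, Set.of()).contains(wanted)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample data.
        groupsOfUser.put("alice", Set.of("engineering"));
        groupsOfUser.put("bob", Set.of("contractors"));   // group with no role mapped
        rolesOfGroup.put("engineering", Set.of("deployer"));
        rolesOfUser.put("carol", Set.of("auditor"));
        permissionsOfRole.put("deployer", Set.of(new Permission("/apps", "deploy")));
        permissionsOfRole.put("auditor", Set.of(new Permission("/logs", "read")));
        Permission deploy = new Permission("/apps", "deploy");
        System.out.println("alice: " + isAuthorized("alice", deploy)); // group -> role -> permission
        System.out.println("bob:   " + isAuthorized("bob", deploy));   // group without any role
        System.out.println("carol: " + isAuthorized("carol", deploy)); // role lacks the permission
    }
}
```

A review of effective access in such a model has to expand both the Role-User and the Role-Group mappings, since a role attached to a group silently applies to every current and future member of that group.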
