Thanks Darshana. So if I s/Group/Role/ in my code, it will still work the same. In that case is it worth implementing a new concept called Group?
On Tue, May 24, 2016 at 12:35 PM, Darshana Gunawardana <[email protected]> wrote:

> Hi Manu,
>
> On Tue, May 24, 2016 at 9:03 PM, Manuranga Perera <[email protected]> wrote:
>
>> Hi Darshana,
>> Can you please explain the difference between Group and Role. In
>> the permission meeting Sanjiva said they are different but I don't see it
>> from the code.
>>
>> From semantic point of view
>> User has both getGroups and getRoles
>> Both Group and Role has getUsers
>
> If we check from the Permission perspective, Permission has a direct
> mapping with Roles only. In other words, Users\Groups get necessary
> privileges only via the Roles they are assigned to.
>
> You can find this behaviour in the code from the Role bean, which has a
> getPermissions() method [1], where Groups don't have such a method.
>
> Basically,
>
> Group is a collection of users.
>
> Role is a collection of permissions.
>
> IdentityStore is managing,
>   - Users
>   - Groups
>   - User-Group mapping
>
> AuthorizationStore is managing,
>   - Roles
>   - Permissions
>   - Role-Permission mapping
>   - Role-Group mapping
>   - Role-User mapping
>
> If we take "User bean" [2], it should have all necessary methods needed to
> be done on a "User", and the User bean internally makes use of relevant store
> methods to produce its result.
>
> [1] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security.caas/src/main/java/org/wso2/carbon/security/caas/user/core/bean/Role.java#L83
> [2] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security.caas/src/main/java/org/wso2/carbon/security/caas/user/core/bean/User.java
>
> Thanks,
>
>> From implementation point of view
>> getGroup code in IdentityStore is almost identical to getRole code in
>> AuthorizationStore
>>
>> On Tue, May 24, 2016 at 2:35 AM, Darshana Gunawardana <[email protected]> wrote:
>>
>>> Hi Jayanga,
>>>
>>> Almost all APIs need to provide entryID and the relevant storeID. For
>>> example,
>>>
>>>   - IdentityStore has getUserAttributeValues(String userID, String userStoreId);
>>>   - IdentityStore has getUsersOfGroup(String groupID, String userStoreId)
>>>   - AuthorizationStore has getGroupsOfRole(String roleId, String authorizationStoreId);
>>>
>>> If we take getUserAttributeValues() as an example, the API consumer
>>> should have to,
>>>   I. retrieve relevant User object before calling getUserAttributeValues() method
>>>   II. extract userID and userStoreId from the User object
>>>   III. pass those values to getUserAttributeValues() method
>>>
>>> Wouldn't it be more convenient for developers, and the API cleaner,
>>> if the API accepts the entry object directly rather than entryID and storeID
>>> separately?
>>>
>>> Thanks,
>>>
>>> On Wed, May 4, 2016 at 12:45 PM, Omindu Rathnaweera <[email protected]> wrote:
>>>
>>>> The following snippet shows how authentication and authorization can be
>>>> done using the user APIs. We use a similar approach in jaas as well [1][2].
>>>>
>>>>     NameCallback usernameCallback = new NameCallback("username");
>>>>     PasswordCallback passwordCallback = new PasswordCallback("password", false);
>>>>     usernameCallback.setName("admin");
>>>>     passwordCallback.setPassword(new char[]{'a', 'd', 'm', 'i', 'n'});
>>>>     Callback[] callbacks = {usernameCallback, passwordCallback};
>>>>     try {
>>>>         //Authentication
>>>>         AuthenticationContext authenticationContext = CarbonSecurityDataHolder
>>>>                 .getInstance().getCarbonRealmService()
>>>>                 .getCredentialStore().authenticate(callbacks);
>>>>         user = authenticationContext.getUser();
>>>>         //Authorization
>>>>         user.isAuthorized(new Permission(carbonPermission.getName(),
>>>>                 carbonPermission.getActions()));
>>>>     } catch (AuthenticationFailure authenticationFailure) {
>>>>         throw new LoginException("Authentication failure.");
>>>>     }
>>>>
>>>> [1] - https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security.caas/src/main/java/org/wso2/carbon/security/caas/jaas/modules/UsernamePasswordLoginModule.java#L108-L114
>>>> [2] - https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security.caas/src/main/java/org/wso2/carbon/security/caas/jaas/CarbonPrincipal.java#L76-L82
>>>>
>>>> Regards,
>>>> Omindu.
>>>>
>>>> On Tue, May 3, 2016 at 7:40 PM, Kishanthan Thangarajah <[email protected]> wrote:
>>>>
>>>>> Can you provide a code sample on how the user authorization is done
>>>>> (the flow) based on the above explanation?
>>>>>
>>>>> On Tue, May 3, 2016 at 2:31 PM, Jayanga Kaushalya <[email protected]> wrote:
>>>>>
>>>>>> Hi Kishanthan,
>>>>>>
>>>>>> Respective store ids are available through the respective beans. For
>>>>>> example, User bean has the identity store id and the credential store id.
>>>>>> To call an API which requires a store id, you need to have the respective
>>>>>> bean first. For example, authenticating a user via calling the authenticate
>>>>>> method will return a User bean with its identity store id and the
>>>>>> credential store id. Or otherwise, by calling the getUser(username) method you
>>>>>> can get the User bean. Most of the operations which require a store id
>>>>>> can be directly called from the bean itself. For example, isUserAuthorized
>>>>>> can be called like User.isAuthorized(Permission).
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>> *Jayanga Kaushalya*
>>>>>> Software Engineer
>>>>>> Mobile: +94777860160
>>>>>> WSO2 Inc. | http://wso2.com
>>>>>> lean.enterprise.middleware
>>>>>>
>>>>>> On Tue, May 3, 2016 at 11:56 AM, Kishanthan Thangarajah <[email protected]> wrote:
>>>>>>
>>>>>>> Most of the API methods we could see that we need to pass the
>>>>>>> identityStoreId like below.
>>>>>>>
>>>>>>>     public boolean isUserAuthorized(String userId, Permission permission,
>>>>>>>             String identityStoreId)
>>>>>>>
>>>>>>> How do we identify this store-id before calling?
>>>>>>>
>>>>>>> On Sat, Apr 30, 2016 at 10:12 PM, Jayanga Kaushalya <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hi Darshana,
>>>>>>>>
>>>>>>>> Yes, those links are correct. We have changed the package name from
>>>>>>>> org.wso2.carbon.security to org.wso2.carbon.security.caas since that
>>>>>>>> is the name we are going to use in future.
>>>>>>>>
>>>>>>>> Thanks!
>>>>>>>>
>>>>>>>> On Sat, Apr 30, 2016 at 6:49 PM, Darshana Gunawardana <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> I assume these should be the correct links. @Jayanga please
>>>>>>>>> correct me if I'm wrong.
>>>>>>>>>
>>>>>>>>> [1] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security.caas/src/main/java/org/wso2/carbon/security/caas/user/core/service/RealmService.java
>>>>>>>>> [2] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security.caas/src/main/java/org/wso2/carbon/security/caas/user/core/common/CarbonRealmServiceImpl.java
>>>>>>>>> [3] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security.caas/src/main/java/org/wso2/carbon/security/caas/user/core/store/AuthorizationStore.java
>>>>>>>>> [4] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security.caas/src/main/java/org/wso2/carbon/security/caas/user/core/store/CredentialStore.java
>>>>>>>>> [5] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security.caas/src/main/java/org/wso2/carbon/security/caas/user/core/store/IdentityStore.java
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Darshana
>>>>>>>>>
>>>>>>>>> On Fri, Apr 29, 2016 at 11:36 PM, Kishanthan Thangarajah <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Can you send the correct git-hub links to these API's? Provided
>>>>>>>>>> links are either wrong or packages/modules have been renamed.
>>>>>>>>>>
>>>>>>>>>> On Fri, Apr 29, 2016 at 6:35 PM, Jayanga Kaushalya <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi all,
>>>>>>>>>>>
>>>>>>>>>>> User core related authentication and authorization operations
>>>>>>>>>>> can be accessed through RealmService. Below diagram explains the brief
>>>>>>>>>>> outlook of the Realm service and respective stores.
>>>>>>>>>>>
>>>>>>>>>>> *RealmService*
>>>>>>>>>>>
>>>>>>>>>>> Realm service is the User Core API which is exposed to external
>>>>>>>>>>> users. Each store can be accessed through the realm service. API is
>>>>>>>>>>> available in [1]
>>>>>>>>>>>
>>>>>>>>>>> *CarbonRealmServiceImpl*
>>>>>>>>>>>
>>>>>>>>>>> Implementation of the realm service. API is available in [2]
>>>>>>>>>>>
>>>>>>>>>>> *IdentityStore*
>>>>>>>>>>>
>>>>>>>>>>> Identity store contains all identity management related read
>>>>>>>>>>> only operations. All CRUD operations related to identity management will be
>>>>>>>>>>> available through extended version of the user core and which will be
>>>>>>>>>>> available through carbon identity repository.
>>>>>>>>>>> API details are available in the [5].
>>>>>>>>>>>
>>>>>>>>>>> *CredentialStore*
>>>>>>>>>>>
>>>>>>>>>>> Credential store contains all credential management related read
>>>>>>>>>>> only operations. All CRUD operations related to the credential management
>>>>>>>>>>> will be available through extended version of the user core and which will
>>>>>>>>>>> be available through carbon identity repository.
>>>>>>>>>>> API details are available in the [4]
>>>>>>>>>>>
>>>>>>>>>>> *AuthorizationStore*
>>>>>>>>>>>
>>>>>>>>>>> All authorization related CRUD operations will be available
>>>>>>>>>>> through the authorization store. API details are available in the [3]
>>>>>>>>>>>
>>>>>>>>>>> [1] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security/src/main/java/org/wso2/carbon/security/user/core/service/RealmService.java
>>>>>>>>>>> [2] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security/src/main/java/org/wso2/carbon/security/user/core/common/CarbonRealmServiceImpl.java
>>>>>>>>>>> [3] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security/src/main/java/org/wso2/carbon/security/user/core/store/AuthorizationStore.java
>>>>>>>>>>> [4] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security/src/main/java/org/wso2/carbon/security/user/core/store/CredentialStore.java
>>>>>>>>>>> [5] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security/src/main/java/org/wso2/carbon/security/user/core/store/IdentityStore.java
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> *Kishanthan Thangarajah*
>>>>>>>>>> Associate Technical Lead,
>>>>>>>>>> Platform Technologies Team,
>>>>>>>>>> WSO2, Inc.
>>>>>>>>>> lean.enterprise.middleware
>>>>>>>>>>
>>>>>>>>>> Mobile - +94773426635
>>>>>>>>>> Blog - http://kishanthan.wordpress.com
>>>>>>>>>> Twitter - http://twitter.com/kishanthan
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Regards,
>>>>>>>>>
>>>>>>>>> *Darshana Gunawardana*
>>>>>>>>> Senior Software Engineer
>>>>>>>>> WSO2 Inc.; http://wso2.com
>>>>>>>>>
>>>>>>>>> E-mail: [email protected]
>>>>>>>>> Mobile: +94718566859
>>>>>>>>> Lean . Enterprise . Middleware
>>>>
>>>> --
>>>> Omindu Rathnaweera
>>>> Software Engineer, WSO2 Inc.
>>>> Mobile: +94 771 197 211

--
With regards,
*Manu*ranga Perera.

phone : 071 7 70 20 50
mail : [email protected]
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
