Hi Manu,

That's not right... What a user can do (authorization) is decided based on the permissions attached to the roles that the user inherits... A user inherits roles by a direct role assignment or from a group the user belongs to...
Thanks & regards,
-Prabath

On Tue, May 24, 2016 at 12:49 PM, Manuranga Perera <[email protected]> wrote:

> Thanks Darshana.
> So if I s/Group/Role/ in my code, it will still work the same. In that
> case is it worth implementing a new concept called Group?
>
> On Tue, May 24, 2016 at 12:35 PM, Darshana Gunawardana <[email protected]> wrote:
>
>> Hi Manu,
>>
>> On Tue, May 24, 2016 at 9:03 PM, Manuranga Perera <[email protected]> wrote:
>>
>>> Hi Darshana,
>>> Can you please explain the difference between Group and Role. In
>>> the permission meeting Sanjiva said they are different but I don't see it
>>> from the code.
>>>
>>> From a semantic point of view:
>>> User has both getGroups and getRoles
>>> Both Group and Role have getUsers
>>
>> If we check from the Permission perspective, Permissions have a direct
>> mapping with Roles only. In other words, Users/Groups get the necessary
>> privileges only via the Roles they are assigned to.
>>
>> You can find this behaviour in the code from the Role bean, which has a
>> getPermissions() method [1], where Group doesn't have such a method.
>>
>> Basically,
>> > Group is a collection of users.
>> > Role is a collection of permissions.
>>
>> IdentityStore is managing,
>> > Users
>> > Groups
>> > User-Group mapping
>>
>> AuthorizationStore is managing,
>> > Roles
>> > Permissions
>> > Role-Permission mapping
>> > Role-Group mapping
>> > Role-User mapping
>>
>> If we take the "User bean" [2], it should have all the necessary methods that need
>> to be done on a "User", and the User bean internally makes use of the relevant store
>> methods to produce its result.
>>
>> [1] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security.caas/src/main/java/org/wso2/carbon/security/caas/user/core/bean/Role.java#L83
>> [2] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security.caas/src/main/java/org/wso2/carbon/security/caas/user/core/bean/User.java
>>
>> Thanks,
>>
>>> From an implementation point of view:
>>> getGroup code in IdentityStore is almost identical to getRole code
>>> in AuthorizationStore
>>>
>>> On Tue, May 24, 2016 at 2:35 AM, Darshana Gunawardana <[email protected]> wrote:
>>>
>>>> Hi Jayanga,
>>>>
>>>> Almost all APIs require the entryID and the relevant storeID to be provided. For
>>>> example,
>>>>
>>>> - IdentityStore has getUserAttributeValues(String userID, String userStoreId);
>>>> - IdentityStore has getUsersOfGroup(String groupID, String userStoreId)
>>>> - AuthorizationStore has getGroupsOfRole(String roleId, String authorizationStoreId);
>>>>
>>>> If we take getUserAttributeValues() as an example, the API consumer
>>>> has to,
>>>> I. retrieve the relevant User object before calling the
>>>> getUserAttributeValues() method
>>>> II. extract userID and userStoreId from the User object
>>>> III. pass those values to the getUserAttributeValues() method
>>>>
>>>> Wouldn't it be more convenient for developers, and a cleaner API,
>>>> if the API accepted the entry object directly rather than entryID and storeID
>>>> separately?
>>>>
>>>> Thanks,
>>>>
>>>> On Wed, May 4, 2016 at 12:45 PM, Omindu Rathnaweera <[email protected]> wrote:
>>>>
>>>>> The following snippet shows how authentication and authorization can
>>>>> be done using the user APIs. We use a similar approach in JAAS as well
>>>>> [1][2].
>>>>>
>>>>>     NameCallback usernameCallback = new NameCallback("username");
>>>>>     PasswordCallback passwordCallback = new PasswordCallback("password", false);
>>>>>     usernameCallback.setName("admin");
>>>>>     passwordCallback.setPassword(new char[]{'a', 'd', 'm', 'i', 'n'});
>>>>>     Callback[] callbacks = {usernameCallback, passwordCallback};
>>>>>     User user;
>>>>>     try {
>>>>>         // Authentication: the credential store verifies the callbacks and
>>>>>         // returns a context that carries the authenticated User bean
>>>>>         AuthenticationContext authenticationContext =
>>>>>                 CarbonSecurityDataHolder.getInstance().getCarbonRealmService()
>>>>>                         .getCredentialStore().authenticate(callbacks);
>>>>>         user = authenticationContext.getUser();
>>>>>         // Authorization: the User bean already carries its store ids, so only the
>>>>>         // Permission is passed (carbonPermission is defined elsewhere in the login
>>>>>         // module; the boolean result is not checked in this snippet)
>>>>>         user.isAuthorized(new Permission(carbonPermission.getName(),
>>>>>                 carbonPermission.getActions()));
>>>>>     } catch (AuthenticationFailure authenticationFailure) {
>>>>>         throw new LoginException("Authentication failure.");
>>>>>     }
>>>>>
>>>>> [1] - https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security.caas/src/main/java/org/wso2/carbon/security/caas/jaas/modules/UsernamePasswordLoginModule.java#L108-L114
>>>>> [2] - https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security.caas/src/main/java/org/wso2/carbon/security/caas/jaas/CarbonPrincipal.java#L76-L82
>>>>>
>>>>> Regards,
>>>>> Omindu.
>>>>>
>>>>> On Tue, May 3, 2016 at 7:40 PM, Kishanthan Thangarajah <[email protected]> wrote:
>>>>>
>>>>>> Can you provide a code sample on how the user authorization is done
>>>>>> (the flow) based on the above explanation?
>>>>>>
>>>>>> On Tue, May 3, 2016 at 2:31 PM, Jayanga Kaushalya <[email protected]> wrote:
>>>>>>
>>>>>>> Hi Kishanthan,
>>>>>>>
>>>>>>> Respective store ids are available through the respective beans. For
>>>>>>> example, the User bean has the identity store id and the credential store id. To
>>>>>>> call an API which requires a store id, you need to have the respective
>>>>>>> bean first.
>>>>>>> For example, authenticating a user by calling the authenticate
>>>>>>> method will return a User bean with its identity store id and the
>>>>>>> credential store id. Otherwise, by calling the getUser(username) method you
>>>>>>> can get the User bean. Most of the operations which require a store id
>>>>>>> can be called directly from the bean itself. For example, isUserAuthorized
>>>>>>> can be called like User.isAuthorized(Permission).
>>>>>>>
>>>>>>> Thanks!
>>>>>>>
>>>>>>> *Jayanga Kaushalya*
>>>>>>> Software Engineer
>>>>>>> Mobile: +94777860160
>>>>>>> WSO2 Inc. | http://wso2.com
>>>>>>> lean.enterprise.middleware
>>>>>>>
>>>>>>> On Tue, May 3, 2016 at 11:56 AM, Kishanthan Thangarajah <[email protected]> wrote:
>>>>>>>
>>>>>>>> In most of the API methods we could see that we need to pass the
>>>>>>>> identityStoreId like below.
>>>>>>>>
>>>>>>>>     public boolean isUserAuthorized(String userId, Permission permission, String identityStoreId)
>>>>>>>>
>>>>>>>> How do we identify this store-id before calling?
>>>>>>>>
>>>>>>>> On Sat, Apr 30, 2016 at 10:12 PM, Jayanga Kaushalya <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hi Darshana,
>>>>>>>>>
>>>>>>>>> Yes, those links are correct. We have changed the package name
>>>>>>>>> from org.wso2.carbon.security to org.wso2.carbon.security.caas since that
>>>>>>>>> is the name we are going to use in future.
>>>>>>>>>
>>>>>>>>> Thanks!
>>>>>>>>>
>>>>>>>>> On Sat, Apr 30, 2016 at 6:49 PM, Darshana Gunawardana <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> I assume these should be the correct links. @Jayanga please
>>>>>>>>>> correct me if I'm wrong.
>>>>>>>>>>
>>>>>>>>>> [1] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security.caas/src/main/java/org/wso2/carbon/security/caas/user/core/service/RealmService.java
>>>>>>>>>> [2] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security.caas/src/main/java/org/wso2/carbon/security/caas/user/core/common/CarbonRealmServiceImpl.java
>>>>>>>>>> [3] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security.caas/src/main/java/org/wso2/carbon/security/caas/user/core/store/AuthorizationStore.java
>>>>>>>>>> [4] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security.caas/src/main/java/org/wso2/carbon/security/caas/user/core/store/CredentialStore.java
>>>>>>>>>> [5] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security.caas/src/main/java/org/wso2/carbon/security/caas/user/core/store/IdentityStore.java
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Darshana
>>>>>>>>>>
>>>>>>>>>> On Fri, Apr 29, 2016 at 11:36 PM, Kishanthan Thangarajah <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> Can you send the correct GitHub links to these APIs? The provided
>>>>>>>>>>> links are either wrong or the packages/modules have been renamed.
>>>>>>>>>>>
>>>>>>>>>>> On Fri, Apr 29, 2016 at 6:35 PM, Jayanga Kaushalya <[email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi all,
>>>>>>>>>>>>
>>>>>>>>>>>> User core related authentication and authorization operations
>>>>>>>>>>>> can be accessed through RealmService. The diagram below gives a brief
>>>>>>>>>>>> outlook of the Realm service and the respective stores.
>>>>>>>>>>>>
>>>>>>>>>>>> *RealmService*
>>>>>>>>>>>>
>>>>>>>>>>>> Realm service is the User Core API which is exposed to external
>>>>>>>>>>>> users. Each store can be accessed through the realm service.
>>>>>>>>>>>> API is available in [1].
>>>>>>>>>>>>
>>>>>>>>>>>> *CarbonRealmServiceImpl*
>>>>>>>>>>>>
>>>>>>>>>>>> Implementation of the realm service. API is available in [2].
>>>>>>>>>>>>
>>>>>>>>>>>> *IdentityStore*
>>>>>>>>>>>>
>>>>>>>>>>>> Identity store contains all identity management related read-only
>>>>>>>>>>>> operations. All CRUD operations related to identity management will be
>>>>>>>>>>>> available through an extended version of the user core, which will be
>>>>>>>>>>>> available through the carbon identity repository.
>>>>>>>>>>>> API details are available in [5].
>>>>>>>>>>>>
>>>>>>>>>>>> *CredentialStore*
>>>>>>>>>>>>
>>>>>>>>>>>> Credential store contains all credential management related
>>>>>>>>>>>> read-only operations. All CRUD operations related to credential
>>>>>>>>>>>> management will be available through an extended version of the user core,
>>>>>>>>>>>> which will be available through the carbon identity repository.
>>>>>>>>>>>> API details are available in [4].
>>>>>>>>>>>>
>>>>>>>>>>>> *AuthorizationStore*
>>>>>>>>>>>>
>>>>>>>>>>>> All authorization related CRUD operations will be available
>>>>>>>>>>>> through the authorization store.
>>>>>>>>>>>> API details are available in [3].
>>>>>>>>>>>>
>>>>>>>>>>>> [1] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security/src/main/java/org/wso2/carbon/security/user/core/service/RealmService.java
>>>>>>>>>>>> [2] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security/src/main/java/org/wso2/carbon/security/user/core/common/CarbonRealmServiceImpl.java
>>>>>>>>>>>> [3] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security/src/main/java/org/wso2/carbon/security/user/core/store/AuthorizationStore.java
>>>>>>>>>>>> [4] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security/src/main/java/org/wso2/carbon/security/user/core/store/CredentialStore.java
>>>>>>>>>>>> [5] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security/src/main/java/org/wso2/carbon/security/user/core/store/IdentityStore.java
>>>>>>>>>>>>
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> Architecture mailing list
>>>>>>>>>>>> [email protected]
>>>>>>>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> *Kishanthan Thangarajah*
>>>>>>>>>>> Associate Technical Lead,
>>>>>>>>>>> Platform Technologies Team,
>>>>>>>>>>> WSO2, Inc.
>>>>>>>>>>> lean.enterprise.middleware
>>>>>>>>>>>
>>>>>>>>>>> Mobile - +94773426635
>>>>>>>>>>> Blog - http://kishanthan.wordpress.com
>>>>>>>>>>> Twitter - http://twitter.com/kishanthan
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Regards,
>>>>>>>>>>
>>>>>>>>>> *Darshana Gunawardana*
>>>>>>>>>> Senior Software Engineer
>>>>>>>>>> WSO2 Inc.; http://wso2.com
>>>>>>>>>>
>>>>>>>>>> E-mail: [email protected]
>>>>>>>>>> Mobile: +94718566859
>>>>>>>>>> Lean . Enterprise . Middleware
>>>>>
>>>>> --
>>>>> Omindu Rathnaweera
>>>>> Software Engineer, WSO2 Inc.
>>>>> Mobile: +94 771 197 211
>>>
>>> --
>>> With regards,
>>> *Manu*ranga Perera.
>>>
>>> phone : 071 7 70 20 50
>>> mail : [email protected]

--
Thanks & Regards,
Prabath

Twitter : @prabath
LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
Mobile : +1 650 625 7950
http://facilelogin.com
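The model the thread settles on, as an added example that is not code from the thread or from carbon-security: an IdentityStore that owns users, groups and the user-group mapping; an AuthorizationStore that owns roles, permissions and the role-permission, role-user and role-group mappings; and a User bean that carries references to both stores so a caller writes user.isAuthorized(permission) instead of passing ids and store ids around. Every class and method name here is a hypothetical stand-in chosen to mirror the names in the discussion, not the project's API. The thing to watch is the effective-role computation: a permission hangs off a role only, a group grants nothing until a role is mapped to it, and a user's roles are the direct assignments plus those reached through group membership, which is why s/Group/Role/ does not give the same model.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Hypothetical illustration of the Group/Role/Permission split; not carbon-security's code.
public class RoleGroupDemo {

    // A permission is a resource name plus an action on it; a role is a set of these.
    record Permission(String name, String action) {}

    // IdentityStore owns users, groups and the user-group mapping only.
    // It knows nothing about permissions, so a group by itself grants nothing.
    static final class IdentityStore {
        private final Map<String, Set<String>> groupsOfUser = new HashMap<>();

        void addUserToGroup(String userId, String groupId) {
            groupsOfUser.computeIfAbsent(userId, k -> new HashSet<>()).add(groupId);
        }

        Set<String> getGroupsOfUser(String userId) {
            return groupsOfUser.getOrDefault(userId, Set.of());
        }
    }

    // AuthorizationStore owns roles, permissions and the role-permission,
    // role-user and role-group mappings. Note there is no group-permission mapping.
    static final class AuthorizationStore {
        private final Map<String, Set<Permission>> permissionsOfRole = new HashMap<>();
        private final Map<String, Set<String>> rolesOfUser = new HashMap<>();
        private final Map<String, Set<String>> rolesOfGroup = new HashMap<>();

        void addPermissionToRole(String roleId, Permission permission) {
            permissionsOfRole.computeIfAbsent(roleId, k -> new HashSet<>()).add(permission);
        }

        void assignRoleToUser(String userId, String roleId) {
            rolesOfUser.computeIfAbsent(userId, k -> new HashSet<>()).add(roleId);
        }

        void assignRoleToGroup(String groupId, String roleId) {
            rolesOfGroup.computeIfAbsent(groupId, k -> new HashSet<>()).add(roleId);
        }

        Set<String> getRolesOfUser(String userId) {
            return rolesOfUser.getOrDefault(userId, Set.of());
        }

        Set<String> getRolesOfGroup(String groupId) {
            return rolesOfGroup.getOrDefault(groupId, Set.of());
        }

        Set<Permission> getPermissions(String roleId) {
            return permissionsOfRole.getOrDefault(roleId, Set.of());
        }
    }

    // The User bean holds its id plus both stores, so callers never pass store ids.
    static final class User {
        private final String userId;
        private final IdentityStore identityStore;
        private final AuthorizationStore authorizationStore;

        User(String userId, IdentityStore identityStore, AuthorizationStore authorizationStore) {
            this.userId = userId;
            this.identityStore = identityStore;
            this.authorizationStore = authorizationStore;
        }

        // Effective roles: direct assignments plus the roles of every group the user is in.
        Set<String> getRoles() {
            Set<String> roles = new HashSet<>(authorizationStore.getRolesOfUser(userId));
            for (String groupId : identityStore.getGroupsOfUser(userId)) {
                roles.addAll(authorizationStore.getRolesOfGroup(groupId));
            }
            return roles;
        }

        // Authorized only if some effective role carries the required permission.
        boolean isAuthorized(Permission required) {
            for (String roleId : getRoles()) {
                if (authorizationStore.getPermissions(roleId).contains(required)) {
                    return true;
                }
            }
            return false;
        }
    }

    public static void main(String[] args) {
        IdentityStore identityStore = new IdentityStore();
        AuthorizationStore authorizationStore = new AuthorizationStore();

        // Constructed sample data: two permissions on two roles, one group.
        Permission readLogs = new Permission("/permission/admin/logs", "read");
        Permission manageUsers = new Permission("/permission/admin/users", "manage");
        authorizationStore.addPermissionToRole("log-viewer", readLogs);
        authorizationStore.addPermissionToRole("user-admin", manageUsers);

        // alice reaches log-viewer only through the ops group; bob holds user-admin directly.
        identityStore.addUserToGroup("alice", "ops");
        authorizationStore.assignRoleToGroup("ops", "log-viewer");
        authorizationStore.assignRoleToUser("bob", "user-admin");

        User alice = new User("alice", identityStore, authorizationStore);
        User bob = new User("bob", identityStore, authorizationStore);

        System.out.println("alice roles: " + alice.getRoles());
        System.out.println("alice may read logs: " + alice.isAuthorized(readLogs));
        System.out.println("alice may manage users: " + alice.isAuthorized(manageUsers));
        System.out.println("bob may manage users: " + bob.isAuthorized(manageUsers));
    }
}
```

Running main shows alice authorized for readLogs purely through the ops group to log-viewer hop and denied manageUsers, while bob is authorized for manageUsers by direct role assignment. Removing the assignRoleToGroup line leaves alice in the ops group with no privileges at all, which is the distinction the thread draws: group membership is an identity fact, and only the role mapping in the authorization store turns it into privilege. Record types need Java 16 or later; on older JDKs replace the record with a class that overrides equals and hashCode, since isAuthorized relies on value equality for contains().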
