That model has limitations... With that model, how do we assign a set of roles to a group of users...? (not by individual user)

Also - a group has its own metadata too - like - the email address...

Thanks & regards,
-Prabath

On Tue, May 24, 2016 at 1:17 PM, Manuranga Perera <[email protected]> wrote:

> Hi Prabath,
>
> Yes, I missed a point. The following code will break:
>
> Group devTeam = ...;
> devTeam.updateRoles(Collections.singletonList(adminRole));
>
> But why do we really need this? In the C4 world we would have made the devTeam
> a role as well and directly assigned permissions to it. I assume that's how
> the 'team' concept was implemented in C4 AppFac. Why change if it worked?
>
> On Tue, May 24, 2016 at 4:03 PM, Prabath Siriwardana <[email protected]> wrote:
>
>> Hi Manu,
>>
>> That's not right... What a user can do (authorization) is decided based on
>> the permissions attached to the roles that user inherits... A user inherits
>> roles by a direct role assignment or from a group that user belongs to...
>>
>> Thanks & regards,
>> -Prabath
>>
>> On Tue, May 24, 2016 at 12:49 PM, Manuranga Perera <[email protected]> wrote:
>>
>>> Thanks Darshana.
>>> So if I s/Group/Role/ in my code, it will still work the same. In that
>>> case, is it worth implementing a new concept called Group?
>>>
>>> On Tue, May 24, 2016 at 12:35 PM, Darshana Gunawardana <[email protected]> wrote:
>>>
>>>> Hi Manu,
>>>>
>>>> On Tue, May 24, 2016 at 9:03 PM, Manuranga Perera <[email protected]> wrote:
>>>>
>>>>> Hi Darshana,
>>>>> Can you please explain the difference between Group and Role? In
>>>>> the permission meeting Sanjiva said they are different, but I don't see it
>>>>> from the code.
>>>>>
>>>>> From a semantic point of view:
>>>>> User has both getGroups and getRoles.
>>>>> Both Group and Role have getUsers.
>>>>>
>>>> If we check from the Permission perspective, Permissions have a direct
>>>> mapping with Roles only. In other words, Users/Groups get the necessary
>>>> privileges only via the Roles they are assigned to.
>>>>
>>>> You can find this behaviour in the code: the Role bean has a
>>>> getPermissions() method [1], whereas Group doesn't have such a method.
>>>>
>>>> Basically,
>>>> > Group is a collection of users.
>>>> > Role is a collection of permissions.
>>>>
>>>> IdentityStore is managing:
>>>> > Users
>>>> > Groups
>>>> > User-Group mapping
>>>>
>>>> AuthorizationStore is managing:
>>>> > Roles
>>>> > Permissions
>>>> > Role-Permission mapping
>>>> > Role-Group mapping
>>>> > Role-User mapping
>>>>
>>>> If we take the "User bean" [2], it should have all the methods needed
>>>> to operate on a "User", and the User bean internally makes use of the relevant
>>>> store methods to produce its result.
>>>>
>>>> [1] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security.caas/src/main/java/org/wso2/carbon/security/caas/user/core/bean/Role.java#L83
>>>> [2] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security.caas/src/main/java/org/wso2/carbon/security/caas/user/core/bean/User.java
>>>>
>>>> Thanks,
>>>>
>>>>> From an implementation point of view:
>>>>> the getGroup code in IdentityStore is almost identical to the getRole code
>>>>> in AuthorizationStore.
>>>>>
>>>>> On Tue, May 24, 2016 at 2:35 AM, Darshana Gunawardana <[email protected]> wrote:
>>>>>
>>>>>> Hi Jayanga,
>>>>>>
>>>>>> Almost all APIs need the entryID and the relevant storeID to be provided. For
>>>>>> example,
>>>>>>
>>>>>> - IdentityStore has getUserAttributeValues(String userID, String userStoreId);
>>>>>> - IdentityStore has getUsersOfGroup(String groupID, String userStoreId)
>>>>>> - AuthorizationStore has getGroupsOfRole(String roleId, String authorizationStoreId);
>>>>>>
>>>>>> If we take getUserAttributeValues() as an example, the API consumer
>>>>>> has to:
>>>>>> I. retrieve the relevant User object before calling the getUserAttributeValues() method
>>>>>> II. extract userID and userStoreId from the User object
>>>>>> III. pass those values to the getUserAttributeValues() method
>>>>>>
>>>>>> Wouldn't it be more convenient for developers, and a cleaner
>>>>>> API, if the API accepted the entry object directly rather than the entryID and
>>>>>> storeID separately?
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> On Wed, May 4, 2016 at 12:45 PM, Omindu Rathnaweera <[email protected]> wrote:
>>>>>>
>>>>>>> The following snippet shows how authentication and authorization can
>>>>>>> be done using the user APIs. We use a similar approach in JAAS as well
>>>>>>> [1][2].
>>>>>>>
>>>>>>>> NameCallback usernameCallback = new NameCallback("username");
>>>>>>>> PasswordCallback passwordCallback = new PasswordCallback("password", false);
>>>>>>>> usernameCallback.setName("admin");
>>>>>>>> passwordCallback.setPassword(new char[]{'a', 'd', 'm', 'i', 'n'});
>>>>>>>> Callback[] callbacks = {usernameCallback, passwordCallback};
>>>>>>>> try {
>>>>>>>>     // Authentication: the credential store validates the callbacks and
>>>>>>>>     // returns a context carrying the authenticated User bean
>>>>>>>>     AuthenticationContext authenticationContext =
>>>>>>>>             CarbonSecurityDataHolder.getInstance().getCarbonRealmService()
>>>>>>>>                     .getCredentialStore().authenticate(callbacks);
>>>>>>>>     User user = authenticationContext.getUser();
>>>>>>>>     // Authorization: the User bean resolves its roles and checks the permission
>>>>>>>>     user.isAuthorized(new Permission(carbonPermission.getName(),
>>>>>>>>             carbonPermission.getActions()));
>>>>>>>> } catch (AuthenticationFailure authenticationFailure) {
>>>>>>>>     throw new LoginException("Authentication failure.");
>>>>>>>> }
>>>>>>>
>>>>>>> [1] - https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security.caas/src/main/java/org/wso2/carbon/security/caas/jaas/modules/UsernamePasswordLoginModule.java#L108-L114
>>>>>>> [2] - https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security.caas/src/main/java/org/wso2/carbon/security/caas/jaas/CarbonPrincipal.java#L76-L82
>>>>>>>
>>>>>>> Regards,
>>>>>>> Omindu.
>>>>>>>
>>>>>>> On Tue, May 3, 2016 at 7:40 PM, Kishanthan Thangarajah <[email protected]> wrote:
>>>>>>>
>>>>>>>> Can you provide a code sample on how the user authorization is done
>>>>>>>> (the flow) based on the above explanation?
>>>>>>>>
>>>>>>>> On Tue, May 3, 2016 at 2:31 PM, Jayanga Kaushalya <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hi Kishanthan,
>>>>>>>>>
>>>>>>>>> The respective store ids are available through the respective beans.
>>>>>>>>> For example, the User bean has the identity store id and the credential
>>>>>>>>> store id. To call an API which requires a store id, you need to have the
>>>>>>>>> respective bean first. For example, authenticating a user by calling the
>>>>>>>>> authenticate method will return a User bean with its identity store id
>>>>>>>>> and credential store id. Otherwise, by calling the getUser(username)
>>>>>>>>> method you can get the User bean. Most of the operations which
>>>>>>>>> require a store id can be called directly from the bean itself. For example,
>>>>>>>>> isUserAuthorized can be called like User.isAuthorized(Permission).
>>>>>>>>>
>>>>>>>>> Thanks!
>>>>>>>>>
>>>>>>>>> *Jayanga Kaushalya*
>>>>>>>>> Software Engineer
>>>>>>>>> Mobile: +94777860160
>>>>>>>>> WSO2 Inc. | http://wso2.com
>>>>>>>>> lean.enterprise.middleware
>>>>>>>>>
>>>>>>>>> On Tue, May 3, 2016 at 11:56 AM, Kishanthan Thangarajah <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> In most of the API methods we could see that we need to pass the
>>>>>>>>>> identityStoreId, like below.
>>>>>>>>>>
>>>>>>>>>> public boolean isUserAuthorized(String userId, Permission permission, String identityStoreId)
>>>>>>>>>>
>>>>>>>>>> How do we identify this store-id before calling?
>>>>>>>>>>
>>>>>>>>>> On Sat, Apr 30, 2016 at 10:12 PM, Jayanga Kaushalya <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi Darshana,
>>>>>>>>>>>
>>>>>>>>>>> Yes, those links are correct. We have changed the package name
>>>>>>>>>>> from org.wso2.carbon.security to org.wso2.carbon.security.caas since that
>>>>>>>>>>> is the name we are going to use in future.
>>>>>>>>>>>
>>>>>>>>>>> Thanks!
>>>>>>>>>>>
>>>>>>>>>>> On Sat, Apr 30, 2016 at 6:49 PM, Darshana Gunawardana <[email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> I assume these should be the correct links. @Jayanga please
>>>>>>>>>>>> correct me if I'm wrong.
>>>>>>>>>>>>
>>>>>>>>>>>> [1] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security.caas/src/main/java/org/wso2/carbon/security/caas/user/core/service/RealmService.java
>>>>>>>>>>>> [2] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security.caas/src/main/java/org/wso2/carbon/security/caas/user/core/common/CarbonRealmServiceImpl.java
>>>>>>>>>>>> [3] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security.caas/src/main/java/org/wso2/carbon/security/caas/user/core/store/AuthorizationStore.java
>>>>>>>>>>>> [4] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security.caas/src/main/java/org/wso2/carbon/security/caas/user/core/store/CredentialStore.java
>>>>>>>>>>>> [5] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security.caas/src/main/java/org/wso2/carbon/security/caas/user/core/store/IdentityStore.java
>>>>>>>>>>>>
>>>>>>>>>>>> Regards,
>>>>>>>>>>>> Darshana
>>>>>>>>>>>>
>>>>>>>>>>>> On Fri, Apr 29, 2016 at 11:36 PM, Kishanthan Thangarajah <[email protected]> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Can you send the correct GitHub links to these APIs?
>>>>>>>>>>>>> The provided links are either wrong or packages/modules have been
>>>>>>>>>>>>> renamed.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Fri, Apr 29, 2016 at 6:35 PM, Jayanga Kaushalya <[email protected]> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi all,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> User core related authentication and authorization operations
>>>>>>>>>>>>>> can be accessed through RealmService. The diagram below gives a brief
>>>>>>>>>>>>>> outlook of the Realm service and the respective stores.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> *RealmService*
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> The Realm service is the User Core API which is exposed to
>>>>>>>>>>>>>> external users. Each store can be accessed through the realm
>>>>>>>>>>>>>> service. The API is available in [1].
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> *CarbonRealmServiceImpl*
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Implementation of the realm service. The API is available in [2].
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> *IdentityStore*
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> The Identity store contains all identity management related read-only
>>>>>>>>>>>>>> operations. All CRUD operations related to identity management will be
>>>>>>>>>>>>>> available through an extended version of the user core, which will be
>>>>>>>>>>>>>> available through the carbon identity repository.
>>>>>>>>>>>>>> API details are available in [5].
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> *CredentialStore*
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> The Credential store contains all credential management related
>>>>>>>>>>>>>> read-only operations. All CRUD operations related to credential
>>>>>>>>>>>>>> management will be available through an extended version of the
>>>>>>>>>>>>>> user core, which will be available through the carbon identity repository.
>>>>>>>>>>>>>> API details are available in [4].
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> *AuthorizationStore*
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> All authorization related CRUD operations will be available
>>>>>>>>>>>>>> through the authorization store. API details are available in [3].
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [1] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security/src/main/java/org/wso2/carbon/security/user/core/service/RealmService.java
>>>>>>>>>>>>>> [2] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security/src/main/java/org/wso2/carbon/security/user/core/common/CarbonRealmServiceImpl.java
>>>>>>>>>>>>>> [3] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security/src/main/java/org/wso2/carbon/security/user/core/store/AuthorizationStore.java
>>>>>>>>>>>>>> [4] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security/src/main/java/org/wso2/carbon/security/user/core/store/CredentialStore.java
>>>>>>>>>>>>>> [5] https://github.com/wso2/carbon-security/blob/master/components/org.wso2.carbon.security/src/main/java/org/wso2/carbon/security/user/core/store/IdentityStore.java
>>>>>>>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> *Kishanthan Thangarajah*
>>>>>>>> Associate Technical Lead,
>>>>>>>> Platform Technologies Team,
>>>>>>>> WSO2, Inc.
>>>>>>>> lean.enterprise.middleware
>>>>>>>>
>>>>>>>> Mobile - +94773426635
>>>>>>>> Blog - http://kishanthan.wordpress.com
>>>>>>>> Twitter - http://twitter.com/kishanthan
>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Omindu Rathnaweera
>>>>>>> Software Engineer, WSO2 Inc.
>>>>>>> Mobile: +94 771 197 211
>>>>>>>
>>>>
>>>> --
>>>> Regards,
>>>>
>>>> *Darshana Gunawardana*
>>>> Senior Software Engineer
>>>> WSO2 Inc.; http://wso2.com
>>>>
>>>> E-mail: [email protected]
>>>> Mobile: +94718566859
>>>> Lean . Enterprise . Middleware
>>>>
>
> --
> With regards,
> *Manu*ranga Perera.
>
> phone : 071 7 70 20 50
> mail : [email protected]
>

--
Thanks & Regards,
Prabath

Twitter : @prabath
LinkedIn : http://www.linkedin.com/in/prabathsiriwardena

Mobile : +1 650 625 7950

http://facilelogin.com
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
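As an added illustration of the model Darshana describes in the thread (this is not carbon-security's own code), the Python sketch below keeps the IdentityStore/AuthorizationStore split: groups carry users, roles carry permissions, and a user's effective roles are the directly assigned ones plus the roles mapped to each group the user belongs to, which is also how a set of roles reaches a whole group of users, the case Prabath asks about. The class and method names, the sample users, groups and permission strings are all constructed for this example.

```python
class IdentityStore:
    """Owns groups and the user-group mapping; it knows nothing about permissions."""
    def __init__(self):
        self.groups = {}  # group id -> set of user ids (constructed in-memory model)
    def add_user_to_group(self, user, group):
        self.groups.setdefault(group, set()).add(user)
    def remove_user_from_group(self, user, group):
        self.groups.get(group, set()).discard(user)
    def get_groups_of_user(self, user):
        return {g for g, members in self.groups.items() if user in members}


class AuthorizationStore:
    """Owns roles, permissions and the role-permission, role-group and role-user mappings."""
    def __init__(self):
        self.role_permissions = {}  # role id -> set of (name, action) permissions
        self.user_roles = {}        # user id -> roles assigned directly (Role-User mapping)
        self.group_roles = {}       # group id -> roles assigned to the whole group (Role-Group mapping)
    def add_permission_to_role(self, role, perm):
        self.role_permissions.setdefault(role, set()).add(perm)
    def assign_role_to_user(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)
    def assign_role_to_group(self, group, role):
        self.group_roles.setdefault(group, set()).add(role)
    def get_roles_of_user(self, identity_store, user):
        """Effective roles: direct assignments plus the roles of every group the user is in."""
        roles = set(self.user_roles.get(user, ()))
        for group in identity_store.get_groups_of_user(user):
            roles |= self.group_roles.get(group, set())
        return roles
    def is_user_authorized(self, identity_store, user, perm):
        # A group never grants a permission by itself; only roles carry permissions.
        roles = self.get_roles_of_user(identity_store, user)
        return any(perm in self.role_permissions.get(r, ()) for r in roles)


def demo():
    """Constructed scenario: devTeam gets the deployer role as a group, carol is admin directly."""
    ids, authz = IdentityStore(), AuthorizationStore()
    for member in ("alice", "bob"):
        ids.add_user_to_group(member, "devTeam")
    deploy, manage = ("/permission/apps/deploy", "execute"), ("/permission/admin/users", "write")
    authz.add_permission_to_role("deployer", deploy)
    authz.add_permission_to_role("admin", manage)
    authz.assign_role_to_group("devTeam", "deployer")  # one mapping covers every member
    authz.assign_role_to_user("carol", "admin")
    before = authz.is_user_authorized(ids, "bob", deploy)
    ids.remove_user_from_group("bob", "devTeam")  # leaving the group revokes the inherited role
    return {"alice_deploy": authz.is_user_authorized(ids, "alice", deploy),
            "alice_manage": authz.is_user_authorized(ids, "alice", manage),
            "carol_manage": authz.is_user_authorized(ids, "carol", manage),
            "bob_deploy_before": before,
            "bob_deploy_after": authz.is_user_authorized(ids, "bob", deploy)}
```

Because the permission check walks group membership at call time, removing a user from the group is enough to revoke everything the group's roles granted; no per-user role cleanup is needed.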
