Hi,

Reattaching the missing diagram.

[image: Inline image 1]
Thanks,
Waruna

On Tue, Jan 9, 2018 at 12:00 AM, Waruna Jayaweera <[email protected]> wrote:
> Hi,
>
> The message broker requires an authorization model for access control of
> resources like Topics/Queues based on user groups. This is to provide the
> initial design for $Subject.
> An example use case would be as follows. We have three user groups (roles)
> A, B and manager, and two topics T1 and T2. We need to restrict users in
> the groups as below.
>
> 1. T1 can be subscribed to by only A and published to by only B
> 2. T2 can be subscribed to by only B and published to by only A
> 3. Manager users can subscribe and publish to any topic but can only
>    subscribe to queues.
>
> The following entities can be identified.
>
> *User groups:* A, B and manager
> *Resources:* T1 and T2
> *Resource Groups:* Topic, Queue
> *Actions:* subscribe, publish, view etc.
> *Permission:* resource + actions
>
> We can represent the permissions in binary form, mapped to a resource and
> a user group. These permissions can be defined per resource or globally
> as well.
>
> *Per Resource*
>
>   Resource   User Group   Actions               Permission
>                           publish   subscribe
>   T1         A            0         1           01
>   T2         B            1         0           10
>
> *Global Permission*
>
>   Resource Type   User Group   Actions               Permission
>                                publish   subscribe
>   Topic           admin        1         1           11
>   Queue           admin        1         0           10
>
> Permissions will be stored in the database similarly to [1]. The following
> figure shows the proposed implementation for $subject.
>
>
> The connection handler can fetch the MB resource permission mappings from
> the database and user group information from the underlying user store
> manager. Authorized users can add permissions to groups using the
> permission API. Each resource can have its own way of handling
> permissions. As an example, in a hierarchical topic scenario, if a given
> user group has permission to a top-level topic, it will be granted the
> permission to the lower-level topic structure as well.
>
> This is the initial design for the permission model and we will schedule a
> design review for further discussion. Your suggestions are highly
> appreciated!
>
> [1] [Architecture] [APIM][C5] API Manager entities (APIs/Applications/Docs
> etc.) permission model and group sharing.
>
> Thanks,
> Waruna
>
> --
> Regards,
>
> Waruna Lakshitha Jayaweera
> Senior Software Engineer
> WSO2 Inc; http://wso2.com
> phone: +94713255198
> http://waruapz.blogspot.com/

--
Regards,

Waruna Lakshitha Jayaweera
Senior Software Engineer
WSO2 Inc; http://wso2.com
phone: +94713255198
http://waruapz.blogspot.com/
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
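The bitmask model in the quoted design (publish/subscribe bits per resource and user group, global bits per resource type, permission inherited down a topic hierarchy), as an added Python illustration that is not part of the thread or of the WSO2 code base. The "/" hierarchy separator, OR-merging of bits across a user's groups and across hierarchy levels, default deny, and the sample data (constructed from the use case in the mail) are assumptions.

```python
# Added illustration of the bitmask permission model from the thread.
# Not WSO2 code: hierarchy separator, OR-merging and default deny are assumed.
PUBLISH = 0b10    # high bit, following the "10"/"01" strings in the mail
SUBSCRIBE = 0b01  # low bit

# Constructed sample data reflecting the use case in the mail.
PER_RESOURCE = {          # (resource, user group) -> permission bits
    ("T1", "A"): SUBSCRIBE,  # "01": A may only subscribe to T1
    ("T1", "B"): PUBLISH,    # "10": B may only publish to T1
    ("T2", "A"): PUBLISH,
    ("T2", "B"): SUBSCRIBE,
}
GLOBAL = {                # (resource type, user group) -> permission bits
    ("Topic", "manager"): PUBLISH | SUBSCRIBE,  # "11": any topic, both actions
    ("Queue", "manager"): SUBSCRIBE,            # "01": queues, subscribe only
}

def topic_chain(topic):
    """Topic and its ancestors, most specific first:
    'T1/news/local' -> ['T1/news/local', 'T1/news', 'T1']."""
    parts = topic.split("/")
    return ["/".join(parts[:i]) for i in range(len(parts), 0, -1)]

def effective_bits(rtype, resource, groups):
    """OR together the per-resource bits (including those inherited from
    parent topics) and the global bits of every group the user belongs to."""
    chain = topic_chain(resource) if rtype == "Topic" else [resource]
    bits = 0
    for group in groups:
        for name in chain:
            bits |= PER_RESOURCE.get((name, group), 0)
        bits |= GLOBAL.get((rtype, group), 0)
    return bits

def is_allowed(rtype, resource, groups, action):
    """Default deny: allowed only if the action's bit is set in the mask."""
    return bool(effective_bits(rtype, resource, groups) & action)

def permission_string(rtype, resource, groups):
    """Render the effective mask as the 2-bit string used in the design tables."""
    return f"{effective_bits(rtype, resource, groups):02b}"

if __name__ == "__main__":
    print(permission_string("Topic", "T1", ["A"]))           # 01
    print(is_allowed("Topic", "T1/news", ["A"], SUBSCRIBE))  # True (inherited)
    print(is_allowed("Queue", "Q1", ["manager"], PUBLISH))   # False
```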
