Hi Himasha,

The user who creates the resource will have permission for all actions on the given resource. Other users will depend on their global permission on the given resource type. The resource ownership concept in the C5 model hasn't been finalized yet. Will check on that as well.

Thanks,
Waruna

On Fri, Jan 12, 2018 at 7:21 AM, Himasha Guruge <[email protected]> wrote:
> Hi Waruna,
>
> Have we decided which permissions will be allocated for a user by default
> when creating a queue/topic? Are we going to consider the ownership concept
> for this, that was discussed in the C5 permission model? [1]
>
> [1] https://docs.google.com/document/d/1yosWL_kTxUWFukcoU7DtrtZdRuiK0ghySs96u4lfUHU/edit#heading=h.81aqdsft1abw
>
> Thanks,
> Himasha
>
> On Tue, Jan 9, 2018 at 12:07 AM, Waruna Jayaweera <[email protected]> wrote:
>> Hi,
>> Reattaching the missing diagram.
>>
>> [image: Inline image 1]
>>
>> Thanks,
>> Waruna
>>
>> On Tue, Jan 9, 2018 at 12:00 AM, Waruna Jayaweera <[email protected]> wrote:
>>> Hi,
>>>
>>> The message broker requires an authorization model to control access to
>>> resources like topics/queues based on user groups. This is to provide the
>>> initial design for $Subject.
>>>
>>> An example use case would be as follows. We have three user groups (roles)
>>> A, B and manager, and two topics T1 and T2. We need to restrict users in
>>> each group as below.
>>>
>>> 1. T1 can be subscribed to only by A and published to only by B
>>> 2. T2 can be subscribed to only by B and published to only by A
>>> 3. Manager users can subscribe and publish to any topic, but can only
>>>    subscribe to queues.
>>>
>>> The following entities can be identified.
>>>
>>> User groups: A, B and manager
>>> Resources: T1 and T2
>>> Resource Groups: Topic, Queue
>>> Actions: subscribe, publish, view etc.
>>> Permission: resource + actions
>>>
>>> We can represent the permissions using binary-form mappings with
>>> resource and user group. These permissions can be defined per resource or
>>> globally as well.
>>>
>>> Per Resource
>>>
>>>   Resource | User Group | Actions (publish, subscribe) | Permission
>>>   T1       | A          | 0, 1                         | 01
>>>   T2       | B          | 1, 0                         | 10
>>>
>>> Global Permission
>>>
>>>   Resource Type | User Group | Actions (publish, subscribe) | Permission
>>>   Topic         | admin      | 1, 1                         | 11
>>>   Queue         | admin      | 1, 0                         | 10
>>>
>>> Permissions will be stored in the database similarly to [1]. The following
>>> figure shows the proposed implementation for $subject.
>>>
>>> The connection handler can fetch the MB resource permission mappings from the
>>> database and user group information from the underlying user store manager.
>>> Authorized users can add permissions to groups using the permission API. Each
>>> resource can have its own way of handling permissions. As an example, in the
>>> hierarchical topic scenario, if a given user group has permission to a top-level
>>> topic, it will be granted the permission to the lower-level topic structure
>>> as well.
>>>
>>> This is the initial design for the permission model and we will schedule a
>>> design review for further discussion. Your suggestions are highly
>>> appreciated!
>>>
>>> [1] [Architecture] [APIM][C5] API Manager entities (APIs/Applications/Docs
>>> etc.) permission model and group sharing.
>>>
>>> Thanks,
>>> Waruna
>>>
>>> --
>>> Regards,
>>>
>>> Waruna Lakshitha Jayaweera
>>> Senior Software Engineer
>>> WSO2 Inc; http://wso2.com
>>> phone: +94713255198
>>> http://waruapz.blogspot.com/
>>
>> --
>> Regards,
>>
>> Waruna Lakshitha Jayaweera
>> Senior Software Engineer
>> WSO2 Inc; http://wso2.com
>> phone: +94713255198
>> http://waruapz.blogspot.com/
>>
>> _______________________________________________
>> Architecture mailing list
>> [email protected]
>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>
> --
> Himasha Guruge
> Senior Software Engineer
> WSO2 Inc.
> Mobile: +94 777459299
> [email protected]

--
Regards,

Waruna Lakshitha Jayaweera
Senior Software Engineer
WSO2 Inc; http://wso2.com
phone: +94713255198
http://waruapz.blogspot.com/
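The permission scheme discussed in this thread (per-resource and global bit mappings, the "publish, subscribe" bit order from the tables, ancestor-topic inheritance, and the "creator gets all actions" rule from the reply), modelled as an added example. This is illustration code written for this page, not WSO2 MB code. Assumptions: topic hierarchy levels are separated by "/", a user's bits are the OR over all of their groups, no grant means deny, the manager group's queue permission is "01" as in the use case rather than the admin row of the table, and all user, group and resource names are constructed.

```python
"""Model of the per-resource / global permission tables from the thread.

Permission string layout follows the tables: "<publish><subscribe>", so
"01" = subscribe only, "10" = publish only, "11" = both.
"""
from typing import Dict, Iterable, List, Tuple

PUBLISH = 0b10    # high bit of the two-bit permission
SUBSCRIBE = 0b01  # low bit
ACTION_BITS = {"publish": PUBLISH, "subscribe": SUBSCRIBE}
ALL_ACTIONS = PUBLISH | SUBSCRIBE


def bits_from_str(perm: str) -> int:
    """'01' -> 0b01; rejects anything that is not exactly two binary digits."""
    if len(perm) != 2 or any(c not in "01" for c in perm):
        raise ValueError(f"bad permission string {perm!r}")
    return int(perm, 2)


def str_from_bits(bits: int) -> str:
    """0b01 -> '01' (the representation used in the tables)."""
    return format(bits & ALL_ACTIONS, "02b")


def topic_prefixes(name: str) -> List[str]:
    """Top-level topic first, then each deeper level (assumed '/' separator)."""
    parts = name.split("/")
    return ["/".join(parts[: i + 1]) for i in range(len(parts))]


class PermissionStore:
    """In-memory stand-in for the database tables described in the mail."""

    def __init__(self) -> None:
        # per-resource table: (resource_type, resource, group) -> bits
        self.per_resource: Dict[Tuple[str, str, str], int] = {}
        # global table: (resource_type, group) -> bits
        self.global_perms: Dict[Tuple[str, str], int] = {}
        # creator of each resource (assumed owner rule from the reply)
        self.owners: Dict[Tuple[str, str], str] = {}

    def create_resource(self, rtype: str, name: str, creator: str) -> None:
        self.owners[(rtype, name)] = creator

    def grant_resource(self, rtype: str, name: str, group: str, perm: str) -> None:
        self.per_resource[(rtype, name, group)] = bits_from_str(perm)

    def grant_global(self, rtype: str, group: str, perm: str) -> None:
        self.global_perms[(rtype, group)] = bits_from_str(perm)

    def effective_bits(self, rtype: str, name: str, user: str,
                       groups: Iterable[str]) -> int:
        """OR of global bits and per-resource bits over all of the user's groups."""
        if self.owners.get((rtype, name)) == user:
            return ALL_ACTIONS  # creator: every action on that resource
        # Topics inherit grants made on any ancestor in the hierarchy; queues are flat.
        names = topic_prefixes(name) if rtype == "topic" else [name]
        bits = 0
        for group in groups:
            bits |= self.global_perms.get((rtype, group), 0)
            for n in names:
                bits |= self.per_resource.get((rtype, n, group), 0)
        return bits

    def is_authorized(self, rtype: str, name: str, user: str,
                      groups: Iterable[str], action: str) -> bool:
        needed = ACTION_BITS.get(action)
        if needed is None:
            return False  # unknown action: deny rather than guess
        return bool(self.effective_bits(rtype, name, user, groups) & needed)


def build_example_store() -> PermissionStore:
    """The three-group / two-topic scenario from the mail (constructed data)."""
    store = PermissionStore()
    for rtype, name in (("topic", "T1"), ("topic", "T2"), ("queue", "Q1")):
        store.create_resource(rtype, name, "broker-ops")
    store.grant_resource("topic", "T1", "A", "01")  # A subscribes to T1
    store.grant_resource("topic", "T1", "B", "10")  # B publishes to T1
    store.grant_resource("topic", "T2", "A", "10")  # A publishes to T2
    store.grant_resource("topic", "T2", "B", "01")  # B subscribes to T2
    store.grant_global("topic", "manager", "11")    # manager: any topic
    store.grant_global("queue", "manager", "01")    # manager: subscribe to queues only
    return store


if __name__ == "__main__":
    s = build_example_store()
    for user, groups in (("ann", ["A"]), ("bob", ["B"]), ("mia", ["manager"])):
        for rtype, name in (("topic", "T1"), ("topic", "T2/alerts"), ("queue", "Q1")):
            print(user, rtype, name, str_from_bits(s.effective_bits(rtype, name, user, groups)))
```

Per-resource rows restrict by omission: A's "01" on T1 grants subscribe, and nobody else gets T1 without a row of their own, while the manager group's global "11" on the topic type covers every topic without a per-resource row. The hierarchical case works because a grant on "T1" is also found when checking "T1/news".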
