[https://issues.apache.org/jira/browse/FC-144?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15125416#comment-15125416]
Shawn McKinney commented on FC-144:
-----------------------------------
The use case here is federated and multi-tenant login into OpenStack via Keystone.
1. User authenticated in keystone
2. User performs op for a specific tenant.
3. OpenStack Keystone activates a Group for the User, for that particular op.
4. That Group is mapped to a Role(s) inside the tenant's domain.
5. The Role(s) are activated into RBAC Session.
6. Session is 'trusted' because the authN happened earlier.
7. Session is anonymous (the userId is unknown to the tenant).
8. Session used in checkAccess method for authZ inside tenant domain.
wrt the physical data structures:
- Add a multi-occurring Role membership attribute to the Group object class. This allows each Group to have many roles. It would also support a single Role being associated with many Groups. The cardinality is many-to-many.
- This physical data format makes the Group->Role interrogation efficient, requiring just a single 'read' of an object.
> Ability to assign groups to roles
> ---------------------------------
>
> Key: FC-144
> URL: https://issues.apache.org/jira/browse/FC-144
> Project: FORTRESS
> Issue Type: Improvement
> Affects Versions: 1.0.0-RC40
> Reporter: Florin Stingaciu
>
> We are currently working on performing an integration between OpenStack
> Keystone and Fortress Core. We will use Fortress as the authorization backend
> for the rest of OpenStack. We have managed to map most of the current
> functionality in OpenStack within the Fortress schema except for the ability
> to assign roles to a group.
> I've spoken with [~smckinney], and he determined this improvement is a
> feasible addition to Fortress's feature set. After a number of back and
> forths, we have come up with the following requirements as API additions:
> * Session createSession (Group group, boolean isTrusted);
> * void assignGroup ( Group group, Role role );
> * List<Group> roleGroups ( Role role );
> * List<Role> groupRoles ( Group group );
> * the ability to use the above session with checkAccess(Session session,
> Permission perm)
> We also discussed temporal constraints for group to role assignment. Temporal
> constraints will not be utilized as this functionality has not been defined in
> OpenStack.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
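The flow from the comment above (Group activated after Keystone authN, Group mapped to Roles, a trusted but anonymous session, checkAccess confined to the tenant domain) together with the API signatures proposed in the issue, as an added Python model written for this page; it is not Fortress or Keystone code, and the class name GroupRoleRbac, the tenant field on Role and Permission, and the sample group, role and permission names are assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Role:
    name: str
    tenant: str               # a Role lives inside one tenant's domain
@dataclass(frozen=True)
class Permission:
    name: str                 # e.g. "server:create" (constructed sample value)
    tenant: str
@dataclass
class Group:
    name: str
    roles: set = field(default_factory=set)   # multi-occurring Role attribute
@dataclass
class Session:
    active_roles: frozenset
    is_trusted: bool
    user_id: "str | None" = None   # anonymous: tenant never learns the userId

class GroupRoleRbac:          # assumed name, not a Fortress class
    def __init__(self):
        self.groups = {}      # group name -> Group
        self.role_perms = {}  # Role -> set of Permission

    def assign_group(self, group, role):
        # Many-to-many: the Group object carries its Roles, so a single read
        # of the Group answers "which roles does this group activate".
        self.groups.setdefault(group.name, group)
        group.roles.add(role)

    def group_roles(self, group):
        return sorted(group.roles, key=lambda r: r.name)

    def role_groups(self, role):
        return sorted(g.name for g in self.groups.values() if role in g.roles)

    def grant(self, role, perm):
        self.role_perms.setdefault(role, set()).add(perm)

    def create_session(self, group, is_trusted):
        # Trust is asserted by the caller: Keystone already did authN (step 6).
        if not is_trusted:
            raise PermissionError("group session requires prior authentication")
        return Session(active_roles=frozenset(group.roles), is_trusted=True)

    def check_access(self, session, perm):
        # Allow only if an activated Role of the same tenant grants the perm.
        return any(perm in self.role_perms.get(r, ()) and r.tenant == perm.tenant
                   for r in session.active_roles)
```

The tenant comparison in check_access is the guard that keeps a misconfigured cross-tenant grant from being honoured by an anonymous group session.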