[
https://issues.apache.org/jira/browse/CONNECTORS-792?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13802734#comment-13802734
]
Karl Wright commented on CONNECTORS-792:
----------------------------------------
Basically, instead of one authority, SharePoint Claim Space is designed to
allow multiple authorities to provide authorization for one repository. For
example, a SharePoint user might provide native SharePoint groups, while an
Active Directory user might provide Active Directory-linked SharePoint
groups. A Facebook user might provide Facebook groups.
The same user name is not necessarily applicable to all of these; it would be
inappropriate to send a Facebook user to an Active Directory authority, etc.
This model requires multiple authorization domains, and multiple authorities
per repository connection. So what I see here is a broader picture where there
are several structural changes to how authorities work:
(1) Incoming users to the authority service have an attached authorization
domain name, and there can be multiple domain/user pairs in each request. This
has been previously proposed elsewhere; it is time now to make this official.
(2) Each domain selects for N authorities and their prerequisite mappers. So if
a request contains two authorization domains, two entirely different sets of
authorities are fired off as a result: one set associated with one domain, and
the other set with the other domain. Each mapper and authority receives one
user name, as before. (This implies a schema change so that a domain name can
be entered for each authority.)
(3) Each repository connection may use an authority connection from each of
multiple domains. The best way to model this is to create a new high-level
entity we'll call an "authorization group". Instead of optionally pointing at
an authority connection, repository connections point at an authorization
group. Authority connections also point at an authorization group, in such a
way that no two authority connections that share the same authorization domain
name can also share the same authorization group. (This requirement could be
dropped in the future if it seems burdensome and unnecessary.)
This basic change requires changes to the schema, to the UI, to the REST API,
and to the documentation.
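A toy model of the three rules above (a request carrying several domain/user pairs, each domain routed only to its own authority, and an authorization group that admits at most one authority per domain), added here as an illustration; it is not ManifoldCF code, and the class names, the sample users and the token strings are all constructed for the example.

```python
# Illustration of the proposed authorization-group model (hypothetical names,
# constructed sample data; not the ManifoldCF implementation).
from dataclasses import dataclass


@dataclass
class AuthorityConnection:
    name: str
    domain: str        # authorization domain this authority answers for
    group: str         # authorization group the connection points at
    tokens_for: dict   # constructed sample data: user name -> set of access tokens


class AuthorizationGroup:
    """Rule (3): repository connections point at a group; no two authority
    connections with the same authorization domain may share one group."""

    def __init__(self, name):
        self.name = name
        self.authorities = {}  # domain -> AuthorityConnection

    def add(self, auth):
        if auth.group != self.name:
            raise ValueError(f"{auth.name} points at group {auth.group!r}, not {self.name!r}")
        if auth.domain in self.authorities:
            raise ValueError(f"group {self.name!r} already has an authority for domain {auth.domain!r}")
        self.authorities[auth.domain] = auth


def resolve_tokens(group, request):
    """Rule (1): request is a list of (domain, user) pairs.
    Rule (2): each domain fires only the authority registered for that domain,
    and each authority sees exactly one user name. A domain the group has no
    authority for is skipped, so a Facebook user is never handed to the Active
    Directory authority. The tokens from all domains are amalgamated."""
    tokens = set()
    for domain, user in request:
        auth = group.authorities.get(domain)
        if auth is None:
            continue
        tokens.update(auth.tokens_for.get(user, ()))
    return sorted(tokens)


def demo():
    # One SharePoint repository, one group, two authorities in different domains.
    sp = AuthorityConnection("sp-native", "sharepoint", "sp-group",
                             {"alice": {"sp:sales-site"}})
    ad = AuthorityConnection("ad-linked", "activedirectory", "sp-group",
                             {"CORP\\alice": {"ad:domain-users", "ad:sales-dl"}})
    group = AuthorizationGroup("sp-group")
    group.add(sp)
    group.add(ad)
    request = [("sharepoint", "alice"), ("activedirectory", "CORP\\alice"),
               ("facebook", "alice")]  # no Facebook authority in this group
    return resolve_tokens(group, request)
```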
> Authorization model needs domains and multiple authorities per repository
> connection
> ------------------------------------------------------------------------------------
>
> Key: CONNECTORS-792
> URL: https://issues.apache.org/jira/browse/CONNECTORS-792
> Project: ManifoldCF
> Issue Type: Improvement
> Components: Authority Service, Framework crawler agent
> Affects Versions: ManifoldCF 1.5
> Reporter: Karl Wright
> Assignee: Karl Wright
> Fix For: ManifoldCF 1.5
>
>
> The authorization model needs to be able to handle multiple, independent,
> forms of identity, and the access tokens from these needs to be amalgamated
> in order to support federated repositories like SharePoint with Claim Space
> Auth.
--
This message was sent by Atlassian JIRA
(v6.1#6144)