Hi all,

The changes are committed in docker_integration branch
https://github.com/apache/stratos/commit/29bf5f164ea6b77a34b876406cc2d3da95231109

*Created JIRAs*
https://issues.apache.org/jira/browse/STRATOS-799
https://issues.apache.org/jira/browse/STRATOS-800
https://issues.apache.org/jira/browse/STRATOS-801

Wrote a blog post covering the changes.
http://blog.lasindu.com/2014/09/apache-stratos-410-user-management-and.html

On Sun, Sep 7, 2014 at 3:56 PM, Lasindu Charith <[email protected]> wrote:

> Attached the permission model for Tenant User.
>
> On Sun, Sep 7, 2014 at 3:55 PM, Lasindu Charith <[email protected]> wrote:
>
>> Hi all,
>>
>> Please find the progress below.
>>
>> Carbon User Management feature was installed in p2-profile gen since we
>> are including user management functionality in Stratos 4.1.0. A user role
>> called 'Tenant-User' will be created with the following permissions. Tenant
>> user can view Autoscaling policies, Cartridge definitions, deployment
>> policies, partition definitions, service definitions, subscriptions in the
>> tenant space while only having the ability to add/remove subscriptions.
>>
>> [image: Inline image 1]
>>
>> stratos.manager, cloud.controller and autoscaler component
>> services/component.xmls were modified to include relevant permissions
>> and AuthorizationActions to call particular service methods. The
>> StratosAdmin REST API methods' @AuthorizationAction was changed to
>> facilitate the above permission model.
>>
>> In the current implementation the stratos UI permissions and REST API
>> permissions are handled separately. UI permissions are predefined for
>> Stratos Admin and Tenant admin separately in the acl.json file. The whole
>> UI permission model needs to be changed to use carbon user management and
>> permissions using Jaggery, which I will be looking into next. Will be
>> including couple of REST API methods to create/delete/modify tenant users
>> and roles.
>>
>> WIP :
>> https://github.com/lasinducharith/stratos/commit/0f018ffb6d9ac33f67d568d7ff3d9688e8f45a43
>>
>> Thanks,
>>
>> On Mon, Sep 1, 2014 at 5:07 PM, Lasindu Charith <[email protected]> wrote:
>>
>>> Hi Reka,
>>>
>>> On Mon, Sep 1, 2014 at 4:50 PM, Reka Thirunavukkarasu <[email protected]>
>>> wrote:
>>>
>>>> Hi Lasindu
>>>>
>>>> On Fri, Aug 29, 2014 at 2:09 PM, Lasindu Charith <[email protected]>
>>>> wrote:
>>>>
>>>>> Hi devs,
>>>>>
>>>>> I'm in the process of extending the User Management and Permission
>>>>> model for Stratos 4.1.0.
>>>>> (See email discussions with following subjects : Role based access
>>>>> and functionality for Stratos & Introducing tenant isolation in
>>>>> policy/definition creation and usage).
>>>>>
>>>>> As discussed above, the proposed User/tenant Management will be as
>>>>> following.
>>>>>
>>>>> 1. Mainly there are 3 users, Stratos Admin (Super Admin), Tenant
>>>>> Admin and the Tenant User.
>>>>>
>>>> Don't you need to have Super Admin users as well? So that we can give
>>>> some role based access even to Multiple super admins.
>>>>
>>>
>>> Yes, in the super tenant space, super tenant can have multiple
>>> (super)tenant admins as well as (super)tenant users. This should work
>>> similar to the way other tenant spaces work. In the initial step we are
>>> planning to create pre defined user roles in Carbon, so that at the time of
>>> user creation, tenant admins can select the user role.
>>>
>>>>
>>>>>
>>>>> 1. Tenant(admin) creation will be moved back to the Carbon UI and
>>>>> tenant user creation will be done in new Stratos UI. Tenant user
>>>>> will have a set of pre-defined roles to be assigned at the user
>>>>> creation time.
>>>>> 2. Stratos Admin will mostly use the Carbon UI to create new
>>>>> tenants and will also have his own super tenant space to create new
>>>>> policies, definitions, users, subscribe to cartridges etc. IaaS
>>>>> configuration will be done by the Stratos admin.
>>>>> 3. A tenant admin will use the new UI to configure the tenant
>>>>> space - this includes creation of policies, definitions and deploying
>>>>> them, adding tenant users and assigning them roles.
>>>>> 4. A tenant user will use the new UI to create/deploy
>>>>> applications (previously referred to as subscribe) which are visible
>>>>> within that tenant space.
>>>>>
>>>>> The existing permission model needs to be extended to support
>>>>> tenant/user level separation and
>>>>> REST API should provide role based access. Will update the thread with
>>>>> progress.
>>>>>
>>>>
>>>> Are you introducing any permissions specific to Super/Tenant
>>>> admin/users in stratos? So that we can assign the users to relevant roles
>>>> based on the permissions given.
>>>>
>>>
>>> Yes, only Super tenant can create/delete tenants, but any tenant admin
>>> can deploy/edit/delete policies, cartridge definitions, partitions etc. So
>>> there are specific permissions for super admin/tenant, tenant admin and
>>> tenant user. These will ideally be user roles in carbon user management
>>> model.
>>>
>>>>
>>>>> Suggestions and thoughts are welcome ..
>>>>>
>>>>> Thanks,
>>>> Reka
>>>>
>>>>>
>>>>> Thanks,
>>>>> --
>>>>> *Lasindu Charith*
>>>>> Software Engineer, WSO2 Inc.
>>>>> Mobile: +94714427192
>>>>> Web: blog.lasindu.com
>>>>>
>>>>
>>>> --
>>>> Reka Thirunavukkarasu
>>>> Senior Software Engineer,
>>>> WSO2, Inc.:http://wso2.com,
>>>> Mobile: +94776442007
>>>>
>>>
>>> Thanks,
>>> --
>>> *Lasindu Charith*
>>> Software Engineer, WSO2 Inc.
>>> Mobile: +94714427192
>>> Web: blog.lasindu.com
>>>
>>
>> --
>> *Lasindu Charith*
>> Software Engineer, WSO2 Inc.
>> Mobile: +94714427192
>> Web: blog.lasindu.com
>>
>
> --
> *Lasindu Charith*
> Software Engineer, WSO2 Inc.
> Mobile: +94714427192
> Web: blog.lasindu.com
>

--
*Lasindu Charith*
Software Engineer, WSO2 Inc.
Mobile: +94714427192
Web: blog.lasindu.com
