Pradeep, Thanks for the reply.
On Mon, Oct 7, 2013 at 10:42 AM, Pradeep Fernando <[email protected]>wrote: > > Hi Nirmal, > > Please find answers inline, > > On Sat, Oct 5, 2013 at 10:04 AM, Nirmal Fernando > <[email protected]>wrote: > >> Hi Pradeep, >> >> Thanks for this contribution. I hope this will provide the basis for >> others to build Stratos REST API. >> >> Few questions inline. >> >> On Fri, Oct 4, 2013 at 10:57 PM, Pradeep Fernando <[email protected]>wrote: >> >>> Hi Devs, >>> >>> >>> I came up with implemented the above feature and the patch can be found >>> at, [1] >>> >>> *How it works* >>> >>> - The web-app to Carbon runtime state exchange happens via OSGi services >>> - The JAX-RS application is using Apache CXF as the REST engine >>> - Authentication and Authorization of incoming requests are handled >>> using two seperate JAX-RS providers registered against the service class >>> - Authentication/Authorization is closely integrated to the underlying >>> carbon authentication/authorizaiton framework >>> - I have defined two new annotation classes to capture method level >>> permission details >>> * @AuthorizationAction("PermissionString") - allows the admin >>> service writer to annotate a certain operation with permission string. >>> Request get authorized only if the invoking user has enough permissions >>> >> >> Where are these permissions stored? Can you explain how can someone >> compile this string? >> > > This is permission string related to carbon permission model. IIRC, this > is the same string that you use inside services.xml AuthorizationAction > element > > > >> >> >>> * @SuperTenantService (true|false) - only the super-tenant user >>> can access the service >>> >> >> false implies all the tenants including super-tenant can access this >> operation right? If so, can you please consider renaming this annotation? >> > > In the Carbon permission structure, super-tenant is special. Other way > around, that is super-tenant can perform tenant operations is implicit > IMHO. In that sense, when we say, @SuperTenantService(false) it means it is > not a super tenant service. - > any other tenant admin service. I'm ok to > change this annotation, two concerns, > > 1. I used the same jargon that is being used in services.xml. > <SuperTenantService>. Introducing another wording for the same thing might > be confusing. > 2. We don't really use @SuperTenantService(false) annotation. default is > false. > > May be we should change this to a marker annoation, - > @SuperTenantService > +1, makes sense. So, if you want to restrict an operation only for super tenant access, you use @SuperTenantService annotation. > > >> >>> - During the deployment time, the authorization handler get injected >>> with service bean. It process all the authorization related annotation and >>> builds a information model. When a request comes in it verifies the >>> expected permission vs bearing permission. >>> >>> Can you please explain how someone can plug a new authorization handler? >> What classes to extend, what interfaces to implement etc.? >> > > They just have to implement jaxrs.ReauestHandler interface and declare the > bean in spring config file (cxf-servlet.xml) > > I did not came up with a authentication/authorization abstraction for > Stratos in implementation. > No problem. > It is too early IMHO. Once we have atleast one other > authentication/authorization module we can define the abstraction. > IMO we should go for OAuth2 based authentication/authorization model as soon as possible. We should ideally start building up a wiki page on this too. > > > >> >> >> >>> *Challenges/Approaches that did not work.* >>> >>> CXF project provides a AuthorizationFilter called >>> SimpleAuthorizationFilter[2] for JAAS based request authorization. It uses >>> @RolesAllowed annotation to identify authorized users. However it does not >>> suit well for the Carbon authorization system. Hence I came up with my own >>> Annotation types, which closely resembles, params used in existing WS admin >>> services. >>> >>> >>> *Authentication mechanism is pluggable * >>> >>> - Right now there is only one authenticator. It uses basic-auth to >>> authenticate incoming requests. It is possible to plug in other kinds of >>> authenticators. >>> >>> *How to write your new RESTful admin service* >>> >>> @POST >>> @Path("/tenant/create") >>> @Consumes("application/json") >>> @Produces("application/json") >>> @AuthorizationAction("/permission/protected/manage/monitor/tenants") >>> @SuperTenantService(true) >>> public String addTenant(TenantInfoBean tenantInfoBean) { >>> >>> return success; >>> } >>> >>> *Sample Request from CURL* >>> >>> curl -X POST -H "Content-Type: application/json" -d >>> '{"tenantInfo":{"admin":"admin","firstname":"Frank","lastname":"Myers","adminPassword":"admin123","email":" >>> [email protected]","tenantDomain":"frank.com"}}' -v -u admin:admin >>> https://localhost:9443/stratos/admin/tenant/create >>> >>> >>> *TODO* >>> * >>> * >>> This is more of the framework for implementing RESTful admin APIs. I >>> have implemented two Operations for the moment. We have to populate the >>> service bean with rest of the API. Its matter of porting existing code to >>> new service bean. What is more important is, to carefully design REST >>> endpoints. >>> >>> Unlike WS endpoints, we have to be careful with REST endpoint / where >>> the parameter goes in endpoint / HTTP method used / etc. I will spawn a >>> separate thread on the topic. >>> >>> I have applied the patches to the JIRA. Would be great if the code can >>> be committed to the main trunk. :) >>> >>> >>> [1] https://issues.apache.org/jira/browse/STRATOS-90 >>> [2] http://cxf.apache.org/docs/secure-jax-rs-services.html >>> >>> thanks, >>> --Pradeep >>> >> >> >> >> -- >> Best Regards, >> Nirmal >> >> C.S.Nirmal J. Fernando >> Senior Software Engineer, >> WSO2 Inc. >> >> Blog: http://nirmalfdo.blogspot.com/ >> > > > > thanks, > --Pradeep > -- Best Regards, Nirmal C.S.Nirmal J. Fernando Senior Software Engineer, WSO2 Inc. Blog: http://nirmalfdo.blogspot.com/
