Hi, gentle reminder..

--Pradeep

On Tue, Oct 8, 2013 at 11:27 AM, Pradeep Fernando <[email protected]> wrote:

> Appreciate if someone can add my patch to the trunk... I will provide a
> patch with @SuperTenantService as a marker interface..
>
> thanks,
> --Pradeep
>
> On Mon, Oct 7, 2013 at 1:58 PM, Pradeep Fernando <[email protected]> wrote:
>
>> Yes.. I already created a JIRA task to track oauth authenticator
>>
>> --Pradeep
>> sent from my phone
>>
>> On Oct 7, 2013 12:03 PM, "Nirmal Fernando" <[email protected]> wrote:
>>
>>> Pradeep,
>>>
>>> Thanks for the reply.
>>>
>>> On Mon, Oct 7, 2013 at 10:42 AM, Pradeep Fernando <[email protected]> wrote:
>>>
>>>> Hi Nirmal,
>>>>
>>>> Please find answers inline,
>>>>
>>>> On Sat, Oct 5, 2013 at 10:04 AM, Nirmal Fernando <[email protected]> wrote:
>>>>
>>>>> Hi Pradeep,
>>>>>
>>>>> Thanks for this contribution. I hope this will provide the basis for
>>>>> others to build the Stratos REST API.
>>>>>
>>>>> Few questions inline.
>>>>>
>>>>> On Fri, Oct 4, 2013 at 10:57 PM, Pradeep Fernando <[email protected]> wrote:
>>>>>
>>>>>> Hi Devs,
>>>>>>
>>>>>> I have implemented the above feature and the patch can be found at [1].
>>>>>>
>>>>>> *How it works*
>>>>>>
>>>>>> - The web-app to Carbon runtime state exchange happens via OSGi services
>>>>>> - The JAX-RS application is using Apache CXF as the REST engine
>>>>>> - Authentication and Authorization of incoming requests are handled
>>>>>>   using two separate JAX-RS providers registered against the service class
>>>>>> - Authentication/Authorization is closely integrated to the underlying
>>>>>>   carbon authentication/authorization framework
>>>>>> - I have defined two new annotation classes to capture method level
>>>>>>   permission details
>>>>>>   * @AuthorizationAction("PermissionString") - allows the admin service
>>>>>>     writer to annotate a certain operation with a permission string.
>>>>>>     Requests get authorized only if the invoking user has enough permissions
>>>>>
>>>>> Where are these permissions stored? Can you explain how someone can
>>>>> compile this string?
>>>>
>>>> This is the permission string related to the carbon permission model. IIRC,
>>>> this is the same string that you use inside the services.xml
>>>> AuthorizationAction element
>>>>
>>>>>>   * @SuperTenantService (true|false) - only the super-tenant user
>>>>>>     can access the service
>>>>>
>>>>> false implies all the tenants including super-tenant can access this
>>>>> operation right? If so, can you please consider renaming this annotation?
>>>>
>>>> In the Carbon permission structure, super-tenant is special. The other way
>>>> around, that is super-tenant can perform tenant operations, is implicit
>>>> IMHO. In that sense, when we say @SuperTenantService(false) it means it is
>>>> not a super tenant service -> any other tenant admin service. I'm ok to
>>>> change this annotation, two concerns,
>>>>
>>>> 1. I used the same jargon that is being used in services.xml:
>>>>    <SuperTenantService>. Introducing another wording for the same thing might
>>>>    be confusing.
>>>> 2. We don't really use the @SuperTenantService(false) annotation. The default
>>>>    is false.
>>>>
>>>> Maybe we should change this to a marker annotation -> @SuperTenantService
>>>
>>> +1, makes sense. So, if you want to restrict an operation only for super
>>> tenant access, you use the @SuperTenantService annotation.
>>>
>>>>>> - During deployment time, the authorization handler gets injected
>>>>>>   with the service bean. It processes all the authorization related
>>>>>>   annotations and builds an information model. When a request comes in it
>>>>>>   verifies the expected permission vs the bearing permission.
>>>>>
>>>>> Can you please explain how someone can plug in a new authorization
>>>>> handler? What classes to extend, what interfaces to implement etc.?
>>>>
>>>> They just have to implement the jaxrs.RequestHandler interface and declare
>>>> the bean in the spring config file (cxf-servlet.xml)
>>>>
>>>> I did not come up with an authentication/authorization abstraction for
>>>> Stratos in this implementation.
>>>
>>> No problem.
>>>
>>>> It is too early IMHO. Once we have at least one other
>>>> authentication/authorization module we can define the abstraction.
>>>
>>> IMO we should go for an OAuth2 based authentication/authorization model as
>>> soon as possible.
>>>
>>> We should ideally start building up a wiki page on this too.
>>>
>>>>>> *Challenges/Approaches that did not work.*
>>>>>>
>>>>>> The CXF project provides an AuthorizationFilter called
>>>>>> SimpleAuthorizationFilter [2] for JAAS based request authorization. It
>>>>>> uses the @RolesAllowed annotation to identify authorized users. However it
>>>>>> does not suit the Carbon authorization system well. Hence I came up
>>>>>> with my own Annotation types, which closely resemble the params used in
>>>>>> existing WS admin services.
>>>>>>
>>>>>> *Authentication mechanism is pluggable*
>>>>>>
>>>>>> - Right now there is only one authenticator. It uses basic-auth to
>>>>>>   authenticate incoming requests. It is possible to plug in other kinds
>>>>>>   of authenticators.
>>>>>>
>>>>>> *How to write your new RESTful admin service*
>>>>>>
>>>>>> @POST
>>>>>> @Path("/tenant/create")
>>>>>> @Consumes("application/json")
>>>>>> @Produces("application/json")
>>>>>> @AuthorizationAction("/permission/protected/manage/monitor/tenants")
>>>>>> @SuperTenantService(true)
>>>>>> public String addTenant(TenantInfoBean tenantInfoBean) {
>>>>>>     return "success";
>>>>>> }
>>>>>>
>>>>>> *Sample Request from CURL*
>>>>>>
>>>>>> curl -X POST -H "Content-Type: application/json" -d
>>>>>> '{"tenantInfo":{"admin":"admin","firstname":"Frank","lastname":"Myers","adminPassword":"admin123","email":"[email protected]","tenantDomain":"frank.com"}}'
>>>>>> -v -u admin:admin https://localhost:9443/stratos/admin/tenant/create
>>>>>>
>>>>>> *TODO*
>>>>>>
>>>>>> This is more of the framework for implementing RESTful admin APIs. I
>>>>>> have implemented two Operations for the moment. We have to populate the
>>>>>> service bean with the rest of the API. It's a matter of porting existing
>>>>>> code to the new service bean. What is more important is to carefully
>>>>>> design the REST endpoints.
>>>>>>
>>>>>> Unlike WS endpoints, we have to be careful with the REST endpoint / where
>>>>>> the parameter goes in the endpoint / the HTTP method used / etc. I will
>>>>>> spawn a separate thread on the topic.
>>>>>>
>>>>>> I have applied the patches to the JIRA. Would be great if the code
>>>>>> can be committed to the main trunk. :)
>>>>>>
>>>>>> [1] https://issues.apache.org/jira/browse/STRATOS-90
>>>>>> [2] http://cxf.apache.org/docs/secure-jax-rs-services.html
>>>>>>
>>>>>> thanks,
>>>>>> --Pradeep
>>>>>
>>>>> --
>>>>> Best Regards,
>>>>> Nirmal
>>>>>
>>>>> C.S.Nirmal J. Fernando
>>>>> Senior Software Engineer,
>>>>> WSO2 Inc.
>>>>>
>>>>> Blog: http://nirmalfdo.blogspot.com/
>>>>
>>>> thanks,
>>>> --Pradeep
>>>
>>> --
>>> Best Regards,
>>> Nirmal
>>>
>>> C.S.Nirmal J. Fernando
>>> Senior Software Engineer,
>>> WSO2 Inc.
>>>
>>> Blog: http://nirmalfdo.blogspot.com/
>
> --
> Pradeep Fernando.
> http://pradeepfernando.blogspot.com/

--
Pradeep Fernando.
http://pradeepfernando.blogspot.com/
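The thread describes an authorization handler that, at deployment time, reads @AuthorizationAction and @SuperTenantService off the service bean's methods, builds an information model, and at request time compares the expected permission with the permission the caller bears. The following is an added, self-contained illustration of that two-phase design; it is not the Stratos patch or Carbon code. The two annotations are re-declared here as hypothetical stand-ins, TenantInfoBean is replaced by a plain String so the file compiles alone, the Caller class stands in for whatever the basic-auth authenticator hands over, the super-tenant id is assumed to be Carbon's -1234, and the CXF RequestHandler wiring mentioned in the thread is left out: in a deployment, isAuthorized would be called from that handler before the resource method runs.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Hypothetical re-declarations of the two annotations described in the thread (not the Stratos source).
@Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
@interface AuthorizationAction { String value(); }

@Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
@interface SuperTenantService { boolean value() default true; }

/** One entry of the "information model": what an annotated operation expects from its caller. */
final class Rule {
    final String permission;        // Carbon-style permission string, or null if the method has none
    final boolean superTenantOnly;
    Rule(String permission, boolean superTenantOnly) {
        this.permission = permission;
        this.superTenantOnly = superTenantOnly;
    }
}

/** The authenticated caller as an authenticator would hand it over; constructed for this demo. */
final class Caller {
    final String username;
    final int tenantId;
    final Set<String> permissions;  // permissions the caller bears (in Carbon these come from the user store)
    Caller(String username, int tenantId, Set<String> permissions) {
        this.username = username;
        this.tenantId = tenantId;
        this.permissions = permissions;
    }
}

/** Builds the model once per service bean (deployment time), then answers per-request checks. */
final class AnnotationAuthorizer {
    // Assumption: Carbon's super-tenant id (MultitenantConstants.SUPER_TENANT_ID), hard-coded here.
    static final int SUPER_TENANT_ID = -1234;
    private final Map<Method, Rule> rules = new HashMap<>();

    /** Deployment time: scan the bean's public methods and record one Rule per annotated operation. */
    AnnotationAuthorizer(Class<?> serviceBean) {
        for (Method m : serviceBean.getMethods()) {
            AuthorizationAction action = m.getAnnotation(AuthorizationAction.class);
            SuperTenantService sts = m.getAnnotation(SuperTenantService.class);
            if (action != null || sts != null) {
                rules.put(m, new Rule(action == null ? null : action.value(),
                                      sts != null && sts.value()));
            }
        }
    }

    /** Request time: expected permission vs bearing permission. Unannotated operations are rejected (fail closed). */
    boolean isAuthorized(Method target, Caller caller) {
        Rule rule = rules.get(target);
        if (rule == null) return false;
        if (rule.superTenantOnly && caller.tenantId != SUPER_TENANT_ID) return false;
        return rule.permission == null || caller.permissions.contains(rule.permission);
    }
}

/** A service bean shaped like the addTenant sample in the thread (JAX-RS annotations omitted). */
class TenantAdminService {
    @AuthorizationAction("/permission/protected/manage/monitor/tenants")
    @SuperTenantService(true)
    public String addTenant(String tenantInfoJson) { return "success"; }

    // Hypothetical operation: same permission string, but no super-tenant restriction.
    @AuthorizationAction("/permission/protected/manage/monitor/tenants")
    public String getTenant(String domain) { return "{}"; }

    public String ping() { return "pong"; }  // deliberately unannotated
}

public class AuthorizerDemo {
    public static void main(String[] args) throws NoSuchMethodException {
        AnnotationAuthorizer authorizer = new AnnotationAuthorizer(TenantAdminService.class);
        Method add = TenantAdminService.class.getMethod("addTenant", String.class);
        Method get = TenantAdminService.class.getMethod("getTenant", String.class);
        Method ping = TenantAdminService.class.getMethod("ping");

        // Constructed callers: the super-tenant admin, a tenant admin with the same permission, and a guest.
        Set<String> tenantPerm = Collections.singleton("/permission/protected/manage/monitor/tenants");
        Caller superAdmin = new Caller("admin", AnnotationAuthorizer.SUPER_TENANT_ID, tenantPerm);
        Caller frank = new Caller("frank", 1, tenantPerm);
        Caller guest = new Caller("guest", 1, Collections.emptySet());

        System.out.println("super-tenant addTenant: " + authorizer.isAuthorized(add, superAdmin));
        System.out.println("tenant admin addTenant: " + authorizer.isAuthorized(add, frank));
        System.out.println("tenant admin getTenant: " + authorizer.isAuthorized(get, frank));
        System.out.println("guest getTenant:        " + authorizer.isAuthorized(get, guest));
        System.out.println("super-tenant ping:      " + authorizer.isAuthorized(ping, superAdmin));
    }
}
```

Only the first and third checks succeed: the tenant admin carries the right permission string but is not the super tenant, so addTenant is refused on the tenant check alone, and the guest lacks the permission string entirely. The one design choice that goes beyond the thread is the fail-closed branch for unannotated methods; the thread does not say what the patch does for an operation that carries neither annotation, and rejecting it means a forgotten annotation surfaces as a 403 in testing rather than as an open admin endpoint.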
