I'll commit the patch. thanks.
On Thu, Oct 24, 2013 at 10:57 AM, Pradeep Fernando <[email protected]> wrote:

> Hi,
>
> gentle reminder..
>
> --Pradeep
>
>
> On Tue, Oct 8, 2013 at 11:27 AM, Pradeep Fernando <[email protected]> wrote:
>
>> Appreciate if someone can add my patch to the trunk... I will provide a
>> patch with @SuperTenantService as a marker interface..
>>
>> thanks,
>> --Pradeep
>>
>>
>> On Mon, Oct 7, 2013 at 1:58 PM, Pradeep Fernando <[email protected]> wrote:
>>
>>> Yes.. I already created a JIRA task to track the oauth authenticator
>>>
>>> --Pradeep
>>> sent from my phone
>>>
>>> On Oct 7, 2013 12:03 PM, "Nirmal Fernando" <[email protected]> wrote:
>>>
>>>> Pradeep,
>>>>
>>>> Thanks for the reply.
>>>>
>>>> On Mon, Oct 7, 2013 at 10:42 AM, Pradeep Fernando <[email protected]> wrote:
>>>>
>>>>> Hi Nirmal,
>>>>>
>>>>> Please find answers inline,
>>>>>
>>>>> On Sat, Oct 5, 2013 at 10:04 AM, Nirmal Fernando <[email protected]> wrote:
>>>>>
>>>>>> Hi Pradeep,
>>>>>>
>>>>>> Thanks for this contribution. I hope this will provide the basis for
>>>>>> others to build the Stratos REST API.
>>>>>>
>>>>>> Few questions inline.
>>>>>>
>>>>>> On Fri, Oct 4, 2013 at 10:57 PM, Pradeep Fernando <[email protected]> wrote:
>>>>>>
>>>>>>> Hi Devs,
>>>>>>>
>>>>>>> I have implemented the above feature and the patch can be found at [1].
>>>>>>>
>>>>>>> *How it works*
>>>>>>>
>>>>>>> - The web-app to Carbon runtime state exchange happens via OSGi services
>>>>>>> - The JAX-RS application is using Apache CXF as the REST engine
>>>>>>> - Authentication and authorization of incoming requests are handled
>>>>>>>   using two separate JAX-RS providers registered against the service class
>>>>>>> - Authentication/authorization is closely integrated to the
>>>>>>>   underlying Carbon authentication/authorization framework
>>>>>>> - I have defined two new annotation classes to capture method level
>>>>>>>   permission details
>>>>>>>   * @AuthorizationAction("PermissionString") - allows the admin
>>>>>>>     service writer to annotate a certain operation with a permission string.
>>>>>>>     Requests get authorized only if the invoking user has enough permissions
>>>>>>
>>>>>> Where are these permissions stored? Can you explain how someone
>>>>>> can compile this string?
>>>>>
>>>>> This is a permission string related to the Carbon permission model. IIRC,
>>>>> this is the same string that you use inside the services.xml
>>>>> AuthorizationAction element
>>>>>
>>>>>>>   * @SuperTenantService (true|false) - only the super-tenant
>>>>>>>     user can access the service
>>>>>>
>>>>>> false implies all the tenants including super-tenant can access this
>>>>>> operation, right? If so, can you please consider renaming this annotation?
>>>>>
>>>>> In the Carbon permission structure, super-tenant is special. The other way
>>>>> around, that is, super-tenant can perform tenant operations, is implicit
>>>>> IMHO. In that sense, when we say @SuperTenantService(false) it means it
>>>>> is not a super tenant service -> any other tenant admin service. I'm ok to
>>>>> change this annotation, two concerns,
>>>>>
>>>>> 1. I used the same jargon that is being used in services.xml:
>>>>>    <SuperTenantService>. Introducing another wording for the same thing might
>>>>>    be confusing.
>>>>> 2. We don't really use the @SuperTenantService(false) annotation. The default
>>>>>    is false.
>>>>>
>>>>> Maybe we should change this to a marker annotation -> @SuperTenantService
>>>>
>>>> +1, makes sense. So, if you want to restrict an operation only for
>>>> super tenant access, you use the @SuperTenantService annotation.
>>>>
>>>>>>> - During deployment time, the authorization handler gets injected
>>>>>>>   with the service bean. It processes all the authorization related
>>>>>>>   annotations and builds an information model. When a request comes in it
>>>>>>>   verifies the expected permission vs the bearing permission.
>>>>>>
>>>>>> Can you please explain how someone can plug in a new authorization
>>>>>> handler? What classes to extend, what interfaces to implement etc.?
>>>>>
>>>>> They just have to implement the jaxrs.RequestHandler interface and declare
>>>>> the bean in the spring config file (cxf-servlet.xml)
>>>>>
>>>>> I did not come up with an authentication/authorization abstraction for
>>>>> Stratos in this implementation.
>>>>
>>>> No problem.
>>>>
>>>>> It is too early IMHO. Once we have at least one other
>>>>> authentication/authorization module we can define the abstraction.
>>>>
>>>> IMO we should go for an OAuth2 based authentication/authorization model as
>>>> soon as possible.
>>>>
>>>> We should ideally start building up a wiki page on this too.
>>>>
>>>>>>> *Challenges/Approaches that did not work.*
>>>>>>>
>>>>>>> The CXF project provides an AuthorizationFilter called
>>>>>>> SimpleAuthorizationFilter [2] for JAAS based request authorization. It uses
>>>>>>> the @RolesAllowed annotation to identify authorized users. However it does
>>>>>>> not suit the Carbon authorization system well. Hence I came up with my own
>>>>>>> annotation types, which closely resemble the params used in existing WS
>>>>>>> admin services.
>>>>>>>
>>>>>>> *Authentication mechanism is pluggable*
>>>>>>>
>>>>>>> - Right now there is only one authenticator. It uses basic-auth to
>>>>>>>   authenticate incoming requests. It is possible to plug in other kinds of
>>>>>>>   authenticators.
>>>>>>>
>>>>>>> *How to write your new RESTful admin service*
>>>>>>>
>>>>>>> @POST
>>>>>>> @Path("/tenant/create")
>>>>>>> @Consumes("application/json")
>>>>>>> @Produces("application/json")
>>>>>>> @AuthorizationAction("/permission/protected/manage/monitor/tenants")
>>>>>>> @SuperTenantService(true)
>>>>>>> public String addTenant(TenantInfoBean tenantInfoBean) {
>>>>>>>     return "success";
>>>>>>> }
>>>>>>>
>>>>>>> *Sample Request from CURL*
>>>>>>>
>>>>>>> curl -X POST -H "Content-Type: application/json" -d
>>>>>>> '{"tenantInfo":{"admin":"admin","firstname":"Frank","lastname":"Myers","adminPassword":"admin123","email":"[email protected]","tenantDomain":"frank.com"}}'
>>>>>>> -v -u admin:admin https://localhost:9443/stratos/admin/tenant/create
>>>>>>>
>>>>>>> *TODO*
>>>>>>>
>>>>>>> This is more of the framework for implementing RESTful admin APIs. I
>>>>>>> have implemented two operations for the moment. We have to populate the
>>>>>>> service bean with the rest of the API. It's a matter of porting existing
>>>>>>> code to the new service bean. What is more important is to carefully
>>>>>>> design REST endpoints.
>>>>>>>
>>>>>>> Unlike WS endpoints, we have to be careful with the REST endpoint /
>>>>>>> where the parameter goes in the endpoint / HTTP method used / etc. I will
>>>>>>> spawn a separate thread on the topic.
>>>>>>>
>>>>>>> I have applied the patches to the JIRA. Would be great if the code
>>>>>>> can be committed to the main trunk. :)
>>>>>>>
>>>>>>> [1] https://issues.apache.org/jira/browse/STRATOS-90
>>>>>>> [2] http://cxf.apache.org/docs/secure-jax-rs-services.html
>>>>>>>
>>>>>>> thanks,
>>>>>>> --Pradeep
>>>>>>
>>>>>> --
>>>>>> Best Regards,
>>>>>> Nirmal
>>>>>>
>>>>>> C.S.Nirmal J. Fernando
>>>>>> Senior Software Engineer,
>>>>>> WSO2 Inc.
>>>>>>
>>>>>> Blog: http://nirmalfdo.blogspot.com/
>>>>>
>>>>> thanks,
>>>>> --Pradeep
>>
>> --
>> Pradeep Fernando.
>> http://pradeepfernando.blogspot.com/

--
Lahiru Sandaruwan
Software Engineer,
Platform Technologies,
WSO2 Inc., http://wso2.com
lean.enterprise.middleware

email: [email protected]
cell: (+94) 773 325 954
blog: http://lahiruwrites.blogspot.com/
twitter: http://twitter.com/lahirus
linked-in: http://lk.linkedin.com/pub/lahiru-sandaruwan/16/153/146
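The deployment-time model Pradeep describes (annotations scanned once from the service bean, then checked on every request), as an added example that is not the patch's own code: the annotations are written in the marker form agreed on in the thread, PermissionChecker is a hypothetical stand-in for the Carbon authorization manager, and the super-tenant id constant is assumed. Unannotated operations are denied here, which is this example's fail-closed choice rather than something the patch states.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;

// The two annotations from the thread; @SuperTenantService is the marker form
// agreed on later in the discussion (no boolean attribute).
@Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
@interface AuthorizationAction { String value(); }

@Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
@interface SuperTenantService {}

// Hypothetical seam to the Carbon authorization manager (not a real Carbon API).
interface PermissionChecker {
    boolean isUserAuthorized(String user, String permission);
}

/** Built once at deployment from the service bean; consulted per request. */
final class AuthorizationModel {
    private static final int SUPER_TENANT_ID = -1234; // assumed Carbon super-tenant id

    private static final class Rule {
        final String permission;       // null when only the tenant restriction applies
        final boolean superTenantOnly;
        Rule(String permission, boolean superTenantOnly) {
            this.permission = permission; this.superTenantOnly = superTenantOnly;
        }
    }
    private final Map<Method, Rule> rules = new HashMap<Method, Rule>();

    AuthorizationModel(Class<?> serviceBean) {
        // Mirror of "the handler gets injected with the service bean and processes
        // all authorization annotations": scan public methods once.
        for (Method m : serviceBean.getMethods()) {
            AuthorizationAction action = m.getAnnotation(AuthorizationAction.class);
            boolean superOnly = m.isAnnotationPresent(SuperTenantService.class);
            if (action != null || superOnly) {
                rules.put(m, new Rule(action == null ? null : action.value(), superOnly));
            }
        }
    }

    /** Per-request check: expected permission vs the permission the caller bears. */
    boolean isAuthorized(Method invoked, String user, int tenantId, PermissionChecker carbon) {
        Rule rule = rules.get(invoked);
        if (rule == null) return false;                               // fail closed
        if (rule.superTenantOnly && tenantId != SUPER_TENANT_ID) return false;
        return rule.permission == null || carbon.isUserAuthorized(user, rule.permission);
    }
}
```

A CXF request handler of the kind the thread mentions would call isAuthorized with the matched resource method and the authenticated caller, and answer 403 when it returns false.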
