Hi,

Just a suggestion on how we handle authorization in the management console. Currently we have a static permission tree (even though the new permissions are added based on component.xml). It is better if we can click on a node and add a permission string. And we have the same permission view on all tenants. However, we have the ability to define permissions programmatically (back-end support is there), though that is not visible in the UI. If we can do the UI changes, that would be a huge advantage when defining granular permissions.

Thank you.

On Wed, Dec 12, 2012 at 9:28 PM, Afkham Azeez <[email protected]> wrote:

> For starters, we don't have to change all components to use the new API,
> but we can gradually migrate those components. There was a customer
> requirement to be able to add new permissions from their webapp, and read
> them when necessary. We don't have a simple API to do that AFAIK. So, it
> would be nice to introduce such an API, and then gradually migrate our
> existing components to use that where applicable.
>
> Azeez
>
> On Thu, Dec 13, 2012 at 10:53 AM, Asela Pathberiya <[email protected]> wrote:
>
>> On Mon, Dec 10, 2012 at 11:44 AM, Afkham Azeez <[email protected]> wrote:
>>
>>> Right now the way to create or read permissions is not straightforward.
>>> The APIs are really twisted. The fact that the permissions are stored in
>>> the Registry is an implementation detail. Users should not be calling
>>> Registry APIs to deal with permissions. We have users interested
>>> in programmatically creating their permissions. Ideally, it would be great
>>> to have a simple API like the following:
>>
>> +1 for simple API like this.
>>
>> But it is better if we have some more clarifications.
>>
>> Currently all carbon components use AuthorizationManager API for doing
>> RBAC. You have meant to use new API (PermissionsUtil) rather than using
>> AuthorizationManager, or else changing the API of AuthorizationManager to
>> be simple as this, or else providing a new API for other applications to
>> use.
>>
>> AFAIK currently also, we do not want to do the registry API call to
>> add, remove, check permission (RBAC model). We can just
>> use AuthorizationManager API to configure permissions. Permissions are
>> stored in UM database. But we have mapped the Carbon UI permission into the
>> registry resources. You can use remote-user-mgt component for doing
>> authorization operation [1] using web service also. It exposes
>> authorization manager API as a web service. But AuthorizationManager API
>> seems to be not clear. I guess it has been written thinking about the
>> Carbon UI. Also it is not good API to use by any applications to do RBAC.
>>
>> Also we have hoped to write some new feature [2] to configure RBAC for
>> any applications. This component exposes web service API and uses same UM
>> database schema to persist the permissions. Therefore any application can
>> use this web service to do their RBAC.
>>
>> I guess, as a start, it would be better if we can make the API of new
>> feature to be simpler as what you have shared here. Then it can be used by
>> other applications. And this can be done without much effect. But if we
>> are changing all existing carbon component to use this API, I think it
>> would be some time consuming effect, may be for C5.
>>
>> [1] https://svn.wso2.org/repos/wso2/carbon/platform/branches/4.0.0/components/remote-usermgt
>> [2] https://svn.wso2.org/repos/wso2/carbon/platform/branches/4.0.0/components/identity/org.wso2.carbon.identity.authorization.core/
>>
>> Thanks,
>> Asela.
>>
>>> public final class PermissionsUtil {
>>>
>>>     public void createPermission(String permissionKey, List<UserRole> roles);
>>>
>>>     public void addRolesToPermission(String permissionKey, List<UserRole> roles);
>>>
>>>     public void removeRolesFromPermission(String permissionKey, List<UserRole> roles);
>>>
>>>     public void deletePermission(String permissionKey);
>>>
>>>     public List<UserRole> getRolesWithPermission(String permissionKey);
>>>
>>>     public Permission getPermission(String permissionKey);
>>>
>>> }
>>>
>>> public class Permission {
>>>
>>>     private String permissionKey;
>>>     private List<UserRole> userRoles;
>>>
>>> }
>>>
>>> Can somebody own this task?
>>>
>>> --
>>> Afkham Azeez
>>> Director of Architecture; WSO2, Inc.; http://wso2.com
>>> Member; Apache Software Foundation; http://www.apache.org/
>>> email: [email protected] cell: +94 77 3320919
>>> blog: http://blog.afkham.org
>>> twitter: http://twitter.com/afkham_azeez
>>> linked-in: http://lk.linkedin.com/in/afkhamazeez
>>>
>>> Lean . Enterprise . Middleware
>
> _______________________________________________
> Dev mailing list
> [email protected]
> http://wso2.org/cgi-bin/mailman/listinfo/dev

--
Manjula Rathnayaka
Software Engineer
WSO2, Inc.
Mobile:+94 77 743 1987
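
A minimal in-memory sketch of the `PermissionsUtil` API quoted in the thread above, added here as an example and not taken from the thread or from WSO2 Carbon. The class name `InMemoryPermissions`, the `isAuthorized` check, the sample permission key, and the use of plain `String` role names in place of `UserRole` are assumptions. It shows the behaviour a webapp would rely on when creating its own permissions: unknown keys and ungranted roles are denied, and an existing permission is never silently overwritten.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

// Added example: in-memory stand-in for the PermissionsUtil API proposed in the thread.
// Roles are plain Strings (assumption: the page does not define UserRole).
public final class InMemoryPermissions {
    private final Map<String, Set<String>> grants = new ConcurrentHashMap<>();

    public void createPermission(String key, List<String> roles) {
        Set<String> set = ConcurrentHashMap.newKeySet();
        set.addAll(roles);
        // Refuse to silently overwrite an existing permission and its grants.
        if (grants.putIfAbsent(key, set) != null)
            throw new IllegalStateException("permission already exists: " + key);
    }
    public void addRolesToPermission(String key, List<String> roles) {
        existing(key).addAll(roles);
    }
    public void removeRolesFromPermission(String key, List<String> roles) {
        existing(key).removeAll(roles);
    }
    public void deletePermission(String key) {
        grants.remove(key);
    }
    // Immutable copy, so callers cannot edit grants behind the API.
    public List<String> getRolesWithPermission(String key) {
        return List.copyOf(grants.getOrDefault(key, Set.of()));
    }
    // Hypothetical check (not in the proposal): deny by default for unknown keys or roles.
    public boolean isAuthorized(String role, String key) {
        return grants.getOrDefault(key, Set.of()).contains(role);
    }
    // Mutations on a key that was never created fail loudly instead of creating it.
    private Set<String> existing(String key) {
        Set<String> roles = grants.get(key);
        if (roles == null) throw new IllegalArgumentException("unknown permission: " + key);
        return roles;
    }
    public static void main(String[] args) {
        InMemoryPermissions p = new InMemoryPermissions();
        String key = "/webapp/orders/approve"; // constructed sample key
        p.createPermission(key, List.of("manager"));
        System.out.println(p.isAuthorized("manager", key));
        System.out.println(p.isAuthorized("clerk", key));
        p.deletePermission(key);
        System.out.println(p.isAuthorized("manager", key));
    }
}
```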
