Hello,

I wanted to notify the community of an upcoming change to the RoleConstraint entity to support generic attributes.

First, a bit of history. The RoleConstraint was added to support this enhancement a few years back:

FC-116 - Need the ability to get user specific attributes for fine grained access determinations - https://issues.apache.org/jira/browse/FC-116

Now, we are adding generic ABAC use cases, as described by this article:

https://iamfortress.net/2018/07/07/towards-an-attribute-based-role-based-access-control-system/

We need a way to store attributes on a user's role assignment. First, I went with user properties, per this JIRA enhancement:

FC-235 - Add support for runtime constraints to be placed on activated roles - https://issues.apache.org/jira/browse/FC-235

While that works, it's not ideally suited for all of the use cases. That got me looking at using the RoleConstraints previously added. So, as part of this ticket:

FC-239 - Some additional methods to manage role constraints. - https://issues.apache.org/jira/browse/FC-239

I am adding RoleConstraint type USER:

    public enum RCType
    {
        FILTER,
        USER,   // <-- this is new
        OTHER
    }

Which will piggyback on the existing entity, repurposing some of its fields:

    String id;          // not used, left blank
    RCType type;        // 'USER'
    String value;       // contains the attribute's value
    String paSetName;   // contains the attribute's (key) name

Here is a sample of RAW data, as it will be stored in the ftRC LDAP attribute:

    washers$type$USER$locale$north$
    washers$type$USER$locale$south$

In this case, the user has two roleconstraints placed on their role assignment to 'washers'. As can be seen, it uses a delimiter for each attr. But nothing has changed in the overall format of the field, only the semantics of what the fields are used for.

This new code passes all regression tests for roleconstraints added to support the original permission assignment sets, using the 'FILTER' type. I will add new tests to ensure that it works for roleconstraints of type 'USER', and will check into trunk in the next day or so.

Please let me know if you have any questions or concerns.

--Shawn
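
Added example (not part of the message above and not Apache Fortress source): a stand-alone Java parser for the delimited ftRC values shown in the message, with an attribute lookup over a user's role constraints. The field order is inferred from the two sample values only; the names RoleConstraintRaw, parse, serialize and hasUserAttr are hypothetical, and rejecting '$' inside a field is an added check, since the message does not say how the delimiter is handled when it appears in an attribute value.

```java
import java.util.List;

// Added illustration; not Apache Fortress source. Assumed layout, inferred from
// the two samples in the message: role$type$<RCType>$<key>$<value>$
public class RoleConstraintRaw {
    enum RCType { FILTER, USER, OTHER }
    record Constraint(String role, RCType type, String key, String value) {}

    static final String DELIM = "$";

    static Constraint parse(String raw) {
        // limit -1 keeps the empty token that follows the trailing delimiter
        String[] f = raw.split("\\$", -1);
        if (f.length != 6 || !f[1].equals("type") || !f[5].isEmpty())
            throw new IllegalArgumentException("malformed constraint: " + raw);
        for (int i : new int[] {0, 3, 4})
            if (f[i].isEmpty())
                throw new IllegalArgumentException("empty field in: " + raw);
        // valueOf throws IllegalArgumentException for an unknown type name
        return new Constraint(f[0], RCType.valueOf(f[2]), f[3], f[4]);
    }

    static String serialize(Constraint c) {
        // A '$' inside any field would shift the field boundaries on the next read.
        for (String s : List.of(c.role(), c.key(), c.value()))
            if (s.isEmpty() || s.contains(DELIM))
                throw new IllegalArgumentException("illegal field: " + s);
        return String.join(DELIM, c.role(), "type", c.type().name(), c.key(), c.value()) + DELIM;
    }

    // True when a USER constraint on the given role carries key=value.
    static boolean hasUserAttr(List<String> ftRC, String role, String key, String value) {
        return ftRC.stream().map(RoleConstraintRaw::parse)
            .anyMatch(c -> c.type() == RCType.USER && c.role().equals(role)
                && c.key().equals(key) && c.value().equals(value));
    }

    public static void main(String[] args) {
        List<String> ftRC = List.of(            // the two sample values from the message
            "washers$type$USER$locale$north$",
            "washers$type$USER$locale$south$");
        System.out.println(hasUserAttr(ftRC, "washers", "locale", "north"));
        System.out.println(hasUserAttr(ftRC, "washers", "locale", "east"));
        try {                                   // constructed bad value containing the delimiter
            serialize(new Constraint("washers", RCType.USER, "locale", "north$x"));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

It needs Java 16 or later for the record type.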
