Hi Shawn,

How about the compatibility with the previous version? If it is not compatible, is there a way to migrate it?

Thanks.

On Thu, Aug 23, 2018, 22:14 Shawn McKinney <[email protected]> wrote:

> Hello,
>
> Wanted to notify the community of an upcoming change to the RoleConstraint
> entity to support generic attributes.
>
> First, a bit of history. The RoleConstraint was added to support this
> enhancement a few years back:
>
> FC-116 - Need the ability to get user specific attributes for fine grained
> access determinations
> - https://issues.apache.org/jira/browse/FC-116
>
> Now, we are adding generic ABAC use cases, as described by this article:
>
> https://iamfortress.net/2018/07/07/towards-an-attribute-based-role-based-access-control-system/
>
> We need a way to store attributes on a user's role assignment. First, I
> went with user properties, per this JIRA enhancement:
>
> FC-235 - Add support for runtime constraints to be placed on activated
> roles
> - https://issues.apache.org/jira/browse/FC-235
>
> While that works, it's not ideally suited for all of the use cases. That
> got me looking at using the RoleConstraints previously added.
>
> So, as part of this ticket:
> FC-239 - Some additional methods to manage role constraints.
> - https://issues.apache.org/jira/browse/FC-239
>
> I am adding RoleConstraint type USER:
>
> public enum RCType
> {
>     FILTER,
>     USER, <— this is new
>     OTHER
> }
>
> Which will piggyback on the existing entity, repurposing some of its
> fields:
> String id; <— not used, left blank
> RCType type <- 'USER'
> String value <- contains the attribute's value
> String paSetName; <- contains the attribute's (key) name
>
> Here is a sample of RAW data, as it will be stored in the ftRC LDAP
> attribute:
> washers$type$USER$locale$north$
> washers$type$USER$locale$south$
>
> In this case, the user has two roleconstraints placed on their role
> assignment to 'washers'. As can be seen, it uses a delimiter for each
> attr. But nothing has changed to the overall format of the field. Only
> the semantics of what the fields are used for.
>
> This new code passes all regression tests for roleconstraints added to
> support the original permission assignment sets, using 'FILTER' type.
>
> I will add new tests to ensure that it works for roleconstraints of type
> 'USER', and checking into trunk in the next day or so.
>
> Please let me know if you have any questions or concerns.
>
> --Shawn
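
The raw ftRC format quoted above can be parsed strictly, so that a value with a shifted delimiter or an unknown type is rejected rather than misread as an attribute. This is an added example, not code from the thread or from Apache Fortress: the class name `RoleConstraintParser` and the `parse` helper are hypothetical, and the positional layout (role, literal `type`, RCType, key, value, id) is an assumption inferred from the two samples in the message.

```java
import java.util.ArrayList;
import java.util.List;

public class RoleConstraintParser {
    enum RCType { FILTER, USER, OTHER }

    // Field names follow the quoted message; their positions are assumed from its samples.
    record RoleConstraint(String role, RCType type, String paSetName, String value, String id) {}

    static RoleConstraint parse(String raw) {
        // limit -1 keeps the trailing empty field (the id, left blank for USER)
        String[] f = raw.split("\\$", -1);
        if (f.length != 6 || !"type".equals(f[1]) || f[0].isEmpty()) {
            throw new IllegalArgumentException("malformed ftRC value: " + raw);
        }
        RCType type = RCType.valueOf(f[2]); // IllegalArgumentException on an unknown type
        // For USER, paSetName carries the attribute key and value carries its value.
        if (type == RCType.USER && (f[3].isEmpty() || f[4].isEmpty())) {
            throw new IllegalArgumentException("USER constraint without key or value: " + raw);
        }
        return new RoleConstraint(f[0], type, f[3], f[4], f[5]);
    }

    public static void main(String[] args) {
        // Constructed input: the two samples from the message plus two malformed values.
        String[] samples = {
            "washers$type$USER$locale$north$",
            "washers$type$USER$locale$south$",
            "washers$type$USER$locale$no$rth$", // '$' inside the value shifts the fields
            "washers$type$ADMIN$locale$north$"  // type not present in RCType
        };
        List<RoleConstraint> accepted = new ArrayList<>();
        for (String raw : samples) {
            try {
                accepted.add(parse(raw));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + raw);
            }
        }
        for (RoleConstraint rc : accepted) {
            System.out.println(rc.role() + " [" + rc.type() + "] "
                    + rc.paSetName() + "=" + rc.value());
        }
    }
}
```

Because the format is delimiter-based, an attribute value containing `$` cannot be represented unambiguously, which is why the parser fails closed on any field count other than six.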
