No need to say pardon for a good explanation! Thanks. I thought about something similar and that makes it pretty clear for me : )
On Wed, Nov 21, 2012 at 5:03 PM, Jared Bunting <[email protected]> wrote:
> Basically, yes. The resource that we are protecting is called a
> "KnowledgeBase". Each KnowledgeBase is owned by a particular user.
> The owner has the ability to share that KB with any other user - giving
> them read, write, or admin permissions. So this information is all
> stored in a relational database. Something like this (this is just to
> convey the idea..I'd have to go look at our code and schema to make
> sure it's fully functional):
>
> KB[name, owner]
> kb1, jared
> kb2, alex
>
> KBDelegations[kbName, rights, delegate]
> kb1, read, alex
> kb2, admin, jared
>
> So the doGetAuthorizationInfo in our realm will do SQL queries against
> these tables, and build up the permission list dynamically (pardon the
> pseudocode):
>
> for kbName in (SELECT name from KB where owner=userName)
>     addPermission("knowledgebase:" + kbName + ":delete")
>     addPermission("knowledgebase:" + kbName + ":query")
>     addPermission("knowledgebase:" + kbName + ":ingest")
>     addPermission("knowledgebase:" + kbName + ":configure")
>
> for kbName, rights in (SELECT kbName, rights from KBDelegations where
>                        delegate=userName)
>     if("admin".equals(rights))
>         addPermission("knowledgebase:" + kbName + ":delete")
>         addPermission("knowledgebase:" + kbName + ":query")
>         addPermission("knowledgebase:" + kbName + ":ingest")
>         addPermission("knowledgebase:" + kbName + ":configure")
>     else if("read".equals(rights))
>         addPermission("knowledgebase:" + kbName + ":query")
>     else if("write".equals(rights))
>         addPermission("knowledgebase:" + kbName + ":query")
>         addPermission("knowledgebase:" + kbName + ":ingest")
>
> Obviously, we use caching so that every permission query isn't hitting
> the database, but this is the general gist of it. We have a domain
> model (knowledgebases, owners, delegates) and we map it to permissions
> that certain functionality in our codebase requires (there's actually a
> good number more permissions that get added, but I think this conveys
> the idea).
>
> -Jared
>
> On Wed 21 Nov 2012 01:50:42 AM CST, Alex opn wrote:
> > Jared, what do you mean by "generated from our domain model"? Do you
> > mean that you don't have the permissions saved in the database and
> > instead generate them at login / startup? I have to decide soon which
> > way to go for my application and so I'm interested in the possible
> > approaches.
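The realm Jared sketches in pseudocode above, written out as a complete Shiro `AuthorizingRealm` for readers deciding between stored and generated permissions. This is an added example for this thread, not Jared's code or anything from the Apache Shiro project; the `KB` and `KBDelegations` table and column names are taken from his sketch, and the `DataSource`, the `KnowledgeBaseRealm` class name and the `permissionsChangedFor` helper are assumptions. It differs from the sketch in three places a reviewer would want: the user name is bound as a `PreparedStatement` parameter rather than pasted into SQL, owner and admin rights are expressed as one wildcard permission (`knowledgebase:kb1:*`, which Shiro's `WildcardPermission` resolves to every action) instead of four strings, and the cache Jared mentions is invalidated explicitly when a share changes so a revoked delegate does not keep stale rights until the cache expires.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.sql.DataSource;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;

/**
 * Hypothetical realm that derives "knowledgebase:<name>:<action>" permissions
 * from the KB / KBDelegations tables on each authorization lookup.
 * Table and column names follow the sketch in the thread.
 */
public class KnowledgeBaseRealm extends AuthorizingRealm {

    // Parameterized queries: the user name is bound, never concatenated.
    private static final String OWNED_KBS =
            "SELECT name FROM KB WHERE owner = ?";
    private static final String DELEGATED_KBS =
            "SELECT kbName, rights FROM KBDelegations WHERE delegate = ?";

    private final DataSource dataSource;   // assumed to be configured elsewhere

    public KnowledgeBaseRealm(DataSource dataSource) {
        this.dataSource = dataSource;
        // Cache the built AuthorizationInfo per principal so that repeated
        // isPermitted() calls do not hit the database every time.
        setAuthorizationCachingEnabled(true);
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String userName = (String) principals.getPrimaryPrincipal();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        try (Connection conn = dataSource.getConnection()) {
            // Owners get every action on their own knowledge bases.
            // "knowledgebase:kb1:*" implies delete, query, ingest and configure.
            // KB names must be validated on creation so they cannot contain
            // WildcardPermission's separators ':' ',' or '*'; otherwise a name
            // could widen the permission string it is embedded in.
            try (PreparedStatement ps = conn.prepareStatement(OWNED_KBS)) {
                ps.setString(1, userName);
                try (ResultSet rs = ps.executeQuery()) {
                    while (rs.next()) {
                        info.addStringPermission("knowledgebase:" + rs.getString("name") + ":*");
                    }
                }
            }
            // Delegates get only the actions that match their granted rights.
            try (PreparedStatement ps = conn.prepareStatement(DELEGATED_KBS)) {
                ps.setString(1, userName);
                try (ResultSet rs = ps.executeQuery()) {
                    while (rs.next()) {
                        String kb = rs.getString("kbName");
                        String rights = rs.getString("rights");
                        if ("admin".equals(rights)) {
                            info.addStringPermission("knowledgebase:" + kb + ":*");
                        } else if ("write".equals(rights)) {
                            info.addStringPermission("knowledgebase:" + kb + ":query,ingest");
                        } else if ("read".equals(rights)) {
                            info.addStringPermission("knowledgebase:" + kb + ":query");
                        }
                        // Any other rights value grants nothing (fail closed).
                    }
                }
            }
        } catch (SQLException e) {
            // Fail closed: a lookup error must not silently read as "no permissions".
            throw new AuthorizationException("Could not load permissions for " + userName, e);
        }
        return info;
    }

    /**
     * Call after a KB is shared, re-shared or unshared so the affected user's
     * cached permissions are rebuilt on their next check. Assumes the user was
     * authenticated under this realm's name; if another realm authenticates,
     * build the PrincipalCollection with that realm's name instead.
     */
    public void permissionsChangedFor(String userName) {
        clearCachedAuthorizationInfo(new SimplePrincipalCollection(userName, getName()));
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        // Authentication is left to a separate realm in this example.
        return null;
    }
}
```

With this realm configured, application code checks `SecurityUtils.getSubject().isPermitted("knowledgebase:kb1:ingest")` exactly as it would against stored permissions; the difference Alex asked about is only where the strings come from. The trade-off is that generated permissions are only as fresh as the cache, which is why the share/unshare code path has to call `permissionsChangedFor` (or an equivalent) rather than relying on time-based expiry.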
