Appreciate if someone can add my patch to the trunk... I will provide a patch with @SuperTenantService as a marker interface..
thanks, --Pradeep On Mon, Oct 7, 2013 at 1:58 PM, Pradeep Fernando <[email protected]>wrote: > Yes.. I already created a JIRA task to track oauth authenticator > > --Pradeep > sent from my phone > On Oct 7, 2013 12:03 PM, "Nirmal Fernando" <[email protected]> wrote: > >> Pradeep, >> >> Thanks for the reply. >> >> On Mon, Oct 7, 2013 at 10:42 AM, Pradeep Fernando <[email protected]>wrote: >> >>> >>> Hi Nirmal, >>> >>> Please find answers inline, >>> >>> On Sat, Oct 5, 2013 at 10:04 AM, Nirmal Fernando <[email protected] >>> > wrote: >>> >>>> Hi Pradeep, >>>> >>>> Thanks for this contribution. I hope this will provide the basis for >>>> others to build Stratos REST API. >>>> >>>> Few questions inline. >>>> >>>> On Fri, Oct 4, 2013 at 10:57 PM, Pradeep Fernando >>>> <[email protected]>wrote: >>>> >>>>> Hi Devs, >>>>> >>>>> >>>>> I came up with implemented the above feature and the patch can be >>>>> found at, [1] >>>>> >>>>> *How it works* >>>>> >>>>> - The web-app to Carbon runtime state exchange happens via OSGi >>>>> services >>>>> - The JAX-RS application is using Apache CXF as the REST engine >>>>> - Authentication and Authorization of incoming requests are handled >>>>> using two seperate JAX-RS providers registered against the service class >>>>> - Authentication/Authorization is closely integrated to the underlying >>>>> carbon authentication/authorizaiton framework >>>>> - I have defined two new annotation classes to capture method level >>>>> permission details >>>>> * @AuthorizationAction("PermissionString") - allows the admin >>>>> service writer to annotate a certain operation with permission string. >>>>> Request get authorized only if the invoking user has enough permissions >>>>> >>>> >>>> Where are these permissions stored? Can you explain how can someone >>>> compile this string? >>>> >>> >>> This is permission string related to carbon permission model. IIRC, this >>> is the same string that you use inside services.xml AuthorizationAction >>> element >>> >>> >>> >>>> >>>> >>>>> * @SuperTenantService (true|false) - only the super-tenant user >>>>> can access the service >>>>> >>>> >>>> false implies all the tenants including super-tenant can access this >>>> operation right? If so, can you please consider renaming this annotation? >>>> >>> >>> In the Carbon permission structure, super-tenant is special. Other way >>> around, that is super-tenant can perform tenant operations is implicit >>> IMHO. In that sense, when we say, @SuperTenantService(false) it means it is >>> not a super tenant service. - > any other tenant admin service. I'm ok to >>> change this annotation, two concerns, >>> >>> 1. I used the same jargon that is being used in services.xml. >>> <SuperTenantService>. Introducing another wording for the same thing might >>> be confusing. >>> 2. We don't really use @SuperTenantService(false) annotation. default is >>> false. >>> >>> May be we should change this to a marker annoation, - > >>> @SuperTenantService >>> >> >> +1, makes sense. So, if you want to restrict an operation only for super >> tenant access, you use @SuperTenantService annotation. >> >>> >>> >>>> >>>>> - During the deployment time, the authorization handler get injected >>>>> with service bean. It process all the authorization related annotation and >>>>> builds a information model. When a request comes in it verifies the >>>>> expected permission vs bearing permission. >>>>> >>>>> Can you please explain how someone can plug a new authorization >>>> handler? What classes to extend, what interfaces to implement etc.? >>>> >>> >>> They just have to implement jaxrs.ReauestHandler interface and declare >>> the bean in spring config file (cxf-servlet.xml) >>> >>> I did not came up with a authentication/authorization abstraction for >>> Stratos in implementation. >>> >> >> No problem. >> >> >>> It is too early IMHO. Once we have atleast one other >>> authentication/authorization module we can define the abstraction. >>> >> >> IMO we should go for OAuth2 based authentication/authorization model as >> soon as possible. >> >> We should ideally start building up a wiki page on this too. >> >>> >>> >>> >>>> >>>> >>>> >>>>> *Challenges/Approaches that did not work.* >>>>> >>>>> CXF project provides a AuthorizationFilter called >>>>> SimpleAuthorizationFilter[2] for JAAS based request authorization. It uses >>>>> @RolesAllowed annotation to identify authorized users. However it does not >>>>> suit well for the Carbon authorization system. Hence I came up with my own >>>>> Annotation types, which closely resembles, params used in existing WS >>>>> admin >>>>> services. >>>>> >>>>> >>>>> *Authentication mechanism is pluggable * >>>>> >>>>> - Right now there is only one authenticator. It uses basic-auth to >>>>> authenticate incoming requests. It is possible to plug in other kinds of >>>>> authenticators. >>>>> >>>>> *How to write your new RESTful admin service* >>>>> >>>>> @POST >>>>> @Path("/tenant/create") >>>>> @Consumes("application/json") >>>>> @Produces("application/json") >>>>> >>>>> @AuthorizationAction("/permission/protected/manage/monitor/tenants") >>>>> @SuperTenantService(true) >>>>> public String addTenant(TenantInfoBean tenantInfoBean) { >>>>> >>>>> return success; >>>>> } >>>>> >>>>> *Sample Request from CURL* >>>>> >>>>> curl -X POST -H "Content-Type: application/json" -d >>>>> '{"tenantInfo":{"admin":"admin","firstname":"Frank","lastname":"Myers","adminPassword":"admin123","email":" >>>>> [email protected]","tenantDomain":"frank.com"}}' -v -u admin:admin >>>>> https://localhost:9443/stratos/admin/tenant/create >>>>> >>>>> >>>>> *TODO* >>>>> * >>>>> * >>>>> This is more of the framework for implementing RESTful admin APIs. I >>>>> have implemented two Operations for the moment. We have to populate the >>>>> service bean with rest of the API. Its matter of porting existing code to >>>>> new service bean. What is more important is, to carefully design REST >>>>> endpoints. >>>>> >>>>> Unlike WS endpoints, we have to be careful with REST endpoint / where >>>>> the parameter goes in endpoint / HTTP method used / etc. I will spawn a >>>>> separate thread on the topic. >>>>> >>>>> I have applied the patches to the JIRA. Would be great if the code can >>>>> be committed to the main trunk. :) >>>>> >>>>> >>>>> [1] https://issues.apache.org/jira/browse/STRATOS-90 >>>>> [2] http://cxf.apache.org/docs/secure-jax-rs-services.html >>>>> >>>>> thanks, >>>>> --Pradeep >>>>> >>>> >>>> >>>> >>>> -- >>>> Best Regards, >>>> Nirmal >>>> >>>> C.S.Nirmal J. Fernando >>>> Senior Software Engineer, >>>> WSO2 Inc. >>>> >>>> Blog: http://nirmalfdo.blogspot.com/ >>>> >>> >>> >>> >>> thanks, >>> --Pradeep >>> >> >> >> >> -- >> Best Regards, >> Nirmal >> >> C.S.Nirmal J. Fernando >> Senior Software Engineer, >> WSO2 Inc. >> >> Blog: http://nirmalfdo.blogspot.com/ >> > -- Pradeep Fernando. http://pradeepfernando.blogspot.com/
