Commit is ecef467e8e8e1cc0c3633825650a75fc28987710. Thanks.

On Thu, Oct 24, 2013 at 11:00 AM, Lahiru Sandaruwan <[email protected]> wrote:

> I'll commit the patch.
>
> thanks.
>
> On Thu, Oct 24, 2013 at 10:57 AM, Pradeep Fernando <[email protected]> wrote:
>
>> Hi,
>>
>> gentle reminder..
>>
>> --Pradeep
>>
>> On Tue, Oct 8, 2013 at 11:27 AM, Pradeep Fernando <[email protected]> wrote:
>>
>>> Appreciate if someone can add my patch to the trunk... I will provide a
>>> patch with @SuperTenantService as a marker interface..
>>>
>>> thanks,
>>> --Pradeep
>>>
>>> On Mon, Oct 7, 2013 at 1:58 PM, Pradeep Fernando <[email protected]> wrote:
>>>
>>>> Yes.. I already created a JIRA task to track the oauth authenticator
>>>>
>>>> --Pradeep
>>>> sent from my phone
>>>> On Oct 7, 2013 12:03 PM, "Nirmal Fernando" <[email protected]> wrote:
>>>>
>>>>> Pradeep,
>>>>>
>>>>> Thanks for the reply.
>>>>>
>>>>> On Mon, Oct 7, 2013 at 10:42 AM, Pradeep Fernando <[email protected]> wrote:
>>>>>
>>>>>> Hi Nirmal,
>>>>>>
>>>>>> Please find answers inline,
>>>>>>
>>>>>> On Sat, Oct 5, 2013 at 10:04 AM, Nirmal Fernando <[email protected]> wrote:
>>>>>>
>>>>>>> Hi Pradeep,
>>>>>>>
>>>>>>> Thanks for this contribution. I hope this will provide the basis for
>>>>>>> others to build the Stratos REST API.
>>>>>>>
>>>>>>> Few questions inline.
>>>>>>>
>>>>>>> On Fri, Oct 4, 2013 at 10:57 PM, Pradeep Fernando <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hi Devs,
>>>>>>>>
>>>>>>>> I have implemented the above feature and the patch can be found at [1].
>>>>>>>>
>>>>>>>> *How it works*
>>>>>>>>
>>>>>>>> - The web-app to Carbon runtime state exchange happens via OSGi services
>>>>>>>> - The JAX-RS application is using Apache CXF as the REST engine
>>>>>>>> - Authentication and authorization of incoming requests are handled
>>>>>>>> using two separate JAX-RS providers registered against the service class
>>>>>>>> - Authentication/authorization is closely integrated with the
>>>>>>>> underlying Carbon authentication/authorization framework
>>>>>>>> - I have defined two new annotation classes to capture method level
>>>>>>>> permission details
>>>>>>>>   * @AuthorizationAction("PermissionString") - allows the admin
>>>>>>>> service writer to annotate a certain operation with a permission string.
>>>>>>>> Requests get authorized only if the invoking user has enough permissions
>>>>>>>
>>>>>>> Where are these permissions stored? Can you explain how someone can
>>>>>>> compile this string?
>>>>>>
>>>>>> This is the permission string related to the Carbon permission model. IIRC,
>>>>>> this is the same string that you use inside the services.xml
>>>>>> AuthorizationAction element
>>>>>>
>>>>>>>>   * @SuperTenantService (true|false) - only the super-tenant
>>>>>>>> user can access the service
>>>>>>>
>>>>>>> false implies all the tenants including super-tenant can access this
>>>>>>> operation, right? If so, can you please consider renaming this
>>>>>>> annotation?
>>>>>>
>>>>>> In the Carbon permission structure, super-tenant is special. The other
>>>>>> way around, that is super-tenant can perform tenant operations, is implicit
>>>>>> IMHO. In that sense, when we say @SuperTenantService(false) it means it is
>>>>>> not a super tenant service -> any other tenant admin service. I'm ok to
>>>>>> change this annotation, two concerns,
>>>>>>
>>>>>> 1. I used the same jargon that is being used in services.xml,
>>>>>> <SuperTenantService>. Introducing another wording for the same thing might
>>>>>> be confusing.
>>>>>> 2. We don't really use the @SuperTenantService(false) annotation. The default
>>>>>> is false.
>>>>>>
>>>>>> Maybe we should change this to a marker annotation -> @SuperTenantService
>>>>>
>>>>> +1, makes sense. So, if you want to restrict an operation only for
>>>>> super tenant access, you use the @SuperTenantService annotation.
>>>>>
>>>>>>>> - During deployment time, the authorization handler gets
>>>>>>>> injected with the service bean. It processes all the authorization related
>>>>>>>> annotations and builds an information model. When a request comes in it
>>>>>>>> verifies the expected permission vs the bearing permission.
>>>>>>>
>>>>>>> Can you please explain how someone can plug in a new authorization
>>>>>>> handler? What classes to extend, what interfaces to implement etc.?
>>>>>>
>>>>>> They just have to implement the jaxrs.RequestHandler interface and
>>>>>> declare the bean in the spring config file (cxf-servlet.xml)
>>>>>>
>>>>>> I did not come up with an authentication/authorization abstraction for
>>>>>> Stratos in this implementation.
>>>>>
>>>>> No problem.
>>>>>
>>>>>> It is too early IMHO. Once we have at least one other
>>>>>> authentication/authorization module we can define the abstraction.
>>>>>
>>>>> IMO we should go for an OAuth2 based authentication/authorization model
>>>>> as soon as possible.
>>>>>
>>>>> We should ideally start building up a wiki page on this too.
>>>>>
>>>>>>>> *Challenges/Approaches that did not work.*
>>>>>>>>
>>>>>>>> The CXF project provides an AuthorizationFilter called
>>>>>>>> SimpleAuthorizationFilter [2] for JAAS based request authorization. It uses
>>>>>>>> the @RolesAllowed annotation to identify authorized users. However it does not
>>>>>>>> suit the Carbon authorization system well. Hence I came up with my own
>>>>>>>> annotation types, which closely resemble the params used in existing WS admin
>>>>>>>> services.
>>>>>>>>
>>>>>>>> *Authentication mechanism is pluggable*
>>>>>>>>
>>>>>>>> - Right now there is only one authenticator. It uses basic-auth to
>>>>>>>> authenticate incoming requests. It is possible to plug in other kinds of
>>>>>>>> authenticators.
>>>>>>>>
>>>>>>>> *How to write your new RESTful admin service*
>>>>>>>>
>>>>>>>> @POST
>>>>>>>> @Path("/tenant/create")
>>>>>>>> @Consumes("application/json")
>>>>>>>> @Produces("application/json")
>>>>>>>> @AuthorizationAction("/permission/protected/manage/monitor/tenants")
>>>>>>>> @SuperTenantService(true)
>>>>>>>> public String addTenant(TenantInfoBean tenantInfoBean) {
>>>>>>>>     return "success";
>>>>>>>> }
>>>>>>>>
>>>>>>>> *Sample Request from CURL*
>>>>>>>>
>>>>>>>> curl -X POST -H "Content-Type: application/json" -d
>>>>>>>> '{"tenantInfo":{"admin":"admin","firstname":"Frank","lastname":"Myers","adminPassword":"admin123","email":"[email protected]","tenantDomain":"frank.com"}}' -v -u admin:admin
>>>>>>>> https://localhost:9443/stratos/admin/tenant/create
>>>>>>>>
>>>>>>>> *TODO*
>>>>>>>>
>>>>>>>> This is more of the framework for implementing RESTful admin APIs.
>>>>>>>> I have implemented two operations for the moment. We have to populate the
>>>>>>>> service bean with the rest of the API. It's a matter of porting existing code
>>>>>>>> to the new service bean. What is more important is to carefully design the REST
>>>>>>>> endpoints.
>>>>>>>>
>>>>>>>> Unlike WS endpoints, we have to be careful with the REST endpoint /
>>>>>>>> where the parameter goes in the endpoint / the HTTP method used / etc. I will
>>>>>>>> spawn a separate thread on the topic.
>>>>>>>>
>>>>>>>> I have applied the patches to the JIRA. Would be great if the code
>>>>>>>> can be committed to the main trunk. :)
>>>>>>>>
>>>>>>>> [1] https://issues.apache.org/jira/browse/STRATOS-90
>>>>>>>> [2] http://cxf.apache.org/docs/secure-jax-rs-services.html
>>>>>>>>
>>>>>>>> thanks,
>>>>>>>> --Pradeep
>>>>>>>
>>>>>>> --
>>>>>>> Best Regards,
>>>>>>> Nirmal
>>>>>>>
>>>>>>> C.S.Nirmal J. Fernando
>>>>>>> Senior Software Engineer,
>>>>>>> WSO2 Inc.
>>>>>>>
>>>>>>> Blog: http://nirmalfdo.blogspot.com/
>>>>>>
>>>>>> thanks,
>>>>>> --Pradeep
>>>>>
>>>>> --
>>>>> Best Regards,
>>>>> Nirmal
>>>>>
>>>>> C.S.Nirmal J. Fernando
>>>>> Senior Software Engineer,
>>>>> WSO2 Inc.
>>>>>
>>>>> Blog: http://nirmalfdo.blogspot.com/
>>>
>>> --
>>> Pradeep Fernando.
>>> http://pradeepfernando.blogspot.com/
>>
>> --
>> Pradeep Fernando.
>> http://pradeepfernando.blogspot.com/
>
> --
> Lahiru Sandaruwan
> Software Engineer,
> Platform Technologies,
> WSO2 Inc., http://wso2.com
> lean.enterprise.middleware
>
> email: [email protected] cell: (+94) 773 325 954
> blog: http://lahiruwrites.blogspot.com/
> twitter: http://twitter.com/lahirus
> linked-in: http://lk.linkedin.com/pub/lahiru-sandaruwan/16/153/146

--
Lahiru Sandaruwan
Software Engineer,
Platform Technologies,
WSO2 Inc., http://wso2.com
lean.enterprise.middleware

email: [email protected] cell: (+94) 773 325 954
blog: http://lahiruwrites.blogspot.com/
twitter: http://twitter.com/lahirus
linked-in: http://lk.linkedin.com/pub/lahiru-sandaruwan/16/153/146
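The annotation-driven authorization handler that the thread describes (annotations scanned once at deployment into a model, then checked per request), as an added Java example that is neither Pradeep's patch nor Stratos/Carbon code. It assumes the marker form of @SuperTenantService agreed later in the thread, a hypothetical TenantAdminService bean, the caller's bearing permissions supplied as a plain set instead of a Carbon authorization lookup, a SUPER_TENANT_ID constant, and deny-by-default for methods without an @AuthorizationAction.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;

// Annotations as described in the thread; @SuperTenantService in the marker form agreed later.
@Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
@interface AuthorizationAction { String value(); }
@Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
@interface SuperTenantService {}

// Hypothetical admin service bean, shaped like the addTenant sample in the thread.
class TenantAdminService {
    @AuthorizationAction("/permission/protected/manage/monitor/tenants")
    @SuperTenantService
    public String addTenant(String tenantInfoJson) { return "success"; }

    @AuthorizationAction("/permission/protected/manage/monitor/tenants")
    public String getTenant(String domain) { return "{}"; }
}

public class AnnotationAuthorizationHandler {
    static final int SUPER_TENANT_ID = -1234; // assumed value of Carbon's super-tenant id

    /** Per-operation requirements captured once at deployment time. */
    record Requirement(String permission, boolean superTenantOnly) {}
    private final Map<String, Requirement> model = new HashMap<>();

    /** Deployment step: scan the injected bean instead of reflecting on every request. */
    public AnnotationAuthorizationHandler(Class<?> serviceBean) {
        for (Method m : serviceBean.getDeclaredMethods()) {
            AuthorizationAction action = m.getAnnotation(AuthorizationAction.class);
            if (action == null) continue; // no entry in the model: denied below (fail closed)
            model.put(m.getName(), new Requirement(action.value(),
                    m.isAnnotationPresent(SuperTenantService.class)));
        }
    }

    /** Request step: expected permission vs bearing permission, plus the super-tenant marker. */
    public boolean isAuthorized(String operation, int callerTenantId, Set<String> bearing) {
        Requirement req = model.get(operation);
        if (req == null) return false;                                  // unknown or unannotated
        if (req.superTenantOnly() && callerTenantId != SUPER_TENANT_ID) return false;
        return bearing.contains(req.permission());
    }

    public static void main(String[] args) {
        AnnotationAuthorizationHandler h = new AnnotationAuthorizationHandler(TenantAdminService.class);
        Set<String> perms = Set.of("/permission/protected/manage/monitor/tenants");
        System.out.println(h.isAuthorized("addTenant", SUPER_TENANT_ID, perms)); // true
        System.out.println(h.isAuthorized("addTenant", 1, perms));               // false: marker
        System.out.println(h.isAuthorized("getTenant", 1, Set.of()));            // false: no permission
    }
}
```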
