On Thu, Dec 13, 2012 at 11:44 AM, Manjula Rathnayake <manju...@wso2.com>wrote:
> Hi,
>
> Just a suggestion on how we handle authorization in management console.
> Currently we have a static permission tree (even though the new
> permissions are added based on component.xml). It is better if we can click
> on a node and add a permission string. And we have the same permission view
> on all tenants. However we have the ability to define permissions
> programmatically (back-end support is there), though that is not visible in
> UI. If we can do the UI changes, that would be a huge advantage when
> defining granular permissions.
>

Programmatically adding permissions is not straightforward. You need to call
registry APIs & insert resources into a particular collection and do some
other stuff. We need clean APIs.

>
> thank you.
>
> On Wed, Dec 12, 2012 at 9:28 PM, Afkham Azeez <az...@wso2.com> wrote:
>
>> For starters, we don't have to change all components to use the new API,
>> but we can gradually migrate those components. There was a customer
>> requirement to be able to add new permissions from their webapp, and read
>> them when necessary. We don't have a simple API to do that AFAIK. So, it
>> would be nice to introduce such an API, and then gradually migrate our
>> existing components to use that where applicable.
>>
>> Azeez
>>
>> On Thu, Dec 13, 2012 at 10:53 AM, Asela Pathberiya <as...@wso2.com> wrote:
>>
>>> On Mon, Dec 10, 2012 at 11:44 AM, Afkham Azeez <az...@wso2.com> wrote:
>>>
>>>> Right now the way to create or read permissions is not straightforward.
>>>> The APIs are really twisted. The fact that the permissions are stored in
>>>> the Registry is an implementation detail. Users should not be calling
>>>> Registry APIs to deal with permissions. We have users interested
>>>> in programmatically creating their permissions. Ideally, it would be great
>>>> to have a simple API like the following:
>>>
>>> +1 for simple API like this.
>>>
>>> But it is better, if we have some more clarifications..
>>>
>>> Currently all carbon components use AuthorizationManager API for doing
>>> RBAC. You have meant to use new API (PermissionsUtil) rather than using
>>> AuthorizationManager, or else changing the API of AuthorizationManager to
>>> be simple as this, or else providing a new API for other applications to
>>> use.
>>>
>>> AFAIK currently also, we do not want to do the registry API call to
>>> add, remove, check permission (RBAC model). We can just
>>> use AuthorizationManager API to configure permissions. Permissions are
>>> stored in UM database. But we have mapped the Carbon UI permissions in to the
>>> registry resources. You can use remote-user-mgt component for doing
>>> authorization operations [1] using web service also. It exposes
>>> authorization manager API as a web service. But AuthorizationManager API
>>> seems to be not clear. I guess, it has been written, thinking about the
>>> Carbon UI. Also it is not a good API to use by any applications to do RBAC.
>>>
>>> Also we have hoped to write some new feature [2] to configure RBAC for
>>> any applications. This component exposes web service API and uses same UM
>>> database schema to persist the permissions. Therefore any application can
>>> use this web service to do their RBAC.
>>>
>>> I guess, as a start, it would be better, if we can make the API of new
>>> feature to be simpler as what you have shared here. Then it can be used by
>>> other applications. And this can be done without much effort. But if we
>>> are changing all existing carbon components to use this API, I think it
>>> would be some time consuming effort, maybe for C5.
>>>
>>> [1] https://svn.wso2.org/repos/wso2/carbon/platform/branches/4.0.0/components/remote-usermgt
>>> [2] https://svn.wso2.org/repos/wso2/carbon/platform/branches/4.0.0/components/identity/org.wso2.carbon.identity.authorization.core/
>>>
>>> Thanks,
>>> Asela.
>>>
>>>> public final class PermissionsUtil {
>>>>
>>>>     public void createPermission(String permissionKey, List<UserRole> roles);
>>>>
>>>>     public void addRolesToPermission(String permissionKey, List<UserRole> roles);
>>>>
>>>>     public void removeRolesFromPermission(String permissionKey, List<UserRole> roles);
>>>>
>>>>     public void deletePermission(String permissionKey);
>>>>
>>>>     public List<UserRole> getRolesWithPermission(String permissionKey);
>>>>
>>>>     public Permission getPermission(String permissionKey);
>>>>
>>>> }
>>>>
>>>> public class Permission {
>>>>
>>>>     private String permissionKey;
>>>>     private List<UserRole> userRoles;
>>>>
>>>> }
>>>>
>>>> Can somebody own this task?
>>>>
>>>> --
>>>> Afkham Azeez
>>>> Director of Architecture; WSO2, Inc.; http://wso2.com
>>>> Member; Apache Software Foundation; http://www.apache.org/
>>>> email: az...@wso2.com
>>>> cell: +94 77 3320919
>>>> blog: http://blog.afkham.org
>>>> twitter: http://twitter.com/afkham_azeez
>>>> linked-in: http://lk.linkedin.com/in/afkhamazeez
>>>>
>>>> Lean . Enterprise . Middleware
>>>>
>>
>
> --
> Manjula Rathnayaka
> Software Engineer
> WSO2, Inc.
> Mobile: +94 77 743 1987

--
Afkham Azeez
Director of Architecture; WSO2, Inc.; http://wso2.com
Member; Apache Software Foundation; http://www.apache.org/
email: az...@wso2.com
cell: +94 77 3320919
blog: http://blog.afkham.org
twitter: http://twitter.com/afkham_azeez
linked-in: http://lk.linkedin.com/in/afkhamazeez

Lean . Enterprise . Middleware
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
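The following is an added, self-contained model of the PermissionsUtil API sketched in this thread. It is example code written for this page, not WSO2 Carbon's own implementation, and it makes several assumptions the thread does not state: UserRole is a plain named value (the thread never defines it); permission keys are slash-separated paths under /permission, as in the Carbon UI permission tree; a grant on a node applies to every descendant node; permissions are held in an in-memory map instead of the UM database; and isRoleAuthorized is an added check that the proposal itself does not include. The key validation and the subtree delete are the two details a practitioner would want before exposing such an API to a webapp.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;

// UserRole is undefined in the thread; this minimal named value type is an assumption.
final class UserRole {
    private final String name;
    UserRole(String name) { this.name = Objects.requireNonNull(name, "role name"); }
    String getName() { return name; }
    @Override public boolean equals(Object o) { return o instanceof UserRole && ((UserRole) o).name.equals(name); }
    @Override public int hashCode() { return name.hashCode(); }
    @Override public String toString() { return name; }
}

// The Permission value class from the proposal, with read-only accessors added.
final class Permission {
    private final String permissionKey;
    private final List<UserRole> userRoles;
    Permission(String permissionKey, List<UserRole> userRoles) {
        this.permissionKey = permissionKey;
        this.userRoles = Collections.unmodifiableList(new ArrayList<>(userRoles));
    }
    String getPermissionKey() { return permissionKey; }
    List<UserRole> getUserRoles() { return userRoles; }
}

// In-memory model of the proposed PermissionsUtil; a real one would persist to the UM database.
// Keys are slash-separated paths under /permission, as in the Carbon UI permission tree (assumption).
final class PermissionsUtil {
    private static final String ROOT = "/permission";
    private final Map<String, Set<UserRole>> grants = new HashMap<>();

    // Canonicalise and validate a key: under ROOT, no trailing slash, no empty, "." or ".." segments.
    // Rejecting these up front stops a caller granting "/permission/admin/../x" or a key whose
    // spelling differs from its canonical form and so would be missed by the ancestor walk below.
    private static String normalize(String key) {
        if (key == null) throw new IllegalArgumentException("null permission key");
        String k = key.length() > 1 && key.endsWith("/") ? key.substring(0, key.length() - 1) : key;
        if (!(k.equals(ROOT) || k.startsWith(ROOT + "/"))) {
            throw new IllegalArgumentException("permission key must be under " + ROOT + ": " + key);
        }
        for (String seg : k.substring(1).split("/")) {
            if (seg.isEmpty() || seg.equals(".") || seg.equals("..")) {
                throw new IllegalArgumentException("malformed permission key: " + key);
            }
        }
        return k;
    }

    public void createPermission(String permissionKey, List<UserRole> roles) {
        String key = normalize(permissionKey);
        if (grants.containsKey(key)) throw new IllegalStateException("permission already exists: " + key);
        grants.put(key, new LinkedHashSet<>(roles));
    }

    public void addRolesToPermission(String permissionKey, List<UserRole> roles) { existing(permissionKey).addAll(roles); }

    public void removeRolesFromPermission(String permissionKey, List<UserRole> roles) { existing(permissionKey).removeAll(roles); }

    // Deleting a node drops its whole subtree, so no child keeps a grant after its parent is gone.
    public void deletePermission(String permissionKey) {
        String key = normalize(permissionKey);
        grants.keySet().removeIf(k -> k.equals(key) || k.startsWith(key + "/"));
    }

    public List<UserRole> getRolesWithPermission(String permissionKey) { return new ArrayList<>(existing(permissionKey)); }

    public Permission getPermission(String permissionKey) {
        String key = normalize(permissionKey);
        return new Permission(key, getRolesWithPermission(key));
    }

    // Added check, not in the proposal. Deny by default: a role passes only if it is granted on the
    // requested node or on an ancestor (assumed tree semantics). A child node cannot revoke a grant
    // inherited from its parent; revocation has to happen on the ancestor that holds the grant.
    public boolean isRoleAuthorized(UserRole role, String permissionKey) {
        String key = normalize(permissionKey);
        while (true) {
            Set<UserRole> roles = grants.get(key);
            if (roles != null && roles.contains(role)) return true;
            if (key.equals(ROOT)) return false;
            key = key.substring(0, key.lastIndexOf('/'));
        }
    }

    private Set<UserRole> existing(String permissionKey) {
        Set<UserRole> roles = grants.get(normalize(permissionKey));
        if (roles == null) throw new IllegalArgumentException("no such permission: " + permissionKey);
        return roles;
    }

    public static void main(String[] args) {
        PermissionsUtil util = new PermissionsUtil();
        UserRole admin = new UserRole("admin"), operator = new UserRole("operator");
        util.createPermission("/permission/admin/manage", Arrays.asList(admin));          // parent grant
        util.createPermission("/permission/admin/manage/restart", Arrays.asList(operator)); // leaf grant
        // "stop" is not a stored node, so the check walks up to the parent and only admin qualifies.
        for (String key : new String[] {"/permission/admin/manage", "/permission/admin/manage/restart", "/permission/admin/manage/stop"}) {
            System.out.println(key + " admin=" + util.isRoleAuthorized(admin, key) + " operator=" + util.isRoleAuthorized(operator, key));
        }
        util.deletePermission("/permission/admin/manage"); // removes the leaf as well
        System.out.println("operator on restart after parent delete: " + util.isRoleAuthorized(operator, "/permission/admin/manage/restart"));
    }
}
```

Compile and run with `javac PermissionsUtil.java && java PermissionsUtil`. The design choice worth checking against whatever store a real implementation uses is the inheritance direction: with grants flowing down the tree, listing a narrower role set on a child does not restrict a role already granted on an ancestor, so a reviewer auditing permissions must read the ancestors of a node, not just the node itself.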