directory-fortress mailing list archives

From "Oleksandr Bodriagov (Polystar)" <oleksandr.bodria...@polystar.com>
Subject Re: Apache Fortress REST API state and session object
Date Sun, 03 May 2015 21:13:09 GMT
Great, thank you! Now I have a clear picture and everything seems logical.

/Oleksandr



On 3/5/2015 17:45, "Shawn McKinney" <smckinney@apache.org> wrote:

>
>> On May 3, 2015, at 9:53 AM, Oleksandr Bodriagov (Polystar)
>><oleksandr.bodriagov@polystar.com> wrote:
>> 
>> I didn't know that there are administrator level functions in the API. I
>> couldn't find this information in the documentation.
>> 
>
>Right now the best source for documentation on what the APIs do is the
>javadoc:
>
>https://directory.apache.org/fortress/gen-docs/latest/apidocs/org/apache/directory/fortress/core/package-summary.html
>
>Check out the APIs on accessmgr (rbac policy enforcement), adminmgr (rbac
>policy provisioning), reviewmgr (rbac policy review), and delaccessMgr
>(arbac policy enforcement), deladminmgr (arbac policy provisioning),
>delreviewmgr (arbac policy review).
>
>Think of delegated administration as rbac for rbac.  It is used solely
>for the purposes of controlling administrative access to the fortress
>apis.  
>
>> 
>> On May 3, 2015, at 9:53 AM, Oleksandr Bodriagov (Polystar)
>><oleksandr.bodriagov@polystar.com> wrote:
>> 
>> So, if I got it right, there are functions in the REST API that only
>> administrators can invoke (receive a valid answer). My particular use
>> case can be solved using these functions. There is an administrator level
>> function "userPerms" that gives the same output as rbacPerms. A
>> fortress-rest-super-user (user Alice) using a request to "userPerms" can
>> check permissions for the user Bob. To do this, a fortress-rest-super-user
>> should get his own session object first. Then he creates a FortRequest
>> with his session, user entity for Bob, context, and sends it to
>> "userPerms". Is it how it works?
>
>You don’t have to use the administrator’s session to invoke the APIs.  If
>it is passed, the service will ensure the admin has the permission to
>invoke the service.  If it is not passed that particular (arbac) check
>will be skipped. 
>
>But the short answer is ‘yes’, you may interrogate the user’s permissions
>using the review mgr apis.
>
>> 
>> On May 3, 2015, at 9:53 AM, Oleksandr Bodriagov (Polystar)
>><oleksandr.bodriagov@polystar.com> wrote:
>> 
>> Is userAuthzed an administrator level function that gives the same
>> information as rbacAuthZ?
>
>Keep in mind that userPerms and rbacPerms are not equivalent.  userPerms
>returns ALL permissions that a user has according to their role
>assignments.  rbacPerms returns all permissions that user has according
>to their role activations.  So rbacPerms will be a subset of userPerms.
>
>Shawn
>smckinney@apache.org
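To make the distinction in the reply above concrete, here is an added example of my own (not code from this thread or from the Fortress project) that calls the core manager methods behind the two REST services: ReviewMgr.userPermissions, which the userPerms service wraps, and AccessMgr.sessionPermissions, which the rbacPerms service wraps, with the optional admin session supplied through setAdmin. Assumed: the context id "HOME", an administrator alice, a user bob assigned a role named "auditor", the org.apache.directory.fortress.core.model package layout, and a char[] password constructor (older 1.0-era builds kept these classes under core.rbac and the password type has varied between releases).

```java
import java.util.List;
import java.util.stream.Collectors;

import org.apache.directory.fortress.core.AccessMgr;
import org.apache.directory.fortress.core.AccessMgrFactory;
import org.apache.directory.fortress.core.DelAccessMgr;
import org.apache.directory.fortress.core.DelAccessMgrFactory;
import org.apache.directory.fortress.core.ReviewMgr;
import org.apache.directory.fortress.core.ReviewMgrFactory;
import org.apache.directory.fortress.core.SecurityException;
import org.apache.directory.fortress.core.model.Permission;
import org.apache.directory.fortress.core.model.Session;
import org.apache.directory.fortress.core.model.User;
import org.apache.directory.fortress.core.model.UserRole;

public class PermsCompare {
    // Assumed tenant/context id; users alice, bob and role "auditor" are assumed too.
    static final String CTX = "HOME";

    public static void main(String[] args) throws SecurityException {
        // Alice's session carries her admin role activations. Setting it on a
        // manager is the core equivalent of passing "session" in a FortRequest:
        // the ARBAC check then runs; without it, that check is skipped.
        DelAccessMgr delAccessMgr = DelAccessMgrFactory.createInstance(CTX);
        Session adminSession = delAccessMgr.createSession(
            new User("alice", "alice-password".toCharArray()), false);

        // userPerms == ReviewMgr.userPermissions: every permission Bob holds
        // through his role ASSIGNMENTS, independent of any session of his.
        ReviewMgr reviewMgr = ReviewMgrFactory.createInstance(CTX);
        reviewMgr.setAdmin(adminSession);
        List<Permission> userPerms = reviewMgr.userPermissions(new User("bob"));

        // rbacPerms == AccessMgr.sessionPermissions: only permissions reachable
        // through roles ACTIVATED in Bob's own session. Dropping one active
        // role shows why this set is a subset of userPerms, never a superset.
        AccessMgr accessMgr = AccessMgrFactory.createInstance(CTX);
        Session bobSession = accessMgr.createSession(
            new User("bob", "bob-password".toCharArray()), false);
        accessMgr.dropActiveRole(bobSession, new UserRole("bob", "auditor"));
        List<Permission> rbacPerms = accessMgr.sessionPermissions(bobSession);

        List<String> assigned = userPerms.stream().map(PermsCompare::name).collect(Collectors.toList());
        List<String> active = rbacPerms.stream().map(PermsCompare::name).collect(Collectors.toList());
        System.out.println("userPerms (assignments): " + assigned);
        System.out.println("rbacPerms (activations): " + active);
        System.out.println("subset holds: " + assigned.containsAll(active));
    }

    // Render a permission as objName.opName for readable output.
    static String name(Permission p) { return p.getObjName() + "." + p.getOpName(); }
}
```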
