directory-fortress mailing list archives

From Shawn McKinney <smckin...@apache.org>
Subject New RoleConstraint Types for ABAC
Date Thu, 23 Aug 2018 15:14:24 GMT
Hello,

Wanted to notify the community of an upcoming change to the RoleConstraint entity to support generic
attributes.

First, a bit of history. The RoleConstraint was added to support this enhancement a few years
back:

FC-116 - Need the ability to get user specific attributes for fine grained access determinations
 - https://issues.apache.org/jira/browse/FC-116

Now, we are adding generic ABAC use cases, as described by this article:
https://iamfortress.net/2018/07/07/towards-an-attribute-based-role-based-access-control-system/

We need a way to store attributes on a user's role assignment. First, I went with user properties,
per this JIRA enhancement:

FC-235 - Add support for runtime constraints to be placed on activated roles
 - https://issues.apache.org/jira/browse/FC-235

While that works, it’s not ideally suited for all of the use cases.  That got me looking
at using the RoleConstraints previously added.

So, as part of this ticket:
FC-239 - Some additional methods to manage role constraints.
 - https://issues.apache.org/jira/browse/FC-239

I am adding RoleConstraint type USER:

    public enum RCType
    {
        FILTER,
        USER,  // this is new
        OTHER
    }

Which will piggyback on the existing entity, repurposing some of its fields:

    String id;         // not used, left blank
    RCType type;       // 'USER'
    String value;      // contains the attribute's value
    String paSetName;  // contains the attribute's (key) name

Here is a sample of RAW data, as it will be stored in the ftRC LDAP attribute:

    washers$type$USER$locale$north$
    washers$type$USER$locale$south$

In this case, the user has two role constraints placed on their role assignment to 'washers'.
As can be seen, it uses a delimiter for each attr. But nothing has changed in the overall
format of the field, only the semantics of what the fields are used for.

This new code passes all regression tests for role constraints added to support the original
permission assignment sets, using 'FILTER' type.

I will add new tests to ensure that it works for role constraints of type 'USER', and check
into trunk in the next day or so.

Please let me know if you have any questions or concerns.

--Shawn
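To make the repurposed field semantics concrete, here is an added, stand-alone Python example (not Fortress code and not from the message above) that parses ftRC values of the shape shown in the e-mail into the four RoleConstraint fields, separates USER-type entries from the pre-existing FILTER/OTHER ones, and evaluates a requested attribute against the stored constraints. The token order `<role>$type$<RCType>$<paSetName>$<value>$` is an assumption inferred from the two sample lines; the `RoleConstraint` dataclass, `parse_ft_rc`, `user_attributes` and `activation_allowed` are hypothetical names introduced for this illustration, and the sample values are the two lines from the message, embedded as constructed input.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List

# Constructed sample input: the two ftRC values quoted in the message.
SAMPLE_FT_RC = [
    "washers$type$USER$locale$north$",
    "washers$type$USER$locale$south$",
]

DELIM = "$"


class RCType(Enum):
    FILTER = "FILTER"
    USER = "USER"
    OTHER = "OTHER"


@dataclass
class RoleConstraint:
    role: str
    type: RCType
    pa_set_name: str   # for USER type: the attribute (key) name
    value: str         # for USER type: the attribute value
    id: str = ""       # not used for USER type, left blank


def parse_ft_rc(raw: str) -> RoleConstraint:
    """Parse one ftRC value into a RoleConstraint.

    Assumed token layout (hypothetical, inferred from the sample lines):
        <role>$type$<RCType>$<paSetName>$<value>$
    Anything that does not match exactly is rejected rather than guessed at:
    a value containing the delimiter would otherwise shift every later field.
    """
    if not raw.endswith(DELIM):
        raise ValueError(f"ftRC value must end with {DELIM!r}: {raw!r}")
    tokens = raw[:-1].split(DELIM)
    if len(tokens) != 5 or tokens[1] != "type":
        raise ValueError(f"unexpected ftRC layout: {raw!r}")
    role, _, type_name, pa_set_name, value = tokens
    try:
        rc_type = RCType[type_name]
    except KeyError:
        raise ValueError(f"unknown RCType {type_name!r} in {raw!r}") from None
    if rc_type is RCType.USER and (not pa_set_name or not value):
        raise ValueError(f"USER constraint needs both key and value: {raw!r}")
    return RoleConstraint(role=role, type=rc_type,
                          pa_set_name=pa_set_name, value=value)


def user_attributes(constraints: List[RoleConstraint],
                    role: str) -> Dict[str, List[str]]:
    """Collect USER-type constraints on one role assignment as key -> values.

    FILTER and OTHER entries are deliberately skipped: they keep their original
    meaning (permission attribute sets) and must not be read as user attributes.
    """
    attrs: Dict[str, List[str]] = {}
    for rc in constraints:
        if rc.role == role and rc.type is RCType.USER:
            attrs.setdefault(rc.pa_set_name, []).append(rc.value)
    return attrs


def activation_allowed(constraints: List[RoleConstraint], role: str,
                       requested: Dict[str, str]) -> bool:
    """Decide whether a role may be activated with the requested attributes.

    Every requested key must be constrained on the assignment and the requested
    value must be one of the stored values. A key with no stored constraint is
    denied, so a missing or unparsed constraint fails closed.
    """
    attrs = user_attributes(constraints, role)
    return all(key in attrs and val in attrs[key]
               for key, val in requested.items())


if __name__ == "__main__":
    constraints = [parse_ft_rc(line) for line in SAMPLE_FT_RC]
    print(user_attributes(constraints, "washers"))
    print(activation_allowed(constraints, "washers", {"locale": "south"}))
    print(activation_allowed(constraints, "washers", {"locale": "east"}))
```

Because the on-disk format is positional and the delimiter is a plain `$`, the parser insists on exactly five tokens and the literal `type` marker; a sloppier split that silently accepted a shifted record would let a malformed entry be read as a different key or value than the one that was written.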