From Yudhi Karunia Surtan <brainmaster...@gmail.com>
Subject Re: New RoleConstraint Types for ABAC
Date Thu, 23 Aug 2018 15:22:41 GMT
Hi Shawn,

How about the compatibility with the previous version?
If it is not compatible, is there a way to migrate it?
Thanks.

On Thu, Aug 23, 2018, 22:14 Shawn McKinney <smckinney@apache.org> wrote:

> Hello,
>
> Wanted to notify the community of an upcoming change to the RoleConstraint
> entity to support generic attributes.
>
> First, a bit of history.  The RoleConstraint was added to support this
> enhancement a few years back:
>
> FC-116 - Need the ability to get user specific attributes for fine grained
> access determinations
>  - https://issues.apache.org/jira/browse/FC-116
>
> Now, we are adding generic ABAC use cases, as described by this article:
>
> https://iamfortress.net/2018/07/07/towards-an-attribute-based-role-based-access-control-system/
>
> We need a way to store attributes on user’s role assignment.  First, I
> went with user properties, per this JIRA enhancement:
>
> FC-235 - Add support for runtime constraints to be placed on activated
> roles
>  - https://issues.apache.org/jira/browse/FC-235
>
> While that works, it’s not ideally suited for all of the use cases.  That
> got me looking at using the RoleConstraints previously added.
>
> So, as part of this ticket:
> FC-239 - Some additional methods to manage role constraints.
>  - https://issues.apache.org/jira/browse/FC-239
>
> I am adding RoleConstraint type USER:
>
>     public enum RCType
>     {
>         FILTER,
>         USER,  // <-- this is new
>         OTHER
>     }
>
> Which will piggyback on the existing entity, repurposing some of its
> fields:
>     String id;        // not used, left blank
>     RCType type;      // 'USER'
>     String value;     // contains the attribute's value
>     String paSetName; // contains the attribute's (key) name
>
> Here is a sample of RAW data, as it will be stored in the ftRC LDAP
> attribute:
> washers$type$USER$locale$north$
> washers$type$USER$locale$south$
>
> In this case, the user has two roleconstraints placed on their role
> assignment to 'washers'.  As can be seen, it uses a delimiter for each
> attr.  But nothing has changed in the overall format of the field.  Only
> the semantics of what the fields are used for.
>
> This new code passes all regression tests for roleconstraints added to
> support the original permission assignment sets, using ‘FILTER’ type.
>
> I will add new tests to ensure that it works for roleconstraints of type
> ‘USER’, and checking into trunk in the next day or so.
>
> Please let me know if you have any questions or concerns.
>
> --Shawn
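As an added illustration (not Fortress project code, and not from either poster), the following Python parses raw ftRC values like the two quoted above and shows how a USER-type constraint would gate activation of the 'washers' role. The field order role$type$RCType$key$value$id is an assumption inferred from the sample, and the fail-closed activation rule is mine, not the project's.

```python
# Added example, not Fortress project code: parse raw ftRC values like the ones
# in the message and gate role activation on USER-type constraints.
# Assumed field order, inferred from "washers$type$USER$locale$north$":
#   role $ "type" $ RCType $ paSetName (attribute key) $ value $ id
from collections import defaultdict
from dataclasses import dataclass

DELIM = "$"
RC_TYPES = ("FILTER", "USER", "OTHER")  # the RCType enum from the message

@dataclass(frozen=True)
class RoleConstraint:
    role: str
    rc_type: str
    key: str         # paSetName, repurposed as the attribute name
    value: str       # the attribute's value
    rc_id: str = ""  # id, left blank for USER constraints

def parse_ftrc(raw: str) -> RoleConstraint:
    """Split one ftRC value into fields; reject anything off the assumed layout."""
    parts = raw.split(DELIM)
    # An exact count also rejects values that themselves contain the delimiter.
    if len(parts) != 6 or parts[1] != "type":
        raise ValueError(f"malformed ftRC value: {raw!r}")
    role, _, rc_type, key, value, rc_id = parts
    if rc_type not in RC_TYPES:
        raise ValueError(f"unknown RCType {rc_type!r} in {raw!r}")
    return RoleConstraint(role, rc_type, key, value, rc_id)

def allowed_values(raws, role):
    """attribute key -> set of values permitted by USER constraints on `role`."""
    allowed = defaultdict(set)
    for rc in map(parse_ftrc, raws):
        if rc.rc_type == "USER" and rc.role == role:
            allowed[rc.key].add(rc.value)
    return allowed

def may_activate(raws, role, **attrs) -> bool:
    """Permit activation only if every constrained key is supplied with one of
    its permitted values. A constrained key the caller omits denies (fail closed);
    keys without a USER constraint are not checked."""
    return all(attrs.get(key) in values
               for key, values in allowed_values(raws, role).items())

# Constructed sample: the two raw values quoted in the message.
SAMPLE = ["washers$type$USER$locale$north$", "washers$type$USER$locale$south$"]
```

With the sample, activating 'washers' with locale=north or locale=south passes, any other locale or a missing locale is refused, and a role with no USER constraints is unaffected.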
