stratos-dev mailing list archives

From Nirmal Fernando <nirmal070...@gmail.com>
Subject Re: Stratos 4.1.0 User Management and Permission Model
Date Mon, 15 Sep 2014 06:04:27 GMT
Great work Lasindu!! Will test and give you some feedback.

On Mon, Sep 15, 2014 at 10:44 AM, Lasindu Charith <lasindu@wso2.com> wrote:

> Hi all,
>
> The changes are committed in docker_integration branch
> https://github.com/apache/stratos/commit/29bf5f164ea6b77a34b876406cc2d3da95231109
>
> *Created JIRAs*
> https://issues.apache.org/jira/browse/STRATOS-799
> https://issues.apache.org/jira/browse/STRATOS-800
> https://issues.apache.org/jira/browse/STRATOS-801
>
> Wrote a blog post covering the changes.
> http://blog.lasindu.com/2014/09/apache-stratos-410-user-management-and.html
>
>
> On Sun, Sep 7, 2014 at 3:56 PM, Lasindu Charith <lasindu@wso2.com> wrote:
>
>> Attached the permission model for Tenant User.
>>
>>
>> On Sun, Sep 7, 2014 at 3:55 PM, Lasindu Charith <lasindu@wso2.com> wrote:
>>
>>> Hi all,
>>>
>>> Please find the progress below.
>>>
>>> Carbon User Management feature was installed in p2-profile gen since we
>>> are including user management functionality in Stratos 4.1.0. A user role
>>> called 'Tenant-User' will be created with the following permissions. Tenant
>>> user can view Autoscaling policies, Cartridge definitions, deployment
>>> policies, partition definitions, service definitions, subscriptions in the
>>> tenant space while only having the ability to add/remove subscriptions.
>>>
>>>
>>> [image: Inline image 1]
>>>
>>> stratos.manager, cloud.controller and autoscaler component
>>> services/component.xmls were modified to include relevant permissions
>>> and AuthorizationActions to call particular service methods. The
>>> StratosAdmin REST API methods' @AuthorizationAction was changed to
>>> facilitate the above permission model.
>>>
>>> In the current implementation the stratos UI permissions and REST API
>>> permissions are handled separately. UI permissions are predefined for
>>> Stratos Admin and Tenant admin separately in the acl.json file. The whole
>>> UI permission model needs to be changed to use carbon user management and
>>> permissions using Jaggery, which I will be looking into next. Will be
>>> including couple of REST API methods to create/delete/modify tenant users
>>> and roles.
>>>
>>> WIP :
>>> https://github.com/lasinducharith/stratos/commit/0f018ffb6d9ac33f67d568d7ff3d9688e8f45a43
>>>
>>> Thanks,
>>>
>>>
>>> On Mon, Sep 1, 2014 at 5:07 PM, Lasindu Charith <lasindu@wso2.com>
>>> wrote:
>>>
>>>> Hi Reka,
>>>>
>>>>
>>>> On Mon, Sep 1, 2014 at 4:50 PM, Reka Thirunavukkarasu <reka@wso2.com>
>>>> wrote:
>>>>
>>>>> Hi Lasindu
>>>>>
>>>>>
>>>>> On Fri, Aug 29, 2014 at 2:09 PM, Lasindu Charith <lasindu@wso2.com>
>>>>> wrote:
>>>>>
>>>>>> Hi devs,
>>>>>>
>>>>>> I'm in the process of extending the User Management and Permission
>>>>>> model for Stratos 4.1.0.
>>>>>> (See email discussions with following subjects : Role based access
>>>>>> and functionality for Stratos & Introducing tenant isolation in
>>>>>> policy/definition creation and usage).
>>>>>>
>>>>>> As discussed above, the proposed User/tenant Management will be as
>>>>>> following.
>>>>>>
>>>>>>    1. Mainly there are 3 users, Stratos Admin (Super Admin), Tenant
>>>>>>    Admin and the Tenant User.
>>>>>>
>>>>> Don't you need to have Super Admin users as well? So that we can give
>>>>> some role based access even to Multiple super admins.
>>>>>
>>>>
>>>> Yes, in the super tenant space, super tenant can have multiple
>>>> (super)tenant admins as well as (super)tenant users. This should work
>>>> similar to the way other tenant spaces work. In the initial step we are
>>>> planning to create pre defined user roles in Carbon, so that at the time of
>>>> user creation, tenant admins can select the user role.
>>>>
>>>>>
>>>>>
>>>>>>
>>>>>>    1. Tenant(admin) creation will be moved back to the Carbon UI and
>>>>>>    tenant user creation will be done in new Stratos UI. Tenant user
>>>>>>    will have a set of pre-defined roles to be assigned at the user creation
>>>>>>    time.
>>>>>>    2. Stratos Admin will mostly use the Carbon UI to create new
>>>>>>    tenants and will also have his own super tenant space to create new
>>>>>>    policies, definitions, users, subscribe to cartridges etc. IaaS
>>>>>>    configuration will be done by the Stratos admin.
>>>>>>    3. A tenant admin will use the new UI to configure the tenant
>>>>>>    space - this includes creation of policies, definitions and deploying them,
>>>>>>    adding tenant users and assigning them roles.
>>>>>>    4. A tenant user will use the new UI to create/deploy
>>>>>>    applications (previously referred to as subscribe) which are visible within
>>>>>>    that tenant space.
>>>>>>
>>>>>> The existing permission model needs to be extended to support
>>>>>> tenant/user level separation and
>>>>>> REST API should provide role based access. Will update the thread
>>>>>> with progress.
>>>>>>
>>>>>
>>>>> Are you introducing any permissions specific to Super/Tenant
>>>>> admin/users in stratos? So that we can assign the users to relevant roles
>>>>> based on the permissions given.
>>>>>
>>>>
>>>> Yes, only Super tenant can create/delete tenants, but any tenant admin
>>>> can deploy/edit/delete policies, cartridge definitions, partitions etc. So
>>>> there are specific permissions for super admin/tenant, tenant admin and
>>>> tenant user. These will ideally be user roles in carbon user management
>>>> model.
>>>>
>>>>
>>>>>
>>>>>> Suggestions and thoughts are welcome ..
>>>>>>
>>>>>> Thanks,
>>>>> Reka
>>>>>
>>>>>>
>>>>>> Thanks,
>>>>>> --
>>>>>> *Lasindu Charith*
>>>>>> Software Engineer, WSO2 Inc.
>>>>>> Mobile: +94714427192
>>>>>> Web: blog.lasindu.com
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Reka Thirunavukkarasu
>>>>> Senior Software Engineer,
>>>>> WSO2, Inc.:http://wso2.com,
>>>>> Mobile: +94776442007
>>>>>
>>>>>
>>>>>
>>>>
>>>> Thanks,



-- 
Best Regards,
Nirmal

Nirmal Fernando.
PPMC Member & Committer of Apache Stratos,
Senior Software Engineer, WSO2 Inc.

Blog: http://nirmalfdo.blogspot.com/
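
The role model discussed in this thread, written out as a deny-by-default check with tenant isolation. This is an added example, not part of the thread and not Stratos or Carbon code. The role, action and resource names, the `super` tenant id, the `is_allowed` helper, and the choice that a tenant admin inherits the tenant user's permissions are all assumptions made for illustration.

```python
# Added illustration: every name below is a hypothetical label,
# not a Stratos or Carbon identifier.
from dataclasses import dataclass

SUPER_TENANT = "super"  # assumed id of the super tenant space

# Resources a Tenant User may view, as listed in the thread.
VIEWABLE = {"autoscaling_policy", "cartridge_definition", "deployment_policy",
            "partition_definition", "service_definition", "subscription"}

# role -> allowed (action, resource) pairs; anything absent is denied.
ROLE_PERMS = {
    "tenant_user": {("view", r) for r in VIEWABLE}
                   | {("add", "subscription"), ("remove", "subscription")},
}
# Assumption: a tenant admin can do everything a tenant user can, plus
# deploy/edit/delete definitions and manage tenant users.
ROLE_PERMS["tenant_admin"] = (
    ROLE_PERMS["tenant_user"]
    | {(a, r) for a in ("deploy", "edit", "delete")
       for r in VIEWABLE - {"subscription"}}
    | {("add", "tenant_user"), ("assign_role", "tenant_user")}
)


@dataclass(frozen=True)
class User:
    name: str
    tenant: str
    role: str


def is_allowed(user, action, resource, target_tenant):
    """Return True only if the role model in the thread permits the call."""
    # Tenant lifecycle: only an admin of the super tenant may create/delete.
    if resource == "tenant":
        return (user.tenant == SUPER_TENANT
                and user.role == "tenant_admin"
                and action in ("create", "delete"))
    # Tenant isolation: no role reaches into another tenant's space.
    if user.tenant != target_tenant:
        return False
    # Deny by default: unknown roles and unlisted pairs get nothing.
    return (action, resource) in ROLE_PERMS.get(user.role, set())
```
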
