stratos-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Lasindu Charith <>
Subject Re: Stratos 4.1.0 User Management and Permission Model
Date Sun, 07 Sep 2014 10:25:10 GMT
Hi all,

Please find the progress below.

Carbon User Management feature was installed in p2-profile gen since we are
including user management functionality in Stratos 4.1.0. A user role
called 'Tenant-User' will be created with the following permissions. Tenant
user can view Autoscaling policies, Cartridge definitions, deployment
policies, partition definitions, service definitions, subscriptions in the
tenant space while only having the ability to add/remove subscriptions.

[image: Inline image 1]

stratos.manager, cloud.controller and autoscaler compont
services/component.xmls were modified to include relevant permissions
and AuthorizationActions to call particular service methods.The
StratosAdmin REST API methods'  @AuthorizationAction was changed to
facilitate the above permission model.

In the current implementation the stratos UI permissions and REST API
permissions are handled separately. UI permissions are predefined for
Stratos Admin and Tenant admin seperately in the acl.json file. The whole
UI permission model needs to be changed to use carbon user management and
permissions using Jaggery, which I will be looking into next. Will be
including couple of REST API methods to create/delete/modify tenant users
and roles.



On Mon, Sep 1, 2014 at 5:07 PM, Lasindu Charith <> wrote:

> Hi Reka,
> On Mon, Sep 1, 2014 at 4:50 PM, Reka Thirunavukkarasu <>
> wrote:
>> Hi Lasindu
>> On Fri, Aug 29, 2014 at 2:09 PM, Lasindu Charith <>
>> wrote:
>>> Hi devs,
>>> I'm in the process of extending the User Management and Permission model
>>> for Stratos 4.1.0.
>>> (See email discussions with following subjects : Role based access and
>>> functionality for Stratos & Introducing tenant isolation in
>>> policy/definition creation and usage).
>>> As discussed above, the proposed User/tenant Management will be as
>>> following.
>>>    1. Mainly there are 3 users, Stratos Admin (Super Admin), Tenant
>>>    Admin and the Tenant User.
>>> Don't you need to have Super Admin users as well? So that we can give
>> some role based access even to Multiple super admins.
> Yes, In the super tenant space, super tenant can have multiple
> (super)tenant admins as well as (super)tenant users.This should work
> similar to the way other tenant spaces work. In the initial step we are
> planning to create pre defined user roles in Carbon, so that at the time of
> user creation, tenant admins can select the user role.
>>>    1. Tenant(admin) creation will be moved back to the Carbon UI and
>>>    tenant user creation will be done in new Stratos UI. Tenant user
>>>    will have a set of pre-defined roles to be assigned at the user creation
>>>    time.
>>>    2. Stratos Admin will mostly use the Carbon UI to create new tenants
>>>    and will also have his own super tenant space to create new policies,
>>>    definitions, users, subscribe to cartridges etc. IaaS configuration will be
>>>    done by the Stratos admin.
>>>    3. A tenant admin will use the new UI to configure the tenant space
>>>    - this includes creation of policies, definitions and deploying them,
>>>    adding tenant users and assigning them roles.
>>>    4. A tenant user will use the  new UI to create/deploy applications
>>>    (previously referred to as subscribe) which are visible within that tenant
>>>    space.
>>> The existing permission model needs to be extended to support
>>> tenant/user level separation and
>>> REST API should provide role based access. Will update the thread with
>>> progress.
>> Are you introducing any permissions specific to Super/Tenant admin/users
>> in stratos? So that we can assign the users to relevant roles based on the
>> permissions given.
> Yes, Only Super tenant can create/delete tenants, but any tenant admin can
> deploy/edit/delete policies, cartridge definitions, partitions etc. So
> there are specific permissions for super admin/tenant, tenant admin and
> tenant user. These will ideally be user roles in carbon user management
> model.
>>> Suggestions and thoughts are welcome ..
>>> Thanks,
>> Reka
>>> Thanks,
>>> --
>>> *Lasindu Charith*
>>> Software Engineer, WSO2 Inc.
>>> Mobile: +94714427192
>>> Web:
>> --
>> Reka Thirunavukkarasu
>> Senior Software Engineer,
>> WSO2, Inc.:,
>> Mobile: +94776442007
> Thanks,
> --
> *Lasindu Charith*
> Software Engineer, WSO2 Inc.
> Mobile: +94714427192
> Web:

*Lasindu Charith*
Software Engineer, WSO2 Inc.
Mobile: +94714427192

View raw message