stratos-dev mailing list archives

From Lasindu Charith <lasi...@wso2.com>
Subject Re: Stratos 4.1.0 User Management and Permission Model
Date Sun, 07 Sep 2014 10:26:26 GMT
Attached the permission model for Tenant User.


On Sun, Sep 7, 2014 at 3:55 PM, Lasindu Charith <lasindu@wso2.com> wrote:

> Hi all,
>
> Please find the progress below.
>
> Carbon User Management feature was installed in p2-profile gen since we
> are including user management functionality in Stratos 4.1.0. A user role
> called 'Tenant-User' will be created with the following permissions. Tenant
> user can view Autoscaling policies, Cartridge definitions, deployment
> policies, partition definitions, service definitions, subscriptions in the
> tenant space while only having the ability to add/remove subscriptions.
>
>
> [image: Inline image 1]
>
> stratos.manager, cloud.controller and autoscaler component
> services/component.xmls were modified to include relevant permissions
> and AuthorizationActions to call particular service methods. The
> StratosAdmin REST API methods' @AuthorizationAction was changed to
> facilitate the above permission model.
>
> In the current implementation the stratos UI permissions and REST API
> permissions are handled separately. UI permissions are predefined for
> Stratos Admin and Tenant admin separately in the acl.json file. The whole
> UI permission model needs to be changed to use carbon user management and
> permissions using Jaggery, which I will be looking into next. Will be
> including a couple of REST API methods to create/delete/modify tenant users
> and roles.
>
> WIP :
> https://github.com/lasinducharith/stratos/commit/0f018ffb6d9ac33f67d568d7ff3d9688e8f45a43
>
> Thanks,
>
>
> On Mon, Sep 1, 2014 at 5:07 PM, Lasindu Charith <lasindu@wso2.com> wrote:
>
>> Hi Reka,
>>
>>
>> On Mon, Sep 1, 2014 at 4:50 PM, Reka Thirunavukkarasu <reka@wso2.com>
>> wrote:
>>
>>> Hi Lasindu
>>>
>>>
>>> On Fri, Aug 29, 2014 at 2:09 PM, Lasindu Charith <lasindu@wso2.com>
>>> wrote:
>>>
>>>> Hi devs,
>>>>
>>>> I'm in the process of extending the User Management and Permission
>>>> model for Stratos 4.1.0.
>>>> (See email discussions with following subjects : Role based access and
>>>> functionality for Stratos & Introducing tenant isolation in
>>>> policy/definition creation and usage).
>>>>
>>>> As discussed above, the proposed User/tenant Management will be as
>>>> following.
>>>>
>>>>    1. Mainly there are 3 users, Stratos Admin (Super Admin), Tenant
>>>>    Admin and the Tenant User.
>>>>
>>> Don't you need to have Super Admin users as well? So that we can give
>>> some role based access even to Multiple super admins.
>>>
>>
>> Yes, in the super tenant space, super tenant can have multiple
>> (super)tenant admins as well as (super)tenant users. This should work
>> similar to the way other tenant spaces work. In the initial step we are
>> planning to create predefined user roles in Carbon, so that at the time of
>> user creation, tenant admins can select the user role.
>>
>>>
>>>
>>>>
>>>>    1. Tenant(admin) creation will be moved back to the Carbon UI and
>>>>    tenant user creation will be done in new Stratos UI. Tenant user
>>>>    will have a set of pre-defined roles to be assigned at the user creation
>>>>    time.
>>>>    2. Stratos Admin will mostly use the Carbon UI to create new
>>>>    tenants and will also have his own super tenant space to create new
>>>>    policies, definitions, users, subscribe to cartridges etc. IaaS
>>>>    configuration will be done by the Stratos admin.
>>>>    3. A tenant admin will use the new UI to configure the tenant space
>>>>    - this includes creation of policies, definitions and deploying them,
>>>>    adding tenant users and assigning them roles.
>>>>    4. A tenant user will use the new UI to create/deploy applications
>>>>    (previously referred to as subscribe) which are visible within that tenant
>>>>    space.
>>>>
>>>> The existing permission model needs to be extended to support
>>>> tenant/user level separation and
>>>> REST API should provide role based access. Will update the thread with
>>>> progress.
>>>>
>>>
>>> Are you introducing any permissions specific to Super/Tenant admin/users
>>> in stratos? So that we can assign the users to relevant roles based on the
>>> permissions given.
>>>
>>
>> Yes, only Super tenant can create/delete tenants, but any tenant admin
>> can deploy/edit/delete policies, cartridge definitions, partitions etc. So
>> there are specific permissions for super admin/tenant, tenant admin and
>> tenant user. These will ideally be user roles in carbon user management
>> model.
>>
>>
>>>
>>>> Suggestions and thoughts are welcome ..
>>>>
>>> Thanks,
>>> Reka
>>>
>>>>
>>>> Thanks,
>>>> --
>>>> *Lasindu Charith*
>>>> Software Engineer, WSO2 Inc.
>>>> Mobile: +94714427192
>>>> Web: blog.lasindu.com
>>>>
>>>
>>>
>>>
>>> --
>>> Reka Thirunavukkarasu
>>> Senior Software Engineer,
>>> WSO2, Inc.:http://wso2.com,
>>> Mobile: +94776442007
>>>
>>>
>>>
>>
>> Thanks,
>> --
>> *Lasindu Charith*
>> Software Engineer, WSO2 Inc.
>> Mobile: +94714427192
>> Web: blog.lasindu.com
>>
>
>
>
> --
> *Lasindu Charith*
> Software Engineer, WSO2 Inc.
> Mobile: +94714427192
> Web: blog.lasindu.com
>



-- 
*Lasindu Charith*
Software Engineer, WSO2 Inc.
Mobile: +94714427192
Web: blog.lasindu.com
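
Added example, not part of the original messages or of the Stratos code base: a minimal model of the three roles described in this thread, with one deny-by-default decision function that a UI and a REST layer could both call. The permission paths, role keys and the rule that a grant on a tree node covers everything beneath it are assumptions made for illustration, not Stratos' or Carbon's real permission strings.

```python
from dataclasses import dataclass
from typing import Optional

# Resource kinds named in the thread; the spellings are hypothetical.
RESOURCES = ("autoscaling-policy", "cartridge", "deployment-policy",
             "partition", "service", "subscription")

# Hypothetical permission tree: a grant on a node covers its whole subtree.
ROLE_GRANTS = {
    # Super tenant admin: everything, including tenant create/delete.
    "stratos-admin": {"/permission"},
    # Tenant admin: view and manage inside a tenant space, no tenant lifecycle.
    "tenant-admin": {"/permission/view", "/permission/manage"},
    # Tenant user: view every resource kind, add/remove subscriptions only.
    "tenant-user": {f"/permission/view/{r}" for r in RESOURCES}
                   | {"/permission/manage/subscription/add",
                      "/permission/manage/subscription/remove"},
}


@dataclass(frozen=True)
class Caller:
    name: str
    tenant: str
    roles: tuple


def covers(grant: str, required: str) -> bool:
    """True when `grant` is `required` itself or one of its ancestors.

    Matching on whole path segments keeps '/permission/view' from
    covering a sibling such as '/permission/viewer/...'.
    """
    return required == grant or required.startswith(grant.rstrip("/") + "/")


def is_authorized(caller: Caller, required: str,
                  resource_tenant: Optional[str] = None) -> bool:
    """Deny by default; unknown roles contribute no grants."""
    # Tenant isolation first: no role reaches into another tenant space.
    if resource_tenant is not None and resource_tenant != caller.tenant:
        return False
    grants = set().union(*(ROLE_GRANTS.get(r, set()) for r in caller.roles))
    return any(covers(g, required) for g in grants)
```

Calls that are not tied to a tenant space, such as tenant creation, pass no `resource_tenant` and are decided by the grants alone.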
