<p>Redmine Entr’ouvert</p>
<p>Authentic 2 - Development #751: Improve the manager based on RBAC (https://dev.entrouvert.org/issues/751?journal_id=18696), 2014-08-12T14:24:38Z, Benjamin Dauvergne</p>
<ul><li><strong>Patch proposed</strong> set to <i>No</i></li></ul><p>Discussion on authorization in authentic restarted thanks to current tickets <a class="issue tracker-1 status-5 priority-4 priority-default closed" title="Bug: &quot;Liberty&quot; is an obsolete term (Closed)" href="https://dev.entrouvert.org/issues/5261">#5261</a> and #4775:</p>
<p>First, my idea for an authorization framework data model:</p>
<pre>
Action = (Slug)
Permission = (Action, Object) # ex. ('login', SAML provider#01)
Role = (Name, Slug, [Permission])
UserRoleMapping = (User, Role)
GroupRoleMapping = (Group, Role)
</pre>
<p>Maybe we should refrain from defining any kind of data model and just try to create an API that allows service providers to know when they can allow login or not.</p>
Some grand goals for any authorization framework:
<ul>
<li>be as simple as possible for getting a working implementation fast, but allow extensions,</li>
<li>provide a hierarchical role model with inheritance</li>
<li>long term: allow importing the authorization model from a service provider locally, maybe not natively but by allowing multiple authorization backends to be loaded at the same time and answer authorization requests:
<ul>
<li>a backend could for example synchronize a list of distant roles so that all management can be done in authentic without having to manually recreate the role model on its side (roles from w.c.s.),</li>
<li>conversely, roles defined in authentic could be given some context and be replicated to the service provider when they are local to it.</li>
</ul></li>
</ul>
I will start here a list of authorizations that we could ask of this system:
<ul>
<li>login on service provider #04 to user/group #05</li>
<li>add attribute 'xyz' with value 'abc' to user/group #07 on service provider #02</li>
<li>manage users in group 'Administrators of service provider #05'</li>
</ul>
<p>Authentic 2 - Development #751: Improve the manager based on RBAC (https://dev.entrouvert.org/issues/751?journal_id=25126), 2015-03-06T14:33:15Z, Benjamin Dauvergne</p>
<ul><li><strong>Priority</strong> changed from <i>Normal</i> to <i>Low</i></li></ul>
<p>Authentic 2 - Development #751: Improve the manager based on RBAC (https://dev.entrouvert.org/issues/751?journal_id=25142), 2015-03-06T14:34:16Z, Benjamin Dauvergne</p>
<ul><li><strong>Related to</strong> <i><a class="issue tracker-1 status-5 priority-5 priority-high2 closed" href="/issues/6143">Bug #6143</a>: /manage : we should allow a superadmin activate is_admin</i> added</li></ul>
<p>Authentic 2 - Development #751: Improve the manager based on RBAC (https://dev.entrouvert.org/issues/751?journal_id=25144), 2015-03-06T14:35:21Z, Benjamin Dauvergne</p>
<ul><li><strong>Related to</strong> <i><a class="issue tracker-2 status-5 priority-4 priority-default closed" href="/issues/5541">Development #5541</a>: Add a page to manage providers</i> added</li></ul>
<p>Authentic 2 - Development #751: Improve the manager based on RBAC (https://dev.entrouvert.org/issues/751?journal_id=25150), 2015-03-06T14:39:07Z, Benjamin Dauvergne</p>
<ul><li><strong>Subject</strong> changed from <i>Authentic2 administration based on RBAC</i> to <i>Improve the manager based on RBAC</i></li><li><strong>Assignee</strong> changed from <i>Mikaël Ates</i> to <i>Benjamin Dauvergne</i></li><li><strong>Priority</strong> changed from <i>Low</i> to <i>High</i></li></ul>
<p>Authentic 2 - Development #751: Improve the manager based on RBAC (https://dev.entrouvert.org/issues/751?journal_id=25151), 2015-03-06T14:39:21Z, Benjamin Dauvergne</p>
<ul><li><strong>Related to</strong> <i><a class="issue tracker-1 status-6 priority-4 priority-default closed" href="/issues/5658">Bug #5658</a>: Review permission checking in the manager</i> added</li></ul>
<p>Authentic 2 - Development #751: Improve the manager based on RBAC (https://dev.entrouvert.org/issues/751?journal_id=25276), 2015-03-06T15:37:40Z, Benjamin Dauvergne</p>
<ul><li><strong>Target version</strong> changed from <i>future</i> to <i>2.1.12</i></li></ul>
<p>Authentic 2 - Development #751: Improve the manager based on RBAC (https://dev.entrouvert.org/issues/751?journal_id=25828), 2015-03-17T15:58:45Z, Benjamin Dauvergne</p>
<ul><li><strong>Target version</strong> changed from <i>2.1.12</i> to <i>2.1.13</i></li></ul>
<p>Authentic 2 - Development #751: Improve the manager based on RBAC (https://dev.entrouvert.org/issues/751?journal_id=26046), 2015-03-23T15:31:48Z, Benjamin Dauvergne</p>
<ul><li><strong>Target version</strong> changed from <i>2.1.13</i> to <i>2.2.0</i></li></ul>
<p>Authentic 2 - Development #751: Improve the manager based on RBAC (https://dev.entrouvert.org/issues/751?journal_id=28542), 2015-05-18T23:06:48Z, Benjamin Dauvergne</p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Resolved (to be deployed)</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li></ul><p>Applied in commit <a class="changeset" title="manager: rewrite manager using RBAC for authorization and limiting view of models Also add page ..." href="https://dev.entrouvert.org/projects/authentic/repository/authentic2/revisions/25ad9166a1a0367c659e858346db7f9b8b7fa3f3">authentic2|25ad9166a1a0367c659e858346db7f9b8b7fa3f3</a>.</p>
<p>Authentic 2 - Development #751: Improve the manager based on RBAC (https://dev.entrouvert.org/issues/751?journal_id=42732), 2016-02-23T11:58:00Z, Benjamin Dauvergne</p>
<ul><li><strong>Status</strong> changed from <i>Resolved (to be deployed)</i> to <i>Solution deployed</i></li></ul>
<p>Authentic 2 - Development #751: Improve the manager based on RBAC (https://dev.entrouvert.org/issues/751?journal_id=92897), 2017-12-06T14:28:16Z, Benjamin Dauvergne</p>
<ul><li><strong>Status</strong> changed from <i>Solution deployed</i> to <i>Closed</i></li></ul>
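The data model sketched in the first comment of this ticket, written out as an added Python example; it is not code from Authentic 2 or from the ticket's author. The `parents` list used for role inheritance, the group-membership table, and all slugs, user names and group names are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Permission:              # Permission = (Action, Object)
    action: str                # Action slug, e.g. 'login'
    obj: str                   # target object (constructed identifiers below)

@dataclass
class Role:                    # Role = (Name, Slug, [Permission])
    name: str
    slug: str
    permissions: set = field(default_factory=set)
    parents: list = field(default_factory=list)  # assumption: inherit from these

class Authz:
    def __init__(self):
        self.user_roles = {}   # UserRoleMapping: user -> [Role]
        self.group_roles = {}  # GroupRoleMapping: group -> [Role]
        self.user_groups = {}  # assumption: user -> [group] membership table

    def effective_roles(self, user):
        """Roles held directly, through groups, or through inheritance."""
        pending = list(self.user_roles.get(user, []))
        for group in self.user_groups.get(user, []):
            pending.extend(self.group_roles.get(group, []))
        seen = {}
        while pending:
            role = pending.pop()
            if role.slug not in seen:   # visiting once also stops cycles
                seen[role.slug] = role
                pending.extend(role.parents)
        return seen

    def is_allowed(self, user, action, obj):
        """Deny by default: True only if some effective role grants it."""
        wanted = Permission(action, obj)
        return any(wanted in r.permissions
                   for r in self.effective_roles(user).values())

def demo():
    """Constructed sample data: users, groups and slugs are made up."""
    sp = "service-provider-04"
    users = Role("SP 04 users", "sp04-users", {Permission("login", sp)})
    admins = Role("SP 04 administrators", "sp04-admins",
                  {Permission("manage-users", sp)}, parents=[users])
    authz = Authz()
    authz.user_roles["bob"] = [users]
    authz.group_roles["sp04-admin-group"] = [admins]
    authz.user_groups["alice"] = ["sp04-admin-group"]
    return authz
```

A service provider would call `is_allowed(user, 'login', provider)` before accepting a login; a user with no role mapping at all is refused.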