Task #343

Authorization Policies - design and default implementation

Added by Radek Tomiška about 7 years ago. Updated about 7 years ago.

Status: Closed
Priority: Normal
Assignee: Radek Tomiška
Category: Authentication / Authorization
Target version:
Start date: 03/23/2017
Due date:
% Done: 100%
Estimated time: 40.00 h
Owner:
Description

Design and implement the authorization model:
  • design: https://proj.bcvsolutions.eu/ngidm/doku.php?id=roztridit:autorizacni_model
  • AuthorizationPolicityEvaluator interface - pluggable evaluator:
    • relation to an entity type (e.g. evaluator for identity)
    • provides a partial criteria query (exists clause), which can be used in search queries (e.g. return identities which I can read) - suppose a 'read' authorization policy only
    • evaluates authorization policies on a given entity - returns a set of basic authorities (e.g. read, delete, write, start, cancel - what I can do with the given entity)
    • evaluators can be defined in modules
    • more evaluators for one entity type will be joined by "and"
    • can be disabled (e.g. the core evaluator for identities can be disabled and a new evaluator used instead)
    • evaluator configuration - properties (e.g. tree type, node, role catalogue ...) - will be used as input properties for evaluation
  • new entity AuthorizationPolicy:
    • relation to role, evaluator ...
  • [optional] configurable from the FE - in the default implementation there could be predefined policies, and the agenda could be added in the next release
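As an added illustration of the evaluator design sketched in the description (example code written for this page, not CzechIdM's own implementation), the model below has two assumed evaluators for an "identity" entity type. Each evaluator contributes an EXISTS-style SQL predicate that is merged into the search query and a per-entity permission set; a policy binds an evaluator and its properties to a role; only policies of the caller's roles with a non-disabled evaluator are active; and evaluators are joined by "and" as the description states (for the per-entity evaluation that is read here as the intersection of granted permissions, which is an assumption). The table and column names, evaluator names and the sqlite sample data are constructed for the example.

```python
import sqlite3
from dataclasses import dataclass, field
from typing import Callable

# Base permissions an evaluator can grant on one entity (assumed names).
READ, UPDATE, DELETE = "READ", "UPDATE", "DELETE"
ALL_PERMISSIONS = {READ, UPDATE, DELETE}


@dataclass
class Evaluator:
    """Pluggable evaluator bound to one entity type.
    predicate(props) -> (SQL fragment over alias 'i', bind params): the partial
    criteria (exists clause) merged into search queries.
    permissions(row, props) -> base permissions on one loaded entity."""
    name: str
    entity_type: str
    predicate: Callable
    permissions: Callable
    disabled: bool = False  # a disabled evaluator is skipped entirely


@dataclass
class AuthorizationPolicy:
    """Assignment of a configured evaluator to a role."""
    role: str
    evaluator: Evaluator
    properties: dict = field(default_factory=dict)


# Assumed evaluator 1: identities having a contract on the configured tree node.
def _node_predicate(props):
    return ("EXISTS (SELECT 1 FROM contract c WHERE c.identity_id = i.id "
            "AND c.node = ?)", [props["node"]])

def _node_permissions(row, props):
    return {READ, UPDATE} if props["node"] in row["nodes"] else set()

NODE_EVALUATOR = Evaluator("IdentityByTreeNode", "identity",
                           _node_predicate, _node_permissions)

# Assumed evaluator 2: only identities that are not disabled.
def _enabled_predicate(props):
    return ("i.disabled = 0", [])

def _enabled_permissions(row, props):
    return set(ALL_PERMISSIONS) if row["disabled"] == 0 else set()


class AuthorizationManager:
    def __init__(self, policies):
        self.policies = policies

    def active(self, entity_type, roles):
        """Policies that apply: assigned to one of the caller's roles, for this
        entity type, and whose evaluator is not disabled."""
        return [p for p in self.policies
                if p.role in roles and p.evaluator.entity_type == entity_type
                and not p.evaluator.disabled]

    def search_sql(self, entity_type, roles):
        """Search query restricted by the partial predicates joined by AND.
        No applicable policy means the query matches nothing (deny by default).
        entity_type comes from evaluator registration, never from the request."""
        clauses, params = [], []
        for p in self.active(entity_type, roles):
            sql, binds = p.evaluator.predicate(p.properties)
            clauses.append(f"({sql})")
            params.extend(binds)
        where = " AND ".join(clauses) if clauses else "0 = 1"
        return f"SELECT i.id FROM {entity_type} i WHERE {where} ORDER BY i.id", params

    def evaluate(self, entity_type, row, roles):
        """Permissions on one loaded entity: every active evaluator must grant
        a permission for it to hold (intersection)."""
        result = None
        for p in self.active(entity_type, roles):
            granted = p.evaluator.permissions(row, p.properties)
            result = granted if result is None else result & granted
        return result or set()


def build_sample_db():
    """Constructed sample data: four identities, contracts on nodes IT / HR."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript("""
        CREATE TABLE identity (id INTEGER PRIMARY KEY, username TEXT, disabled INTEGER);
        CREATE TABLE contract (id INTEGER PRIMARY KEY, identity_id INTEGER, node TEXT);
        INSERT INTO identity VALUES (1,'alice',0),(2,'bob',0),(3,'carol',1),(4,'dave',0);
        INSERT INTO contract VALUES (1,1,'IT'),(2,2,'HR'),(3,3,'IT'),(4,4,'IT'),(5,4,'HR');
    """)
    return conn

def load_identity(conn, identity_id):
    row = conn.execute("SELECT id, disabled FROM identity WHERE id = ?",
                       (identity_id,)).fetchone()
    nodes = {r[0] for r in conn.execute(
        "SELECT node FROM contract WHERE identity_id = ?", (identity_id,))}
    return {"id": row["id"], "disabled": row["disabled"], "nodes": nodes}

def build_manager(disable_enabled_evaluator=False):
    enabled = Evaluator("EnabledIdentityOnly", "identity", _enabled_predicate,
                        _enabled_permissions, disabled=disable_enabled_evaluator)
    return AuthorizationManager([
        AuthorizationPolicy("itAdmin", NODE_EVALUATOR, {"node": "IT"}),
        AuthorizationPolicy("itAdmin", enabled),
        AuthorizationPolicy("hrAdmin", NODE_EVALUATOR, {"node": "HR"}),
    ])

def readable_ids(conn, manager, roles):
    sql, params = manager.search_sql("identity", roles)
    return [r[0] for r in conn.execute(sql, params)]

def permissions_of(conn, manager, roles, identity_id):
    return manager.evaluate("identity", load_identity(conn, identity_id), roles)

def query_agrees_with_evaluation(conn, manager, roles):
    """The search predicate and the per-entity evaluation must agree on what is
    readable; otherwise lists either leak rows or hide rows the detail allows."""
    ids = [r[0] for r in conn.execute("SELECT id FROM identity ORDER BY id")]
    by_eval = [i for i in ids if READ in permissions_of(conn, manager, roles, i)]
    return readable_ids(conn, manager, roles) == by_eval
```

Two points worth carrying into a real implementation: with no applicable policy the search must return nothing rather than everything, and the query-side predicate and the entity-side evaluation of the same evaluator have to be kept in sync (the last function is that check run over the sample data).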
Actions #1

Updated by Radek Tomiška about 7 years ago

  • % Done changed from 0 to 70

All features from the description are implemented; tests and docs remain.

Actions #2

Updated by Radek Tomiška about 7 years ago

  • Status changed from New to In Progress
  • % Done changed from 70 to 80

I've added unit and integration tests and documentation: https://proj.bcvsolutions.eu/ngidm/doku.php?id=roztridit:autorizacni_model#implementace.

I've found some issues which need to be done before the ticket can be reviewed:
- update the ERD diagram
- add referential integrity to the new IdmAuthorizationPolicy entity
- find only valid configured authorization policies => valid contracts and roles assigned to the logged identity - add an appropriate integration test
- default logged identity policies configuration
- secure the authorization policy agenda itself

Actions #3

Updated by Radek Tomiška about 7 years ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Radek Tomiška to Ondřej Kopr
  • % Done changed from 80 to 90

All issues found above are implemented. Tests and docs were added: https://proj.bcvsolutions.eu/ngidm/doku.php?id=roztridit:autorizacni_model#czechidm_7_-_authorization_policies

Authorization policies are implemented on the Role and AuthorizationPolicy agendas. Other agendas (other tabs on role, identity etc.) will be implemented in other tickets.

Could you make a review and test, please?

Actions #4

Updated by Ondřej Kopr about 7 years ago

  • Assignee changed from Ondřej Kopr to Radek Tomiška
  • % Done changed from 90 to 100

Checked functionality on the FE and executed a basic process - ok,
tried to create a role without read permission in REST - ok,
tried some disabled permission - ok,
read the documentation - in the documentation I haven't seen a mention of permission order, but this is clear enough.

Some minor issues:
  • when you choose an Entity type in a new permission (IdmRole), pick some Evaluator type for this entity (only for role - RoleWriteNewOnlyEvaluator) and then choose another entity type, the evaluator for IdmRole is still selected in the evaluator field. This doesn't have to be solved now,
  • 403 error: use case: I have a user with permission for role create. I create a new role and after creation I'm redirected to the newly created role, but I don't have permission to read this role, so I get a 403 error and yet I see all details (read only). Is it indispensable to solve this now?

I checked so many combinations with different permissions; authorization policies are awesome, I'm looking forward to it and to someone joining it to the identity agenda :D.
Thank you. This task can be closed.

Actions #5

Updated by Radek Tomiška about 7 years ago

  • Status changed from Needs feedback to Closed

I've fixed the minor issues above and hidden sub-role editing in the FE after consultation with Zdeněk (it will be enabled after the sub-roles redesign).
