Task #343
closed
Authorization Policies - design and default implementation
Added by Radek Tomiška about 7 years ago.
Updated about 7 years ago.
Category:
Authentication / Authorization
Description
Design and implement authorization model:
- design: https://proj.bcvsolutions.eu/ngidm/doku.php?id=roztridit:autorizacni_model
- AuthorizationPolicityEvaluator interface - plugable evaluator:
- relation to entity type (e.g. evaluator for identity)
- provide partial criteria query (exists clause), which could be used in search queries (e.g. return identities, which i can read) - suppose 'read' authorization policy only
- evaluate authorization policies on given entity - returns set of basic authorities (e.g. read, delete, write, start, cancel - what i can do with given entity)
- evaluators can be defined in modules
- more evaluator for one entity type will be joined by "and"
- could be disabled (e.g. core evaluator for identities could be disabled and new evaluator can be used)
- evaluator configuration - properties (e.g. tree type, node, role catalogue ...) - will be used as input properties for evaluation
- new entity AuthorizationPolicy:
- relation to role, evaluator ...
- [optional] configurable from FE - in default implementation could be prefedefined polocies and agenda could be added in the next release
- % Done changed from 0 to 70
All features from descriptions are implemented, Test, doc remain.
- Status changed from New to In Progress
- % Done changed from 70 to 80
I've added unit, integration test and documentation https://proj.bcvsolutions.eu/ngidm/doku.php?id=roztridit:autorizacni_model#implementace.
I've found some issues, what need to be done before ticket could be reviewed:
- update erd diagram
- add referential integrity to new IdmAuthorizationPolicy entity
- find only valid configured authorization policies => valid contracts and assigned roles by logged identity - add appropriate integration test
- default logged identity policies configuration
- secure authorization policy agenda itself
- Status changed from In Progress to Needs feedback
- Assignee changed from Radek Tomiška to Ondřej Kopr
- % Done changed from 80 to 90
- Assignee changed from Ondřej Kopr to Radek Tomiška
- % Done changed from 90 to 100
Check functionality on FE and execute basic process - ok,
try create role without persimision read in rest - ok,
try some disabled permision - ok,
read documentation - in documentation I haven't seen mention about permision order, but this is so clearly.
Some minnor issues:
- when choose Entity type in new permission (IdmRole) pick some Evaluator type (only for role - RoleWriteNewOnlyEvaluator) for this entity and choose another entity type, in evaluator is still evaluator for IdmRole. This isn't to be solved now,
- 403 error: use case: i have user with permission for role create. Create new role and after create i'm redirect to new created role, but i dont have permission for read this role, get error 403 and i see all detail (read only), it is indispensable to solve now?
I check so many combination with diffrent permission, authorization policies is awesome, I'm looking forward to it and someone will join to identity agenda :D.
Thank you. This task can close.
- Status changed from Needs feedback to Closed
I've fixed minor issues above and hidden sub roles editation in FE by consultation with Zdeněk (will be enabled after subroles redesign).
Also available in: Atom
PDF
