[katello-devel] - On authorization

Ivan Nečas inecas at redhat.com
Tue Aug 16 09:50:37 UTC 2011


Hi all,

I'm working on authorization for CLI and I would like to have some 
discussion about it. The current state in UI is the following (correct 
me if there are some mistakes):

The main unit for authorization is resource type (e.g. provider, 
organization) + verb (create, update, delete, read, ...). In UI, before 
each request (in before_filter) there is a check whether
the user has permission on the given verb for the given resource type. 
The resource type is derived directly from the controller. The verb is 
translated from the action name; the map for the translations is in 
Role::ACTION_TO_VERB and Role::DEFAULT_VERBS respectively.

This brings a few problems:

1. storing information about the controller in the model - may lead to 
problems, such as: we create a new action, but forget to add the translation 
to the Role model. It would be better to have it by the action.

2. the controller is tied to the resource - in API, we have the 
OrganizationController#providers action. In the current state, it would 
check permissions on the organization resource. I think permissions on the 
provider resource should be checked instead. I agree that having resource 
related actions in its controller could be better, but it's quite 
limiting sometimes.

3. checking against one resource - we might want to check e.g. whether the 
user has the right to read organization and provider for 
OrganizationController#providers. In the current implementation we can't do 
this.


Idea: Use meta-programming features in Ruby to achieve annotations - 
something like this:

   class OrganizationController < Api::ApiController

     # declare the resource+verb pairs required by the action defined next
     require_permission :providers, :read
     require_permission :organization, :read
     def providers
        # ...
     end

   end

What do you think about this approach? I've done something similar 
before, so there should not be a problem with the implementation.

It could also detect if some action is not mapped to resource+verb - 
either at start-up time or with some rake task.

Ivan.
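The annotation idea sketched in the mail, worked out as an added example (not code from the mail or from Katello): a class-level `require_permission` call is attached to the next action defined via Ruby's `method_added` hook, a before_filter-style check then requires every declared pair, and unannotated actions can be listed for the start-up or rake-task detection mentioned above. The module name `Authorizable`, the method names and the plain `OrganizationController` without the `Api::ApiController` parent are assumptions for this example.

```ruby
# Sketch of the `require_permission` annotation idea: a class-level declaration
# is attached to the next action defined, via Ruby's method_added hook.
# Module and method names are assumptions for this example, not Katello code.
module Authorizable
  def self.included(base)
    base.extend(ClassMethods)
  end
  module ClassMethods
    # Queue a resource+verb pair for the action defined next
    def require_permission(resource, verb)
      (@pending ||= []) << [resource, verb]
    end
    # Ruby calls this after every `def`; attach the queued pairs to that action
    def method_added(name)
      super
      return if @pending.nil? || @pending.empty?
      permissions_map[name] = @pending
      @pending = []
    end

    def permissions_map
      @permissions_map ||= {}
    end

    # Actions with no resource+verb mapping, for a start-up or rake-task check
    def unmapped_actions
      public_instance_methods(false) - permissions_map.keys
    end
  end

  # before_filter-style check against the user's granted [resource, verb] pairs:
  # unannotated actions fail closed, and every declared pair must be granted
  def authorized?(action, granted)
    required = self.class.permissions_map[action]
    !required.nil? && required.all? { |pair| granted.include?(pair) }
  end
end

class OrganizationController
  include Authorizable
  require_permission :providers, :read
  require_permission :organization, :read
  def providers
    :ok
  end
  def environments # deliberately left unannotated
    :ok
  end
end
```

`OrganizationController.unmapped_actions` returns `[:environments]`, which is exactly the kind of missing mapping the mail proposes catching at start-up.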




More information about the katello-devel mailing list