[katello-devel] - On authorization
Ivan Nečas
inecas at redhat.com
Tue Aug 16 09:50:37 UTC 2011
Hi all,
I'm working on authorization for the CLI and I would like to have some
discussion about it. The current state in the UI is the following (correct
me if there are some mistakes):
The main unit for authorization is resource type (e.g. provider,
organization) + verb (create, update, delete, read, ...). In the UI, before
each request (in a before_filter) there is a check whether
the user has permission on the given verb for the given resource type.
The resource type is derived directly from the controller. The verb is
translated from action name, the map for the translations is in
Role::ACTION_TO_VERB and Role::DEFAULT_VERBS respectively.
This brings a few problems:
1. storing information about the controller in the model may lead to
problems, such as: we create a new action, but forget to add the translation
to the Role model. Having it by the action would be better.
2. the controller is tied to the resource - in API, we have
OrganizationController#providers action. In current state, it would
check permissions on organization resource. I think permissions on
provider resource should be checked instead. I agree that having resource
related actions in its own controller could be better, but it's quite
limiting sometimes.
3. checking against one resource - we might want to check e.g. whether
the user has the right to read organization and provider for
OrganizationController#providers. In the current implementation we can't do
this.
Idea: Use meta-programming features in Ruby to achieve annotations -
something like this:
class OrganizationController < Api::ApiController
  require_permission :providers, :read
  require_permission :organization, :read
  def providers
    # ...
  end
end
What do you think about this approach? I've done something similar
before, so there should not be a problem with the implementation.
It could also detect if some action is not mapped to resource+verb -
either at start-up time or with some rake task.
Ivan.
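The following is an added example, not code from the post or from Katello, showing one way the annotation idea above can be implemented with Ruby's `method_added` hook: `require_permission` calls accumulate until the next action method is defined, the check before an action requires every annotated resource+verb pair to hold (problem 3), and `unmapped_actions` is the start-up/rake-task style detection of actions that carry no mapping. The `ApiController`, `User`, `NotAuthorized` and `dispatch` names are assumptions made for the example.

```ruby
# Added example (not Katello's code): a framework-free sketch of the
# annotation approach. ApiController, User, NotAuthorized and dispatch are
# assumed names; the permission data is constructed for the example.

# A user holds a set of [resource_type, verb] pairs, e.g. [:provider, :read].
class User
  attr_reader :name, :permissions
  def initialize(name, permissions)
    @name = name
    @permissions = permissions.map { |res, verb| [res.to_sym, verb.to_sym] }
  end

  def allowed?(resource, verb)
    @permissions.include?([resource.to_sym, verb.to_sym])
  end
end

class NotAuthorized < StandardError; end

class ApiController
  # Class-level DSL: require_permission calls accumulate until the next
  # action method is defined; method_added then attaches them to that action.
  def self.require_permission(resource, verb)
    @pending_permissions ||= []
    @pending_permissions << [resource.to_sym, verb.to_sym]
  end

  def self.method_added(name)
    super
    return if @pending_permissions.nil? || @pending_permissions.empty?
    permission_map[name] = @pending_permissions
    @pending_permissions = []
  end

  # Per-controller map of action name => list of [resource, verb] pairs
  def self.permission_map
    @permission_map ||= {}
  end

  # Permissions required for an action, or nil if it was never annotated
  def self.required_permissions(action)
    permission_map[action.to_sym]
  end

  # Start-up / rake-task style check: public actions with no resource+verb mapping
  def self.unmapped_actions
    (public_instance_methods(false) - permission_map.keys).sort
  end

  # Equivalent of the before_filter: every annotated permission must hold,
  # and an unannotated action is refused rather than silently allowed.
  def authorize!(user, action)
    required = self.class.required_permissions(action)
    raise NotAuthorized, "#{action}: no permission mapping" if required.nil?
    missing = required.reject { |res, verb| user.allowed?(res, verb) }
    raise NotAuthorized, "#{action}: missing #{missing.inspect}" unless missing.empty?
    true
  end

  # Run the action only after the check passes; returns the action's result.
  def dispatch(user, action)
    authorize!(user, action)
    public_send(action)
  end
end

class OrganizationController < ApiController
  # Checks against two resources for one action (problem 3 in the post)
  require_permission :organization, :read
  require_permission :provider, :read
  def providers
    [:provider_a, :provider_b] # constructed sample data
  end

  require_permission :organization, :update
  def update
    :updated
  end

  # Deliberately left without an annotation so unmapped_actions can flag it
  def unannotated
    :oops
  end
end
```

Because the pending list is reset after each method definition, an annotation can never leak onto a later action, and `unmapped_actions` can be run at boot or from a rake task to fail fast when a new action is added without its resource+verb mapping.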