[katello-devel] - On authorization

Ivan Nečas inecas at redhat.com
Tue Aug 16 13:34:49 UTC 2011


On 08/16/2011 02:53 PM, Bryan Kearney wrote:
> On 08/16/2011 05:50 AM, Ivan Nečas wrote:
>> Hi all,
>>
>> I'm working on authorization for the CLI and I would like to have some
>> discussion about it. The current state in the UI is the following (correct
>> me if there are some mistakes):
>>
>> The main unit for authorization is a resource type (e.g. provider,
>> organization) + verb (create, update, delete, read, ...). In the UI, before
>> each request (in before_filter) there is a check whether
>> the user has permission on the given verb for the given resource type.
>> The resource type is derived directly from the controller. The verb is
>> translated from the action name; the map for the translations is in
>> Role::ACTION_TO_VERB and Role::DEFAULT_VERBS respectively.
>
> This was the original plan... a simple application of type and verb.
> However, I believe the work that Justin and Partha did brought the 
> level up. So.. we still have types and verbs, however things like 
> "creating an environment" would be governed by the ability to modify 
> the org.
>
>>
>> This brings a few problems:
>>
>> 1. storing information about the controller in the model - may lead to
>> problems, such as: we create a new action, but forget to add the translation
>> to the Role model. To have it by the action would be better.
>>
>> 2. the controller is tied to the resource - in API, we have
>> OrganizationController#providers action. In current state, it would
>> check permissions on organization resource. I think permissions on
>> provider resource should be checked instead. I agree that having resource
>> related actions in its controller could be better, but it's quite
>> limiting sometimes.
>
> see above on this, I believe we are looking towards a smaller set of 
> coarse grained checks.
>
>>
>> 3. checking against one resource - we might want to check e.g. whether
>> the user has the right to read organization and provider for
>> OrganizationController#providers. In current implementation we can't do
>> this.
>>
>>
>> Idea: Use meta-programming features in Ruby to achieve annotations -
>> something like this:
>>
>> class OrganizationController < Api::ApiController
>>
>>   require_permission :providers, :read
>>   require_permission :organization, :read
>>   def providers
>>     # ...
>>   end
>>
>> end
>>
>> What do you think about this approach? I've done something similar
>> before, so there should not be a problem with the implementation.
>
> I would be fine with this if it allows us the granularity we need.
>
>>
>> It could also detect if some action is not mapped to a resource+verb -
>> either at start-up time or with some rake task.
>>
>
> -- bk
Ok, thanks for the updated info - my thoughts were based on the master 
branch, but there is a roles-ui branch I hadn't noticed before, where 
the situation is quite different. I will discuss with Justin the best 
approach. Anyway, the DSL can be compatible with the updated work as 
well, so the granularity would be preserved.

Ivan

-- 
Regards,

  Ivan Necas
  RHN Satellite Engineering
  Red Hat Czech s.r.o. Brno
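
A minimal sketch of the annotation idea proposed in this message, together with the check for actions that have no resource+verb mapping. It is an added example, not Katello code or the author's implementation. `PermissionDsl`, `permission_map`, `unmapped_actions` and `authorized?` are hypothetical names, the controller is a plain class rather than an `Api::ApiController` subclass, and denying undeclared actions is an assumption of this example.

```ruby
# Added example, not Katello code. All names except require_permission are hypothetical.
module PermissionDsl
  # action name => [[resource_type, verb], ...]
  def permission_map
    @permission_map ||= {}
  end

  # Queue a pair; it is attached to the next action defined with `def`.
  def require_permission(resource_type, verb)
    (@pending ||= []) << [resource_type, verb]
  end

  # Ruby calls this hook on the class after every `def` in its body.
  def method_added(action)
    super
    permission_map[action] = @pending if @pending && !@pending.empty?
    @pending = []
  end

  # Public actions with no declaration: the start-up or rake-task check.
  def unmapped_actions
    public_instance_methods(false) - permission_map.keys
  end

  # What a before_filter would ask. `granted` is the user's list of pairs.
  # Assumption: an action with no declared pairs is denied.
  def authorized?(action, granted)
    needed = permission_map.fetch(action, [])
    !needed.empty? && needed.all? { |pair| granted.include?(pair) }
  end
end

# Plain class standing in for an Api::ApiController subclass.
class OrganizationController
  extend PermissionDsl

  require_permission :providers, :read
  require_permission :organization, :read
  def providers; end

  def destroy; end # declaration forgotten
end

reader = [[:organization, :read]] # constructed sample grants
puts "unmapped: #{OrganizationController.unmapped_actions.inspect}"
puts "providers allowed: #{OrganizationController.authorized?(:providers, reader)}"
```

Because the declaration sits directly above the action, a forgotten mapping shows up in `unmapped_actions` and is refused by `authorized?` instead of silently inheriting a controller-wide default.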



