[katello-devel] - On authorization

Partha Aji paji at redhat.com
Wed Aug 17 02:53:18 UTC 2011 


----- Original Message -----
> From: "Partha Aji" <paji at redhat.com>
> To: "Ivan Nečas" <inecas at redhat.com>
> Cc: katello-devel at redhat.com
> Sent: Tuesday, August 16, 2011 10:43:28 PM
> Subject: Re: [katello-devel] - On authorization
> ----- Original Message -----
> > From: "Ivan Nečas" <inecas at redhat.com>
> > To: "Bryan Kearney" <bkearney at redhat.com>
> > Cc: katello-devel at redhat.com
> > Sent: Tuesday, August 16, 2011 11:42:33 AM
> > Subject: Re: [katello-devel] - On authorization
> > On 08/16/2011 04:43 PM, Bryan Kearney wrote:
> > > On 08/16/2011 09:34 AM, Ivan Nečas wrote:
> > >> On 08/16/2011 02:53 PM, Bryan Kearney wrote:
> > >>> On 08/16/2011 05:50 AM, Ivan Nečas wrote:
> > >>>> Hi all,
> > >>>>
> > >>>> I'm working on authorization for CLI and I would like to make
> > >>>> some
> > >>>> discussion about it. The current state in UI is the following
> > >>>> (correct
> > >>>> me, if there are some mistakes):
> > >>>>
> > >>>> The main unit for authorization is resource type (e.g.
> > >>>> provider,
> > >>>> organization) + verb (create, update, delete, read,...). In UI,
> > >>>> before
> > >>>> each request (in before_filter) there is check, whether
> > >>>> the user has permission on the given verb for the given
> > >>>> resource
> > >>>> type.
> > >>>> The resource type is derived directly from the controller. The
> > >>>> verb is
> > >>>> translated from action name, the map for the translations is in
> > >>>> Role::ACTION_TO_VERB and Role::DEFAULT_VERBS respectively.
> > >>>
> > >>> This was the original plan... a simply applicatoin of type to
> > >>> and
> > >>> verb
> > >>> However, I believe the work that Justin and Partha did brought
> > >>> the
> > >>> level up. So.. we still have types and verbs, however things
> > >>> like
> > >>> "creating an environment" would be governed by the ability to
> > >>> modify
> > >>> the org.
> > >>>
> > >>>>
> > >>>> This brings few problems:
> > >>>>
> > >>>> 1. storing information about controller in the model - may lead
> > >>>> to
> > >>>> problems, such as: we create new action, but forget to add
> > >>>> translation
> > >>>> to Role model. To have it by the action would be better
> > >>>>
> > >>>> 2. the controller is tied to the resource - in API, we have
> > >>>> OrganizationController#providers action. In current state, it
> > >>>> would
> > >>>> check permissions on organization resource. I think permissions
> > >>>> on
> > >>>> provider resource should be checked instead. I agree that have
> > >>>> resource
> > >>>> related actions in it's controller could be better, but it's
> > >>>> quite
> > >>>> limiting sometimes.
> > >>>
> > >>> see above on this, I believe we are looking towards a smaller
> > >>> set
> > >>> of
> > >>> coarse grained checks.
> > >>>
> > >>>>
> > >>>> 3. checking against one resource - we might want to check e.g.
> > >>>> wheter
> > >>>> user has right to read organization and provider for
> > >>>> OrganizationController#providers. In current implementation we
> > >>>> can't do
> > >>>> this.
> > >>>>
> > >>>>
> > >>>> Idea: Use meta-programming features in Ruby, to achieve
> > >>>> annotations -
> > >>>> something, like this:
> > >>>>
> > >>>> OrganizizationController < Api::ApiController
> > >>>>
> > >>>> require_permission :providers, :read
> > >>>> require_permission :organization, :read
> > >>>> def providers
> > >>>> # ...
> > >>>> end
> > >>>>
> > >>>> end
> > >>>>
> > >>>> What do you think about this approach? I've done something
> > >>>> similar
> > >>>> before, so there should not be problem with the implementation.
> > >>>
> > >>> I would be fine with this if it allows us the granularity we
> > >>> need.
> > >>>
> > >>>>
> > >>>> It could also detect, if some action is not mapped to
> > >>>> resource+verb -
> > >>>> either on the start-up time or with some rake task.
> > >>>>
> > >>>
> > >>> -- bk
> > >> Ok, thanks for update info - my thoughts were based on the master
> > >> branch, but there is a roles-ui branch I haven't notice before,
> > >> where
> > >> the situation is quite different. I will discuss with Justin the
> > >> best
> > >> approach. Anyway, the DSL can be compatible with the updated work
> > >> as
> > >> well, so the granularity would be preserved.
> > >>
> > >> Ivan
> > >>
> > > Putting my schedule cap on. Simple is good :)
> > >
> > > --bk
> > >
> >
> > Ok, I've put a possible solution to origin/roles-cli. The only think
> > it
> > needs in the controller is
> >
> > include ActionAuthRules
> >
> > and before given action:
> >
> > add_auth_rule(:providers, :read, :organizations)
> > add_auth_rule(:providers) { Provider.any_readable?(@organization) }
> > def providers
> > # ...
> > end
> >
> > You can add more rules - all rules must satisfy to be authorized.
> > You can use block, or allowed_to?-like arguments for each rule.
> >
> > Any objections to this approach?
> >
> > -- Ivan
> >
> >
> > _______________________________________________
> > katello-devel mailing list
> > katello-devel at redhat.com
> > https://www.redhat.com/mailman/listinfo/katello-devel
> 
> 
> Your approach sound interesting but I don't see your branch in
> katello.git.
> Check if you have pushed your changes on to the remote branch and let
> me know..
> 
> Partha
> 
> _______________________________________________
> katello-devel mailing list
> katello-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/katello-devel

Also if you looked at the roles-ui branch. One of the ideas is to actually loading an object 
before you ask if its readable by the user. look at the rules method of
http://git.fedorahosted.org/git/?p=katello.git;a=blob;f=src/app/controllers/providers_controller.rb;h=9c0c32d19d55c32e7bbe9705566c8847566df0a0;hb=roles-ui
 
  read_test = lambda{@provider.readable?}

The read_test assumes that the provider instance is loaded before asking if its readable by the current user. 
And that instance gets loaded in find_provider filter call. What I am trying to ask/suggest is that
the rules check must happen after the find_provider call happens (I don't know if thats is possible with your approach).
May be its no biggie. May be we can do something like

add_auth_rule(:providers,:read) { p = Provider.find(params[:id]); p.readable?}

Anyway let me know once you push your branch..

Partha

More information about the katello-devel mailing list