directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Emmanuel Lecharny (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (FC-111) Enhance ARBAC Coverage
Date Fri, 06 May 2016 15:24:13 GMT

     [ https://issues.apache.org/jira/browse/FC-111?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Emmanuel Lecharny updated FC-111:
---------------------------------
    Fix Version/s:     (was: 1.0.0)
                   1.0.1

> Enhance ARBAC Coverage
> ----------------------
>
>                 Key: FC-111
>                 URL: https://issues.apache.org/jira/browse/FC-111
>             Project: FORTRESS
>          Issue Type: New Feature
>    Affects Versions: 1.0.0-RC42
>            Reporter: Shawn McKinney
>             Fix For: 1.0.1
>
>   Original Estimate: 40h
>  Remaining Estimate: 40h
>
> Administrative Role-Based Access Control, or ARBAC gives the capability to control authorization
on the Fortress Core APIs themselves.  To enable fortress to perform these checks, a session
must be set on the manager function before usage.  For example:
> this.adminMgr.setAdmin( SecUtils.getSession( this ) );
> setting a fortress session onto a manager impl enforces arbac checking on subsequent
apis calls:
> 1. makes sure that the caller has the permission to call the method
> 2. (in some cases) enforces the caller is entitled to perform the function for a given
organization.
> This enhancement is to expand the coverage for #2.  Currently the ou checks performed
on these calls:
> assign and deassignUser
> grant and revokePermission
> Needs to be added for:
> add, update, delete and findUser
> add, update, delete, and findPermissions
> resetPassword, unlockAccount
> The additional checks will require hooks to be inserted inside the manager flow before
the actual dao is invoked.  The exception to this rule is for the search of users and permissions
which will require additional search filters to be inserted into the query.
> for user functions enforce the caller has admin role with matching userou.
> for perm functions enforce the caller has admin role with matching permou.
> This enhancement will require additional test routines as well to verify the additional
constraints checks.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message