felix-dev mailing list archives

From Ferry Huberts <maili...@hupie.com>
Subject Re: [RT] Adding authorization to the web console?
Date Tue, 06 Aug 2013 11:44:08 GMT
It might be worth it to look at the pluggable privilege system that Drupal
has. IMHO it works very well, and fits quite well with OSGi plugin
architecture.

Also, once you talk about authorisation, you immediately also need to
think about SSL/TLS connections.

my 2 cents

On 06/08/13 13:39, Carsten Ziegeler wrote:
> Hi,
> 
> while the current web console is a great tool and has many great plugins,
> it comes with a problem: if someone has access to the console this means
> full access including performing any changes. However many use cases are
> reading/introspecting the system and seeing if something is wrong.
> 
> So apart from the authentication support we have, I think we should add
> support for authorization. I'm wondering how we should do that?
> 
> Simplest approach would be to distinguish between two privileges "read" and
> "write" (or however we name them) and plugins can find out whether the
> current user has these privileges and act accordingly. I'm wondering if we
> need more fine grained privileges or more flexible ones, like granting
> someone to modify configurations but not to change bundle states?
> 
> Apart from adding the notion of a user and finding out the privileges, this
> would also mean to adjust all plugins to use this information. If this new
> security feature is enabled (by default it would be off to have compatible
> behaviour to today), the web console could simply block all POST requests
> if the user does not have the "write" privilege and a plugin needs a way to
> override this. (In some cases a POST is used for testing like for the event
> admin plugin, so this might be fine etc.)
> 
> WDYT?
> 
> Regards
> Carsten
> 

-- 
Ferry Huberts
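
The gate proposed in the quoted message (off by default, POST blocked without the "write" privilege, plugin override for harmless POSTs), as an added sketch that is not part of the thread and not Felix code. All type and method names, the "events" label and the "/send" path are hypothetical; it also assumes every request needs "read" and goes beyond the mail by treating any non-GET/HEAD/OPTIONS method as a write.

```java
import java.util.Map;
import java.util.Set;

// Added sketch: every type and name here is hypothetical, not Felix web console API.
public class ConsoleWriteGate {
    enum Privilege { READ, WRITE }

    /** Hypothetical hook: a plugin names the POSTs it accepts without "write". */
    interface PostOverride { boolean allowsPostWithoutWrite(String pathInfo); }

    private static final Set<String> SAFE_METHODS = Set.of("GET", "HEAD", "OPTIONS");
    private final boolean enabled;                      // false = today's behaviour
    private final Map<String, PostOverride> overrides;  // keyed by plugin label

    ConsoleWriteGate(boolean enabled, Map<String, PostOverride> overrides) {
        this.enabled = enabled;
        this.overrides = overrides;
    }

    /** Decides, before the request reaches the plugin, whether it may proceed. */
    boolean isAllowed(String method, String plugin, String pathInfo, Set<Privilege> user) {
        if (!enabled) return true;                          // feature off: authenticated means full access
        if (!user.contains(Privilege.READ)) return false;   // assumption: every request needs "read"
        if (SAFE_METHODS.contains(method)) return true;
        if (user.contains(Privilege.WRITE)) return true;
        // Fail closed: only POST can be exempted, and only by the plugin that owns the path.
        PostOverride override = overrides.get(plugin);
        return "POST".equals(method) && override != null
                && override.allowsPostWithoutWrite(pathInfo);
    }

    public static void main(String[] args) {
        // Constructed sample: an "events" plugin whose /send POST only fires a test event.
        Map<String, PostOverride> overrides = Map.of("events", path -> path.equals("/send"));
        ConsoleWriteGate gate = new ConsoleWriteGate(true, overrides);
        Set<Privilege> reader = Set.of(Privilege.READ);
        Set<Privilege> admin = Set.of(Privilege.READ, Privilege.WRITE);

        System.out.println("reader GET  bundles/     " + gate.isAllowed("GET", "bundles", "/", reader));
        System.out.println("reader POST bundles/12   " + gate.isAllowed("POST", "bundles", "/12", reader));
        System.out.println("reader POST events/send  " + gate.isAllowed("POST", "events", "/send", reader));
        System.out.println("reader POST events/clear " + gate.isAllowed("POST", "events", "/clear", reader));
        System.out.println("admin  POST bundles/12   " + gate.isAllowed("POST", "bundles", "/12", admin));
        System.out.println("gate off, reader POST    "
                + new ConsoleWriteGate(false, overrides).isAllowed("POST", "bundles", "/12", reader));
    }
}
```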
