felix-dev mailing list archives

From Carsten Ziegeler <cziege...@apache.org>
Subject [RT] Adding authorization to the web console?
Date Tue, 06 Aug 2013 11:39:31 GMT
Hi,

while the current web console is a great tool and has many great plugins,
it comes with a problem: if someone has access to the console this means
full access including performing any changes. However, many use cases are
reading/introspecting the system and seeing if something is wrong.

So apart from the authentication support we have, I think we should add
support for authorization. I'm wondering how we should do that?

Simplest approach would be to distinguish between two privileges "read" and
"write" (or however we name them) and plugins can find out whether the
current user has these privileges and act accordingly. I'm wondering if we
need more fine-grained privileges or more flexible ones, like granting
someone to modify configurations but not to change bundle states?

Apart from adding the notion of a user and finding out the privileges, this
would also mean adjusting all plugins to use this information. If this new
security feature is enabled (by default it would be off to have compatible
behaviour to today), the web console could simply block all POST requests
if the user does not have the "write" privilege and a plugin needs a way to
override this. (In some cases a POST is used for testing like for the event
admin plugin, so this might be fine etc.)

WDYT?

Regards
Carsten
-- 
Carsten Ziegeler
cziegeler@apache.org
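
One way to implement the POST blocking described in this message, as an added example that is not part of the original post and not Felix code: a plain servlet filter, off by default, that rejects POSTs from users without the "write" privilege unless the target plugin opts out. Exposing "write" as a container role, the class name, the opt-out set and the path-to-label mapping are all assumptions.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter placed in front of the console servlet. */
public class ReadOnlyConsoleFilter implements Filter {
    private final boolean enabled;               // false keeps today's behaviour
    private final Set<String> postSafePlugins;   // plugin labels that override the block

    public ReadOnlyConsoleFilter(boolean enabled, Set<String> postSafePlugins) {
        this.enabled = enabled;
        this.postSafePlugins = postSafePlugins;
    }

    /** Pure decision function, kept separate so it can be unit tested. */
    static boolean permitted(boolean enabled, String method,
                             boolean canWrite, boolean pluginOverrides) {
        if (!enabled) return true;                           // feature switched off
        if (!"POST".equalsIgnoreCase(method)) return true;   // only POST is treated as a write
        return canWrite || pluginOverrides;
    }

    /** Assumption: the first path segment after the console root is the plugin label. */
    static String pluginLabel(String pathInfo) {
        if (pathInfo == null || pathInfo.length() < 2) return "";
        int end = pathInfo.indexOf('/', 1);
        return end < 0 ? pathInfo.substring(1) : pathInfo.substring(1, end);
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        boolean override = postSafePlugins.contains(pluginLabel(req.getPathInfo()));
        // Assumption: the "write" privilege is mapped to a container role of that name.
        if (!permitted(enabled, req.getMethod(), req.isUserInRole("write"), override)) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN, "write privilege required");
            return;                                          // request never reaches the plugin
        }
        chain.doFilter(rq, rs);
    }
}
```

Enforcing the check in front of the plugins means a plugin that was never adjusted still cannot be used to make changes; only plugins listed in the opt-out set accept POSTs from read-only users.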
