felix-dev mailing list archives

From Carsten Ziegeler <cziege...@apache.org>
Subject Re: [RT] Adding authorization to the web console?
Date Wed, 07 Aug 2013 10:13:14 GMT
Maybe instead of privileges we should speak about roles - this would be
aligned with the OSGi UserAdmin spec; I think we can't use the spec but we
can at least use the same concepts.

Carsten


2013/8/6 Carsten Ziegeler <cziegeler@apache.org>

> Hi,
>
> while the current web console is a great tool and has many great plugins,
> it comes with a problem: if someone has access to the console this means
> full access including performing any changes. However many use cases are
> reading/introspecting the system and seeing if something is wrong.
>
> So apart from the authentication support we have, I think we should add
> support for authorization. I'm wondering how we should do that?
>
> The simplest approach would be to distinguish between two privileges "read"
> and "write" (or however we name them), and plugins can find out whether the
> current user has these privileges and act accordingly. I'm wondering if we
> need more fine-grained privileges or more flexible ones, like allowing
> someone to modify configurations but not to change bundle states?
>
> Apart from adding the notion of a user and finding out the privileges,
> this would also mean adjusting all plugins to use this information. If this
> new security feature is enabled (by default it would be off, to keep the
> behaviour compatible with today's), the web console could simply block all POST
> requests if the user does not have the "write" privilege, and a plugin needs
> a way to override this. (In some cases a POST is used for testing, like for
> the event admin plugin, so this might be fine, etc.)
>
> WDYT?
>
> Regards
> Carsten
> --
> Carsten Ziegeler
> cziegeler@apache.org
>



-- 
Carsten Ziegeler
cziegeler@apache.org
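The mechanism proposed in the quoted mail (reject POSTs unless the user holds the "write" role, with a per-plugin opt-out) sketched as a servlet filter. This is an added illustration, not Felix web console code; the role name, the enabled switch, the opt-out set and the assumption that the plugin label is the first segment of the request path are all hypothetical.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical sketch of the proposal, not Felix code: when enabled, a POST to the
// console is rejected unless the user holds the "write" role, except for plugins
// that opt out (e.g. one that uses POST only for harmless tests). Role name, the
// "enabled" switch and the opt-out set are assumptions.
public class WriteRoleFilter implements Filter {
    static final String WRITE_ROLE = "write";     // assumed role name
    private final boolean enabled;                // off by default, as proposed
    private final Set<String> postExemptPlugins;  // plugin labels allowed to POST without "write"

    public WriteRoleFilter(boolean enabled, Set<String> postExemptPlugins) {
        this.enabled = enabled;
        this.postExemptPlugins = postExemptPlugins;
    }

    // Plugin label = first path segment under the console root (/system/console/<label>/...).
    static String pluginLabel(String pathInfo) {
        if (pathInfo == null || pathInfo.length() < 2) return "";
        String rest = pathInfo.substring(1);
        int slash = rest.indexOf('/');
        return slash < 0 ? rest : rest.substring(0, slash);
    }

    // Decision kept container-free so it can be unit tested.
    boolean allow(String method, String label, boolean hasWriteRole) {
        if (!enabled || !"POST".equalsIgnoreCase(method)) return true; // reads unaffected
        return hasWriteRole || postExemptPlugins.contains(label);     // plugin override
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        if (allow(req.getMethod(), pluginLabel(req.getPathInfo()), req.isUserInRole(WRITE_ROLE))) {
            chain.doFilter(request, response);
        } else {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "write role required");
        }
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

Gating on the HTTP method alone only holds if every plugin makes changes exclusively via POST; a plugin that mutates state on GET would bypass the filter, which is why the mail also asks plugins to consult the privilege themselves.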
