shiro-user mailing list archives

From Alex opn <opn...@gmail.com>
Subject Re: Permissions on specific Objects
Date Wed, 21 Nov 2012 20:23:06 GMT
No need to say pardon for a good explanation! Thanks. I thought about
something similar and that makes it pretty clear for me : )
On Wed, Nov 21, 2012 at 5:03 PM, Jared Bunting
<jared.bunting@peachjean.com> wrote:

> Basically, yes.  The resource that we are protecting is called a
> "KnowledgeBase".  Each KnowledgeBase is owned by a particular user.
> The owner has the ability to share that KB with any other user - giving
> them read, write, or admin permissions.  So this information is all
> stored in a relational database.  Something like this (this is just to
> convey the idea..I'd have to go look at our code and schema to make
> sure it's fully functional):
>
> KB[name, owner]
> kb1, jared
> kb2, alex
>
> KBDelegations[kbName,rights,delegate]
> kb1, read, alex
> kb2, admin, jared
>
> So the doGetAuthorizationInfo in our realm will do SQL queries against
> these tables, and build up the permission list dynamically (pardon the
> pseudocode):
>
> for kbName in (SELECT name from KB where owner=userName)
>   addPermission("knowledgebase:" + kbName + ":delete")
>   addPermission("knowledgebase:" + kbName + ":query")
>   addPermission("knowledgebase:" + kbName + ":ingest")
>   addPermission("knowledgebase:" + kbName + ":configure")
>
> for kbName, rights in (SELECT kbName, rights from KBDelegations where
> delegate=userName)
>   if("admin".equals(rights))
>     addPermission("knowledgebase:" + kbName + ":delete")
>     addPermission("knowledgebase:" + kbName + ":query")
>     addPermission("knowledgebase:" + kbName + ":ingest")
>     addPermission("knowledgebase:" + kbName + ":configure")
>   else if("read".equals(rights))
>     addPermission("knowledgebase:" + kbName + ":query")
>   else if("write".equals(rights))
>     addPermission("knowledgebase:" + kbName + ":query")
>     addPermission("knowledgebase:" + kbName + ":ingest")
>
> Obviously, we use caching so that every permission query isn't hitting
> the database, but this is the general gist of it.  We have a domain
> model (knowledgebases, owners, delegates) and we map it to permissions
> that certain functionality in our codebase requires (there's actually a
> good number more permissions that get added, but I think this conveys
> the idea).
>
> -Jared
>
> On Wed 21 Nov 2012 01:50:42 AM CST, Alex opn wrote:
> > Jared, what do you mean by "generated from our domain model"? Do you
> > mean that you don't have the permissions saved in the database and
> > instead generate them at login / startup? I have to decide soon which
> > way to go for my application and so I'm interested in the possible
> > approaches.

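Jared's sketch written out as a Shiro realm, as an added example that is not code from this thread or from the Shiro project. It assumes a JDBC DataSource exposing the KB and KBDelegations tables exactly as sketched, that the Subject's primary principal is the user name string, and it leaves authentication (doGetAuthenticationInfo) to a subclass. Two things the pseudocode glosses over are made explicit: the user name is bound as a query parameter rather than concatenated into SQL, and a rights value that is not admin, write or read grants nothing.

```java
import java.sql.*;
import java.util.*;
import javax.sql.DataSource;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

/** Maps KB ownership and delegation rows to "knowledgebase:<name>:<action>" permissions. */
public abstract class KnowledgeBaseRealm extends AuthorizingRealm {
    private static final List<String> ALL = Arrays.asList("delete", "query", "ingest", "configure");
    // Owners get every action; delegates get whatever their rights column maps to.
    private static final String[] QUERIES = {
        "SELECT name, 'admin' FROM KB WHERE owner = ?",
        "SELECT kbName, rights FROM KBDelegations WHERE delegate = ?" };
    private final DataSource ds; // hypothetical JDBC DataSource holding the two tables

    protected KnowledgeBaseRealm(DataSource ds) { this.ds = ds; }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String user = (String) principals.getPrimaryPrincipal(); // assumed: user name string
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        try (Connection c = ds.getConnection()) {
            for (String sql : QUERIES) {
                // Bound parameter, never string-built SQL: the user name comes from the login.
                try (PreparedStatement ps = c.prepareStatement(sql)) {
                    ps.setString(1, user);
                    try (ResultSet rs = ps.executeQuery()) {
                        while (rs.next())
                            for (String action : actionsFor(rs.getString(2)))
                                info.addStringPermission("knowledgebase:" + rs.getString(1) + ":" + action);
                    }
                }
            }
        } catch (SQLException e) {
            throw new IllegalStateException("authorization lookup failed for " + user, e);
        }
        return info; // AuthorizingRealm caches this per principal once a CacheManager is configured
    }

    /** Rights value -> actions. Unknown or null rights grant nothing (fail closed). */
    static List<String> actionsFor(String rights) {
        if ("admin".equals(rights)) return ALL;
        if ("write".equals(rights)) return Arrays.asList("query", "ingest");
        if ("read".equals(rights))  return Collections.singletonList("query");
        return Collections.emptyList();
    }
}
```

With this realm in place, a `subject.isPermitted("knowledgebase:kb1:ingest")` check for alex against the sample rows fails (read only), while the same check for jared succeeds because he owns kb1.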