Closed: chombium closed this issue 6 years ago
> I think at some point (maybe after 1.0) we should enable connectivity to external authorization and device management systems. We could add adapters for different authentication and device management systems. This is important for bigger organizations with central user and device management systems. If some organization has already set up their IT infrastructure and they are managing everything centrally, we'll have to have good APIs with which they can do the integration.
I am OK with this, but what will then be the use of the Mainflux system, if device management already exists? Pure messaging?
> If I understand correctly, at the moment all of the clients connected to a channel can exchange data with each other and there is no restriction on which data can be exchanged. For some use cases it is useful that some app is allowed to read only certain data from a device. For example: if the device is a weather station which measures temperature, air pressure and humidity, a temperature monitoring app should be allowed to read. I think we should also add fine-grained permissions on the device property level.
This exists today. Whoever provisions the system takes care of this. Have in mind that the device struct is here for device management purposes (it holds the info about the device). It is the channel that is used for messaging.
In your example, in order for the app to read only the device temp, you would create a separate channel, on which the device will post only temp, and connect the app to this channel.
(A channel can even be created dynamically, and if the firmware supports it, the device can start posting new values only to the adequate channels.)
> What about the use case when one data producer (device or an app) wants to share its data with another consumer (app) in a controlled way, and the producer and the consumer are not owned by the same user? There are some permissions which define which data from the producer can be read or processed by the consumer.
I think this is a good idea, and we had in mind the possibility that one user can share his resources (devices, channels, apps) with other users. I think this can be achieved through organizations (i.e. user groups).
For me this feature would be nice to have post 1.0.
@chombium closing this issue. Please move the discussion to the #164.
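As an added example, not Mainflux's own code and not part of this thread, the following Go program models the two mechanisms the replies above rely on: one channel per measurement, so an app connected only to the temperature channel never receives humidity readings, and sharing a channel with an organization (user group), so a client owned by a different user can connect to it while every other channel stays closed to that user. All names (Broker, Connect, ShareChannel, the users alice and bob, the client and channel IDs, the messages) are constructed for this illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Client is a device or an app; Owner is the user who provisioned it.
type Client struct {
	ID    string
	Owner string
}

// Channel is the messaging primitive. Owner is the user who created it and
// SharedWith names the organizations (user groups) whose members may connect
// their own clients to it.
type Channel struct {
	ID         string
	Owner      string
	SharedWith map[string]bool
}

var ErrUnauthorized = errors.New("unauthorized")

// Broker is a toy in-memory model of channel-based authorization (constructed
// for this example, not Mainflux's implementation): being connected to a
// channel is what allows a client to publish on it and to receive from it.
type Broker struct {
	clients  map[string]Client
	channels map[string]Channel
	orgs     map[string]map[string]bool // org -> set of member users
	conns    map[string]map[string]bool // channel -> set of connected clients
	inbox    map[string][]string        // client -> messages delivered to it
}

func NewBroker() *Broker {
	return &Broker{
		clients:  map[string]Client{},
		channels: map[string]Channel{},
		orgs:     map[string]map[string]bool{},
		conns:    map[string]map[string]bool{},
		inbox:    map[string][]string{},
	}
}

func (b *Broker) AddClient(c Client) { b.clients[c.ID] = c }

func (b *Broker) AddChannel(ch Channel) {
	if ch.SharedWith == nil {
		ch.SharedWith = map[string]bool{}
	}
	b.channels[ch.ID] = ch
	b.conns[ch.ID] = map[string]bool{}
}

func (b *Broker) AddOrgMember(org, user string) {
	if b.orgs[org] == nil {
		b.orgs[org] = map[string]bool{}
	}
	b.orgs[org][user] = true
}

// ShareChannel lets only the channel's owner share it with an organization.
func (b *Broker) ShareChannel(owner, channelID, org string) error {
	ch, ok := b.channels[channelID]
	if !ok || ch.Owner != owner {
		return ErrUnauthorized
	}
	ch.SharedWith[org] = true
	return nil
}

// Connect authorizes a client on a channel: the same user owns both, or the
// channel is shared with an organization the client's owner belongs to.
func (b *Broker) Connect(clientID, channelID string) error {
	c, okC := b.clients[clientID]
	ch, okCh := b.channels[channelID]
	if !okC || !okCh {
		return errors.New("unknown client or channel")
	}
	if c.Owner != ch.Owner && !b.sharedWithUser(ch, c.Owner) {
		return ErrUnauthorized
	}
	b.conns[channelID][clientID] = true
	return nil
}

func (b *Broker) sharedWithUser(ch Channel, user string) bool {
	for org := range ch.SharedWith {
		if b.orgs[org][user] {
			return true
		}
	}
	return false
}

// Publish delivers msg to every other client connected to the channel. A
// client that is not connected to the channel can neither publish nor receive.
func (b *Broker) Publish(clientID, channelID, msg string) error {
	if !b.conns[channelID][clientID] {
		return ErrUnauthorized
	}
	for sub := range b.conns[channelID] {
		if sub != clientID {
			b.inbox[sub] = append(b.inbox[sub], msg)
		}
	}
	return nil
}

// Received returns the messages delivered to a client so far.
func (b *Broker) Received(clientID string) []string { return b.inbox[clientID] }

func main() {
	b := NewBroker()
	// alice owns the weather station, one channel per measurement, and a monitoring app.
	b.AddClient(Client{ID: "ws1", Owner: "alice"})
	b.AddClient(Client{ID: "tempmon", Owner: "alice"})
	b.AddChannel(Channel{ID: "temp", Owner: "alice"})
	b.AddChannel(Channel{ID: "humidity", Owner: "alice"})
	_ = b.Connect("ws1", "temp")
	_ = b.Connect("ws1", "humidity")
	_ = b.Connect("tempmon", "temp") // the app is connected only to the temperature channel
	_ = b.Publish("ws1", "temp", "t=21.5")
	_ = b.Publish("ws1", "humidity", "h=40")
	fmt.Println("tempmon sees:", b.Received("tempmon"))

	// bob's city-average app can join "temp" only after alice shares it with an org bob belongs to.
	b.AddClient(Client{ID: "cityavg", Owner: "bob"})
	fmt.Println("before sharing:", b.Connect("cityavg", "temp"))
	b.AddOrgMember("city", "bob")
	_ = b.ShareChannel("alice", "temp", "city")
	fmt.Println("after sharing:", b.Connect("cityavg", "temp"))
	fmt.Println("humidity stays closed:", b.Connect("cityavg", "humidity"))
}
```

The point to notice is that nothing inspects message contents: the restriction "read only the temperature" falls out of which channels a client is allowed to connect to, and sharing is granted per channel and per organization, so a user admitted to one measurement gets nothing else.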
I saw the issue #164 and that got me thinking about some enhancements to the new authentication and authorization service. So the next things are more like feature requests.
I think at some point (maybe after 1.0) we should enable connectivity to external authorization and device management systems. We could add adapters for different authentication and device management systems. This is important for bigger organizations with central user and device management systems. If some organization has already set up their IT infrastructure and they are managing everything centrally, we'll have to have good APIs with which they can do the integration.
If I understand correctly, at the moment all of the clients connected to a channel can exchange data with each other and there is no restriction on which data can be exchanged. For some use cases it is useful that some app is allowed to read only certain data from a device. For example: if the device is a weather station which measures temperature, air pressure and humidity, a temperature monitoring app should be allowed to read. I think we should also add fine-grained permissions on the device property level.
What about the use case when one data producer (device or an app) wants to share its data with another consumer (app) in a controlled way, and the producer and the consumer are not owned by the same user? There are some permissions which define which data from the producer can be read or processed by the consumer.
I understand that at the moment all the clients and the channel have to be owned by the same user so that they can share data, but in some cases it would be useful that some data can be shared between clients owned by different users. For example: in different parts of one city there are temperature sensors which are defined as separate devices, and there is a single app which calculates the mean temperature in the whole city. The devices and the app are not owned by the same user.
I know that this makes the whole authorization process much more complex, but there are some real use cases where this is needed.
What do you think about this?
Best Regards, Jovan