eBay / YiDB

Apache License 2.0

ACL based access #4

Open sergiiF opened 9 years ago

sergiiF commented 9 years ago

Hi, is there any description of how to set up YiDB in a 'production-like' style (if possible)? To have the REST API/Console with authorization, role-based access, etc. Thanks in advance!

zhihzhang commented 9 years ago

Hi, sergiiF

For now, we don't have ACL control in YiDB. Actually, we have ACL logic in the eBay version, but we are not ready to open source it as there are some legal issues. I hope you can understand it. Please let me know if you need any help. Thanks.

Thanks & Regards Al Zhang

sergiiF commented 9 years ago

Yep, I understand it :) But do you have any roadmap to provide some other ACL version as open source? Or maybe you have some architectural view of how it should look?

The reason I'm asking is that the YiDB solution looks really scalable, solid and flexible. We'd like to use it in production. But certainly, without ACL, CMS is not appropriate for use in PROD. We are also ready to put effort into participating in development.

zhihzhang commented 9 years ago

Sure. What kind of ACL do you need?

- Basic authentication
- Create/Update/Delete ACL
- Read ACL

Also, what ACL level do you need? Metaclass level or entity level? I will summarize a document about how we use ACL in eBay. Also, I will provide some example code if we could not open source it in time. Please stay tuned.

Thanks & Regards Al Zhang

RalphSu commented 9 years ago

@sergiiF

Just for your reference, there is an open source project, ico-topo (https://github.com/icloudobject/ico-topo), which is intended to be a data center CMDB option. The ACL is planned and will be provided soon; the ACL solution in ico-topo is to provide role-based access at class and object level.

zhihzhang commented 9 years ago

Hi, Sergiif

The ACL open source is not ready yet. I want to provide some info first to unblock your development. For now, YiDB in eBay is using token-based ACL. For your reference, Keystone could be used as a token-based system. We pass the token in the request header and use the token for authentication and authorization. You could add your own code in the YiDB resource files to provide metaclass level ACL. YiDB resources are put under cms-web-resource/com.ebay.cloud.cms.entmgr.entity.impl. To provide entity level ACL, there is an interface called com.ebay.cloud.cms.entmgr.entity.IEntityOperationCallback; it's a callback used for the entity level ACL check. It's used in the method EntityServiceValidator.checkACLInternal(). You can implement your own logic to check entity level ACL. Please let me know if you have any questions.

Thanks & Regards Al Zhang
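
The two layers described in the comment above (a token passed in the request header, a metaclass-level check, then an entity-level callback), sketched as an added example that is not part of the thread and is not YiDB or eBay code. The token table, ACL map, function names and the `X-Auth-Token` header name are assumptions; a real deployment would validate the token against a service such as Keystone instead of an in-memory table.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    user: str
    roles: frozenset

# Constructed token table standing in for a token service such as Keystone.
TOKENS = {
    "tok-admin": Principal("alice", frozenset({"admin"})),
    "tok-ops": Principal("bob", frozenset({"ops"})),
}

# Metaclass-level ACL: (metaclass, operation) -> roles allowed (constructed).
CLASS_ACL = {
    ("Server", "read"): {"admin", "ops"},
    ("Server", "update"): {"admin", "ops"},
    ("Server", "delete"): {"admin"},
}

class AccessDenied(Exception):
    pass

def authenticate(headers):
    """Resolve the request token to a principal; reject missing/unknown tokens."""
    principal = TOKENS.get(headers.get("X-Auth-Token"))
    if principal is None:
        raise AccessDenied("missing or unknown token")
    return principal

def owner_only(principal, operation, entity):
    """Hypothetical entity-level callback: non-admins may modify only their own entities."""
    if operation == "read" or "admin" in principal.roles:
        return True
    return entity.get("owner") == principal.user

def authorize(headers, metaclass, operation, entity, entity_check=owner_only):
    """Authenticate, then apply the metaclass-level ACL, then the entity-level callback."""
    principal = authenticate(headers)
    allowed = CLASS_ACL.get((metaclass, operation), set())  # unknown pairs are denied
    if not (principal.roles & allowed):
        raise AccessDenied(f"{principal.user}: {operation} on {metaclass}")
    if not entity_check(principal, operation, entity):
        raise AccessDenied(f"{principal.user}: {operation} on entity {entity.get('_oid')}")
    return principal
```
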

sergiiF commented 9 years ago

Hi, Keystone as a source for token-based authentication and authorization looks good. Probably this could be the fastest way to get YiDB with proper ACL protection. Also, it could provide 'for free' integration with LDAP and other Keystone features.