rudimk
commented
9 years ago For mobile clients, we could look at client apps using an embedded JSON database, like EJDB. In that case, one has two options:
- Server clients use Redis to store policy documents, and mobile clients use an embedded JSON store instead;
- Both use embedded JSON stores.
The good part about the second option is consistency; also, unlike a Redis instance which should be monitored, an embedded JSON store like EJDB is like SQLite - drop it into your code, and that's the end of it.
All in all, I'm rather stoked about this particular method in implementing role-based AC. It does look like it will do the trick.
shreyas-satish
jace
Abstract
This is an early design proposal for an authorization system for lastuser.
Functionally, the architecture should be
So, the key idea is, we use Lastuser as a 'policy' manager. It allows you to create and manage users, groups, organizations and their permissions. And we store these permissions in a 'policy' document (we will dive deeper into policies, as we analyze scenarios). A policy is simply a JSON document that details who (groups or individual users) can perform what actions on which resources.
A client application on the other hand (eg: Funnel, Jobs) exposes an API, that details which instances are currently running, which resources (eg talks, job_postings) are available and what actions are possible. It regularly polls lastuser and stores the latest policy (on redis). When we have someone (on a client app) trying to access a resource, we run a check on the user's permissions. The way we do that is, we retrieve the policy document, filter it down to a set that is relevant to the 'current user' and assess if the user should be allowed or denied access.
Scenario 1
We want to manage the access rights to the Funnel for Droidcon '14. So, we start by creating an organization - 'HasGeek' and a group - 'Droidcon14', on lastuser. Let's say, the event's funnel is supposed to have a few event admins, a panel, speakers and viewers. A simple use case would be, for the admins on the Droidcon14 group to have access to the DroidCon14 Funnel (but only to Droidcon14).
Let's create permissions for the admins. We do this by creating a role called 'Admin'. Here's how we would set the permisssions (in a simple UI with text boxes and drop-downs):
Now, let's add some users. We can either search for existing users or add new ones. Let's 'Add' some of them to the group 'Droidcon14' and assign the role 'Admin'. Our policy document for the 'HasGeek' organization would be automatically generated would look like this:
The client application (Funnel in this case) polls lastuser every 30 seconds, and pulls down the latest policy document, and persists the document on its local Redis cluster.
When a user tries to access a resource on the Droidcon14 Funnel, we retrieve the policy from redis, search for the user in the Droidcon14 group and parse their roles. Then, we either allow or deny access to the user.
Scenario 2:
We want to create track-level admins on Droidcon14.
Let's create a role for the 'Wearables' track - 'WearablesAdmin'.
Here's how we set the permissions:
Now, we assign the role to a bunch of users similar to how we did in Scenario 1. Here's the policy document we end up with:
We then process the request to access a resource, similar to Scenario 1.
References
This spec is heavily influenced by AWS's Identity and Access Management system. AWS uses it to allow users to manage their AWS services.