Added role based security to the PolicyRestrictor

[rhuss]

Currently the default acces restrictor, which is based on an XMl policy file, doesn't have any restriction on the currently connected Principal (i.e. the restrictions apply to every connected user).

Therefor the access restriction format should be extended to provide a possibility to define certain roles (and associated users with roles).

E.g.

<restrict>

  <!-- User to role mapping -->
  <users>
    <user name="joe" role="admin"/>
    <user name="nagios" role="monitor"/>
  </users>

  <!-- Role to restrict-set mapping  -->
  <role name="admin">
    <restrict ref="monitor"/>
    <restrict ref="management"/>
  </role>

  <role name="user">
    <restrict ref="monitor"/>
  </role>

  <!--  Dedicated "restrict sets" reference by a role definition  -->
  <restrict name="monitor">
    <allow>....</allow>
  </restrict>

  <restrict name="management">
    <allow>....</allow>
  </restrict>

  <!-- ================================================================= -->
  <!-- Default applying to all users which are not explicitly configured -->  
  <allow>....</allow>

</restrict>

With this scheme several indirections are configured: user-to-role, role-to-restrictset. Also, an extension like this would be backwards compatible to the current scheme.

While we are on it, a XSD schema would be nice, too.

[nevenr]

Hi,

I like your idea to enable roles, in fact they would be very useful in my current jolokia application.

On the other hand, I think users, roles and users to roles mapping do not belong logically to restriction configuration. Those mappings should be handled by some kind of authenticator (and its configuration) and simply propagate Principal (with roles) to upper layers.

Let me propose that restrictions configuration (jolokia-access.xml) has just role to restrictions mapping like this:

<restrict>
    <role name="monitor">
        <remote>
            <host>127.0.0.1</host>
        </remote>
        <http>
            <method>post</method>
        </http>
        <commands>
            <command>read</command>
            <command>list</command>
        </commands>
        <allow>
            <mbean>
                <name>java.lang:type=Memory</name>
                <operation>gc</operation>
            </mbean>
        </allow>
        <deny>
            <mbean>
                <name>com.mchange.v2.c3p0:type=PooledDataSource,*</name>
                <attribute>properties</attribute>
            </mbean>
        </deny>
    </role>

    <role name="admin">
        <remote>
            <host>127.0.0.1</host>
        </remote>
        <http>
            <method>post</method>
        </http>
        <commands>
            <command>read</command>
            <command>write</command>
            <command>list</command>
            <command>exec</command>
            <command>search</command>
        </commands>
        <allow>
            <mbean>
                <name>*</name>
            </mbean>
        </allow>
    </role>
</restrict>

Behavior needed to be defined in this cases only:

• user with no roles
• user with role that is not defined in restrictions configuration (maybe upper sub case)
• user with more than one role defined in restrictions configuration (overlap)

By the way, do you plan to introduce this feature and in which version (1.x or 2.x)? When we can expect something like this? :)

Thank you for jolokia, it is a great tool.

Regards, Neven

[rhuss]

Sorry for the super late response, just sorting things and found this issue again.

I started to work on 2.0 again (since I now can put more efforts into Jolokia) and role based security is definitely something I consider to add for 2.0 (but probably not for 1.x anymore).