Posted to fortress@directory.apache.org by "Oleksandr Bodriagov (Polystar)" <ol...@polystar.com> on 2015/04/20 15:01:32 UTC

Apache Fortress REST API

Hi,

I have a question concerning Fortress' REST API. The only example I have
found is "EmTest.java" in directory-fortress-enmasse.
Our use case is as follows. We have a few RESTful web services to which we
would like to control access using Fortress + LDAP with users/groups and
our own OAuth2.0 token provider/access control server. Our permissions in
this case would be something like:
  - read data from https://server1.com/whateever
  - modify report at https://server2.com/profile/whatever
  - read report at https://server2.com/profile/whatever
 
So, we have operations {read, modify, delete, …} and objects
{https://server1.com/whateever, https://server2.com/profile/whatever, …}.
Our token provider receives a request for the OAuth token that represents
permissions of the requesting user. To answer this question, the token
provider, using a fortress-rest-user account, should authenticate the
requesting user (using this user's username/password) against Fortress and
then get user permissions from Fortress using REST API.
How can it be done? I have found HttpIds.PERM_READ, HttpIds.USER_READ. Am
I on the right track?
AccessMgrRestImpl seems to be doing what we need, but what do the
corresponding HTTP requests look like?
I would be really grateful for any help.

Best regards,
Oleksandr



Re: [Bulk] [Bulk] Apache Fortress REST API

Posted by Shawn McKinney <sm...@apache.org>.
Here is trace of sessionPermissions request/response:

https://paste.apache.org/m3EA

Shawn
smckinney@apache.org



> On Apr 20, 2015, at 9:03 AM, Shawn McKinney <sm...@apache.org> wrote:
> 
> 
>> On Apr 20, 2015, at 8:01 AM, Oleksandr Bodriagov (Polystar) <ol...@polystar.com> wrote:
>> 
>> I have a question concerning Fortress' REST API. The only example I have
>> found is "EmTest.java" in directory-fortress-enmasse.
>> Our use case is as follows. We have a few RESTful web services to which we
>> would like to control access using Fortress + LDAP with users/groups and
>> our own OAuth2.0 token provider/access control server. Our permissions in
>> this case would be something like:
>> - read data from https://server1.com/whateever
>> - modify report at https://server2.com/profile/whatever
>> - read report at https://server2.com/profile/whatever
>> 
>> So, we have operations {read, modify, delete, …} and objects
>> {https://server1.com/whateever, https://server2.com/profile/whatever, …}.
>> Our token provider receives a request for the OAuth token that represents
>> permissions of the requesting user. To answer this question, the token
>> provider, using a fortress-rest-user account, should authenticate the
>> requesting user (using this user's username/password) against Fortress and
>> then get user permissions from Fortress using REST API.
>> How can it be done? I have found HttpIds.PERM_READ, HttpIds.USER_READ. Am
>> I on the right track?
>> AccessMgrRestImpl seems to be doing what we need, but what do the
>> corresponding HTTP requests look like?
>> I would be really grateful for any help.
> 
> Hello Oleksandr,
> 
> To get all permissions for a particular user call sessionPermissions.  This returns a collection of all permissions for the user’s activated role set.
> 
> To check a single permission for a particular user call checkAccess.  This simply returns true or false.
> 
> Both require sending the session object document that was returned on createSession.  
> 
> I can anticipate the need to enhance this interaction by allowing the rest server to hold onto the user’s rbac session for a configurable amount of time.  This would make things easier on the client at the expense of requiring the server to be stateful.  Will speed things up on throughput while making the server-side heavier with memory.  WDYT?
> 
> Shawn
> smckinney@apache.org
> 


Re: Re: [Bulk] [Bulk] Apache Fortress REST API

Posted by Shawn McKinney <sm...@apache.org>.
> On Apr 20, 2015, at 9:57 AM, Oleksandr Bodriagov (Polystar) <ol...@polystar.com> wrote:
> 
> Hi Shawn,
> 
> Thank you very much for your answer! I think I get it now more or less.
> Please correct me if I am wrong.
> 1) I make a POST request to URL =
> "http://<server>:<port>/fortress-rest-1.0-RC40-SNAPSHOT/rbacCreate" with
> "createSession.xml" that looks like
> <FortRequest>
>    <contextId>HOME</contextId>
>    <entity xsi:type="user"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>    <userId>someuser</userId>
>    <password>userpwd</password>
>    </entity>
>   </FortRequest>
> 
> As a response I get the session object document that describes a session
> for the user defined in "createSession.xml" if and only if this user was
> successfully authenticated.
> 

Correct.  Failure will return something like this:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Date: Mon, 20 Apr 2015 14:53:40 GMT
Content-Type: application/xml
Content-Length: 435

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
   <FortResponse>
      <errorCode>1005</errorCode>
      <errorMessage>getUser userId [jutsuser1] not found, Fortress rc=1005</errorMessage>
      <entity xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/>
      <isAuthorized xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/>
      <session xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/>
   </FortResponse>



> On Apr 20, 2015, at 9:57 AM, Oleksandr Bodriagov (Polystar) <ol...@polystar.com> wrote:
> 
> 2) Using the session object document, I make another POST request to URL =
> "http://<server>:<port>/fortress-rest-1.0-RC40-SNAPSHOT/rbacPerms" and get
> back a document describing all permissions for the user.
> 
> After getting all permissions for the user from Fortress, OAuth2.0 token
> provider creates a self-contained digitally signed JSON Web token that
> describes all user's permissions and that is valid for some period of
> time. This token is returned to the client, and client can use it (until
> it expires) to access different resource servers.
> 
> I think, in this case, we do not really have troubles with throughput
> because the client will ask for a new token only after the current token
> expires. It would be different if we were doing steps (1)+(2) every time a
> client requested some resource from a resource server. By the way, how
> many (1)+(2) requests can Fortress handle at the same time?
> 

Theoretically unlimited but in practice you will be bound by the HTTP server’s (tomcat) ability to process concurrent threads, and of course the server’s ability to do the xml serialization/deserialization.  I doubt we will come close to maxing the ldap server.  What is the max number of concurrent connections to Tomcat?  I’d think that number quite high.

It would be a good idea to benchmark this.  I have the jmeter test cases, just need to run them.  I’ll try to get around that in the next week or two.


> On Apr 20, 2015, at 9:57 AM, Oleksandr Bodriagov (Polystar) <ol...@polystar.com> wrote:
> 
> Is it possible to have definitions of users&groups on one LDAP server and
> definition of roles/permissions/objects on another LDAP server?

Today, no.  Tomorrow anything is possible.  This isn’t the first time I have been asked a question like this so it is worth considering adding as future enhancement.  

Shawn
smckinney@apache.org

Re: [Bulk] Apache Fortress REST API

Posted by "Oleksandr Bodriagov (Polystar)" <ol...@polystar.com>.
Hi Shawn,

Thank you very much for your answer! I think I get it now more or less.
Please correct me if I am wrong.
1) I make a POST request to URL =
"http://<server>:<port>/fortress-rest-1.0-RC40-SNAPSHOT/rbacCreate" with
"createSession.xml" that looks like
<FortRequest>
    <contextId>HOME</contextId>
    <entity xsi:type="user"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <userId>someuser</userId>
    <password>userpwd</password>
    </entity>
   </FortRequest>

As a response I get the session object document that describes a session
for the user defined in "createSession.xml" if and only if this user was
successfully authenticated.

2) Using the session object document, I make another POST request to URL =
"http://<server>:<port>/fortress-rest-1.0-RC40-SNAPSHOT/rbacPerms" and get
back a document describing all permissions for the user.

After getting all permissions for the user from Fortress, OAuth2.0 token
provider creates a self-contained digitally signed JSON Web token that
describes all user's permissions and that is valid for some period of
time. This token is returned to the client, and client can use it (until
it expires) to access different resource servers.

I think, in this case, we do not really have troubles with throughput
because the client will ask for a new token only after the current token
expires. It would be different if we were doing steps (1)+(2) every time a
client requested some resource from a resource server. By the way, how
many (1)+(2) requests can Fortress handle at the same time?

Is it possible to have definitions of users&groups on one LDAP server and
definition of roles/permissions/objects on another LDAP server?

/Oleksandr

On 20/4/2015 16:03 , "Shawn McKinney" <sm...@apache.org> wrote:

>
>> On Apr 20, 2015, at 8:01 AM, Oleksandr Bodriagov (Polystar)
>> <ol...@polystar.com> wrote:
>> 
>> I have a question concerning Fortress' REST API. The only example I have
>> found is "EmTest.java" in directory-fortress-enmasse.
>> Our use case is as follows. We have a few RESTful web services to which we
>> would like to control access using Fortress + LDAP with users/groups and
>> our own OAuth2.0 token provider/access control server. Our permissions in
>> this case would be something like:
>>  - read data from https://server1.com/whateever
>>  - modify report at https://server2.com/profile/whatever
>>  - read report at https://server2.com/profile/whatever
>> 
>> So, we have operations {read, modify, delete, …} and objects
>> {https://server1.com/whateever, https://server2.com/profile/whatever, …}.
>> Our token provider receives a request for the OAuth token that represents
>> permissions of the requesting user. To answer this question, the token
>> provider, using a fortress-rest-user account, should authenticate the
>> requesting user (using this user's username/password) against Fortress and
>> then get user permissions from Fortress using REST API.
>> How can it be done? I have found HttpIds.PERM_READ, HttpIds.USER_READ. Am
>> I on the right track?
>> AccessMgrRestImpl seems to be doing what we need, but what do the
>> corresponding HTTP requests look like?
>> I would be really grateful for any help.
>
> Hello Oleksandr,
>
> To get all permissions for a particular user call sessionPermissions.
> This returns a collection of all permissions for the user's activated
> role set.
>
> To check a single permission for a particular user call checkAccess.
> This simply returns true or false.
>
> Both require sending the session object document that was returned on
> createSession.
>
> I can anticipate the need to enhance this interaction by allowing the
> rest server to hold onto the user's rbac session for a configurable
> amount of time.  This would make things easier on the client at the
> expense of requiring the server to be stateful.  Will speed things up on
> throughput while making the server-side heavier with memory.  WDYT?
>
> Shawn
> smckinney@apache.org
>


Re: [Bulk] Apache Fortress REST API

Posted by Shawn McKinney <sm...@apache.org>.
> On Apr 20, 2015, at 8:01 AM, Oleksandr Bodriagov (Polystar) <ol...@polystar.com> wrote:
> 
> I have a question concerning Fortress' REST API. The only example I have
> found is "EmTest.java" in directory-fortress-enmasse.
> Our use case is as follows. We have a few RESTful web services to which we
> would like to control access using Fortress + LDAP with users/groups and
> our own OAuth2.0 token provider/access control server. Our permissions in
> this case would be something like:
>  - read data from https://server1.com/whateever
>  - modify report at https://server2.com/profile/whatever
>  - read report at https://server2.com/profile/whatever
> 
> So, we have operations {read, modify, delete, …} and objects
> {https://server1.com/whateever, https://server2.com/profile/whatever, …}.
> Our token provider receives a request for the OAuth token that represents
> permissions of the requesting user. To answer this question, the token
> provider, using a fortress-rest-user account, should authenticate the
> requesting user (using this user's username/password) against Fortress and
> then get user permissions from Fortress using REST API.
> How can it be done? I have found HttpIds.PERM_READ, HttpIds.USER_READ. Am
> I on the right track?
> AccessMgrRestImpl seems to be doing what we need, but what do the
> corresponding HTTP requests look like?
> I would be really grateful for any help.

Hello Oleksandr,

To get all permissions for a particular user call sessionPermissions.  This returns a collection of all permissions for the user’s activated role set.

To check a single permission for a particular user call checkAccess.  This simply returns true or false.

Both require sending the session object document that was returned on createSession.  

I can anticipate the need to enhance this interaction by allowing the rest server to hold onto the user’s rbac session for a configurable amount of time.  This would make things easier on the client at the expense of requiring the server to be stateful.  Will speed things up on throughput while making the server-side heavier with memory.  WDYT?

Shawn
smckinney@apache.org
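The two-step exchange discussed in this thread (Oleksandr's createSession then rbacPerms sequence, and Shawn's sessionPermissions versus checkAccess answer), written out as an added client example. This is not Fortress project code and not the EmTest.java the original post mentions. Only rbacCreate and rbacPerms and the FortRequest/FortResponse documents come from the thread; the rbacAuthZ endpoint name for checkAccess, the `<entities><entity xsi:type="permission">` shape of the permissions response, HTTP Basic authentication for the fortress-rest service account, and the whole offline stand-in server (users, passwords, granted permissions, session ids) are assumptions or constructed values. The rc=1005 error document is the one Shawn pasted, reduced to the elements the client reads.

```python
"""Fortress REST flow from the thread: createSession (rbacCreate), then sessionPermissions
(rbacPerms) or checkAccess with the returned session document. Added example, not Fortress code."""
import base64
import urllib.request
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"
NIL, TYPE = f"{{{XSI}}}nil", f"{{{XSI}}}type"
# rbacCreate and rbacPerms are named in the thread; rbacAuthZ for checkAccess is assumed.
RBAC_CREATE, RBAC_PERMS, RBAC_AUTHZ = "rbacCreate", "rbacPerms", "rbacAuthZ"


class FortressError(Exception):
    """Non-zero errorCode in a FortResponse, e.g. rc=1005 'userId not found'."""
    def __init__(self, code, message):
        super().__init__(f"Fortress rc={code}: {message}")
        self.code = code


def build_request(context_id, entity=None, session=None):
    """Serialise a FortRequest. entity = (xsi:type, {child: text}); session = the element
    returned by createSession, sent back unmodified as the thread describes."""
    req = ET.Element("FortRequest")
    ET.SubElement(req, "contextId").text = context_id
    if entity:
        ent = ET.SubElement(req, "entity", {TYPE: entity[0]})
        for name, value in entity[1].items():
            ET.SubElement(ent, name).text = value
    if session is not None:
        req.append(session)
    return ET.tostring(req, encoding="utf-8", xml_declaration=True)


def parse_response(body):
    """The errorCode decides success, not the HTTP status: the thread shows a failed
    createSession arriving as HTTP 200 with errorCode 1005."""
    resp = ET.fromstring(body)
    code = int(resp.findtext("errorCode", default="0"))
    if code != 0:
        raise FortressError(code, resp.findtext("errorMessage", default=""))
    return resp


class FortressClient:
    def __init__(self, post, context_id="HOME"):
        self.post, self.context_id = post, context_id  # post(endpoint, body) -> response bytes

    def create_session(self, user_id, password):
        body = build_request(self.context_id, ("user", {"userId": user_id, "password": password}))
        session = parse_response(self.post(RBAC_CREATE, body)).find("session")
        if session is None or session.get(NIL) == "true":
            raise FortressError(-1, "response carried no session")
        return session

    def session_permissions(self, session):
        """sessionPermissions: all (objName, opName) pairs granted through the session's active
        roles. The <entities><entity xsi:type="permission"> response shape is assumed."""
        resp = parse_response(self.post(RBAC_PERMS, build_request(self.context_id, session=session)))
        return sorted((e.findtext("objName"), e.findtext("opName"))
                      for e in resp.iter("entity") if e.findtext("objName"))

    def check_access(self, session, obj_name, op_name):
        """checkAccess: one yes/no decision for a single permission."""
        perm = ("permission", {"objName": obj_name, "opName": op_name})
        resp = parse_response(self.post(RBAC_AUTHZ, build_request(self.context_id, perm, session)))
        return resp.findtext("isAuthorized") == "true"


def http_transport(base_url, rest_user, rest_password):
    """Real transport: POST to <base_url>/<endpoint> as the fortress-rest service account.
    HTTP Basic for that account is an assumption about how the REST server is protected."""
    token = base64.b64encode(f"{rest_user}:{rest_password}".encode()).decode()
    def post(endpoint, body):
        req = urllib.request.Request(f"{base_url}/{endpoint}", data=body, method="POST",
            headers={"Content-Type": "application/xml", "Authorization": f"Basic {token}"})
        with urllib.request.urlopen(req) as r:
            return r.read()
    return post


# --- constructed offline stand-in for the REST server; not real server output ---
GRANTED = {("https://server1.com/whateever", "read"), ("https://server2.com/profile/whatever", "read"),
           ("https://server2.com/profile/whatever", "modify")}

def err(code, msg):
    return f"<FortResponse><errorCode>{code}</errorCode><errorMessage>{msg}</errorMessage></FortResponse>".encode()

def fake_post(endpoint, body):
    req = ET.fromstring(body)
    if endpoint == RBAC_CREATE:
        if req.findtext("entity/userId") != "someuser":  # code and text as shown in the thread
            return err(1005, "getUser userId [jutsuser1] not found, Fortress rc=1005")
        if req.findtext("entity/password") != "userpwd":
            return err(1, "constructed: password check failed")
        return b"<FortResponse><errorCode>0</errorCode><session><sessionId>constructed-id</sessionId><userId>someuser</userId></session></FortResponse>"
    if req.findtext("session/sessionId") != "constructed-id":
        return err(2, "constructed: missing or unknown session")
    if endpoint == RBAC_PERMS:
        ents = "".join(f'<entity xsi:type="permission"><objName>{o}</objName><opName>{p}</opName></entity>'
                       for o, p in sorted(GRANTED))
        return f'<FortResponse><errorCode>0</errorCode><entities xmlns:xsi="{XSI}">{ents}</entities></FortResponse>'.encode()
    ok = (req.findtext("entity/objName"), req.findtext("entity/opName")) in GRANTED
    return f"<FortResponse><errorCode>0</errorCode><isAuthorized>{str(ok).lower()}</isAuthorized></FortResponse>".encode()
```

Run offline with `FortressClient(fake_post)`; against a real server swap in `http_transport(base_url, rest_user, rest_password)` with the service account the token provider holds. Two points for the token provider that the thread's exchange implies: treat `errorCode` as the authentication result rather than the HTTP status (the failed createSession Shawn pasted is an HTTP 200), and keep the session document on the provider side, sending it back only to Fortress, since the self-contained JWT handed to the client is what carries the permissions outward.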