Posted to user@shiro.apache.org by Brian Demers <br...@gmail.com> on 2015/03/01 20:31:54 UTC

Re: A question about Shiro's capabilities

If you haven't already, take a look at wildcard permissions:
http://shiro.apache.org/permissions.html

For #3 and #4
In my mind roles and groups are used almost interchangeably.  But if I had
to split them up, I would say that a role is a collection of permissions,
and a group is a collection of users.  In this case a Role could be
assigned to an individual user or a Group.  A simple example might be an
'Administrator-role' would likely contain all permissions.  An
'Administrator-group' would contain all your admin users. You would assign
the 'Administrator-role' to the 'Administrator-group' (this would be done
in a realm).

As for your question about realms.  Yes, with respect to only supporting
'read' operations, this is mainly because most applications have their own
requirements, for example lots of applications store users in some other
type of store (i.e. LDAP / AD).

Does that answer your questions?




On Fri, Feb 27, 2015 at 4:03 PM, Raghuram Devarakonda <dr...@gmail.com>
wrote:

>
> Hi All,
>
> We currently use Spring security for authorization (ACL module in
> particular) but there are some new use cases which may make the continued
> use of Spring security infeasible. So I started looking for alternatives
> and in that process, have run into Apache Shiro. I read the documentation
> available on the Shiro site and I think I have some idea how it works. But
> there are some questions that I would like to get some clarification on and
> I would appreciate any help.
>
> Here are some authorization requirements from our application:
>
> 1) Support granular privileges (mapping to operations such as "read" and
> "write"). Note that there are no resources at this point. These are just
> possible operations.
>
> 2) A role is a combination of privileges, again without reference to any
> resources.
>
> 3) Individual resources can be organized into resource groups where one
> resource can belong to multiple resource groups.
>
> 4) Finally, roles can be assigned to users (or groups) for a given
> resource or resource group.
>
> It seems to me that Shiro supports (1) and (2) but I am not clear about
> the rest.
>
> Also, is it true that the application needs to take care of all "write"
> operations as mentioned in one of the documents? Here is the relevant
> snippet:
>
> "Currently all Realm implementations support ‘read’ operations for
> acquiring authentication and authorization data to perform logins   and
> access control. ‘Write’ operations, like creating user accounts,  groups
> and roles, or associating users with roles groups and permissions, are not
> supported. This is because the data model to support these operations
> varies dramatically across applications and it would be difficult to
> enforce a ‘write’ API on all Shiro users. "
>
> Thanks in advance,
> Raghu
>

Re: A question about Shiro's capabilities

Posted by Brian Demers <br...@gmail.com>.
Agreed, use roles as a collection of permissions.

On Tue, Mar 3, 2015 at 2:01 PM, Christian Wolfe <ta...@gmail.com> wrote:

> It sounds like one possible solution would be to create a role (with
> assigned permissions) for each resource group, and then write your Shiro
> Realm such that it determines which groups any given user is in. For
> example, you'd have to look at what site the user is at, and then determine
> which if any roles the user should be given. The only trick is that you
> would have to perform these checks for every single kind of resource group
> you'd like to support.
>
> On Tue, Mar 3, 2015 at 9:41 AM, Raghuram Devarakonda <dr...@gmail.com>
> wrote:
>
>>
>> On Mon, Mar 2, 2015 at 11:54 AM, Brian Demers <br...@gmail.com>
>> wrote:
>>
>>> I guess I don't know what you mean by a resource group?  Can you give an
>>> example?
>>>
>>> If I had a group of similar resources, I would assign them similar named
>>> permissions, (similar to the printer example in the link below)
>>>
>>
>>
>> By resource group, I mean a group of resources that aren't necessarily of
>> the same type. For example, a company may create a resource group of
>> various types of resources belonging to a particular site and give
>> permissions on that group to users at that site.
>>
>> Thanks,
>> Raghu
>>
>
>

Re: A question about Shiro's capabilities

Posted by Christian Wolfe <ta...@gmail.com>.
It sounds like one possible solution would be to create a role (with
assigned permissions) for each resource group, and then write your Shiro
Realm such that it determines which groups any given user is in. For
example, you'd have to look at what site the user is at, and then determine
which if any roles the user should be given. The only trick is that you
would have to perform these checks for every single kind of resource group
you'd like to support.

On Tue, Mar 3, 2015 at 9:41 AM, Raghuram Devarakonda <dr...@gmail.com>
wrote:

>
> On Mon, Mar 2, 2015 at 11:54 AM, Brian Demers <br...@gmail.com>
> wrote:
>
>> I guess I don't know what you mean by a resource group?  Can you give an
>> example?
>>
>> If I had a group of similar resources, I would assign them similar named
>> permissions, (similar to the printer example in the link below)
>>
>
>
> By resource group, I mean a group of resources that aren't necessarily of the
> same type. For example, a company may create a resource group of various
> types of resources belonging to a particular site and give permissions on
> that group to users at that site.
>
> Thanks,
> Raghu
>

Re: A question about Shiro's capabilities

Posted by Raghuram Devarakonda <dr...@gmail.com>.
On Mon, Mar 2, 2015 at 11:54 AM, Brian Demers <br...@gmail.com>
wrote:

> I guess I don't know what you mean by a resource group?  Can you give an
> example?
>
> If I had a group of similar resources, I would assign them similar named
> permissions, (similar to the printer example in the link below)
>


By resource group, I mean a group of resources that aren't necessarily of the
same type. For example, a company may create a resource group of various
types of resources belonging to a particular site and give permissions on
that group to users at that site.

Thanks,
Raghu

Re: A question about Shiro's capabilities

Posted by Brian Demers <br...@gmail.com>.
I guess I don't know what you mean by a resource group?  Can you give an
example?

If I had a group of similar resources, I would assign them similarly named
permissions (similar to the printer example in the link below).
You could do the same for user management:

users:*:*       - admin user can modify any user resource
users:bdemers:* - I can modify only my resource
users:*:read    - I can read any users



On Mon, Mar 2, 2015 at 9:48 AM, Raghuram Devarakonda <dr...@gmail.com>
wrote:

>
> On Sun, Mar 1, 2015 at 2:31 PM, Brian Demers <br...@gmail.com>
> wrote:
>
>> If you haven't already, take a look at wildcard permissions:
>> http://shiro.apache.org/permissions.html
>>
>
> Yes, I did read about wild card permissions and they do support what I had
> in mind.
>
>
>>
>> For #3 and #4
>> In my mind roles and groups are used almost interchangeably.  But if I
>> had to split them up, I would say that a role is a collection of
>> permissions, and a group is a collection of users.  In this case a Role
>> could be assigned to an individual user or a Group.  A simple example might
>> be an 'Administrator-role' would likely contain all permissions.  An
>> 'Administrator-group' would contain all your admin users. You would assign
>> the 'Administrator-role' to the 'Administrator-group' (this would be done
>> in a realm).
>>
>
> Thanks. This clarifies the concepts a bit. But can you tell me if there is
> a concept of grouping resource instances together, say into a resource
> group? Of course, if the application is responsible for modelling the
> entities, I guess it can implement the resource group concept itself but I
> just wanted to know if Shiro provides or recognizes any such support.
>
>
>>
>> As for your question about realms.  Yes, with respect to only supporting
>> 'read' operations, this is mainly because most applications have their own
>> requirements, for example lots of applications store users in some other
>> type of store (i.e. LDAP / AD).
>>
>> Does that answer your questions?
>>
>
> Mostly yes. Thanks a lot.
>
> Raghu
>
>
>
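
The wildcard permission strings above, together with Christian's "one role per resource group" realm idea, as an added example that is not code from the Shiro project or from anyone in this thread: a small Python model of the implies rules documented on the permissions page, plus a constructed site-to-role mapping (all role, site and user names are made up):

```python
# Added example, not code from the Shiro project or from anyone in this thread.
# A small Python model of the WildcardPermission rules documented at
# http://shiro.apache.org/permissions.html: parts split on ':', alternatives on ',',
# '*' matches any value, and a missing trailing part counts as '*'. On top of it,
# the "one role per resource group" approach from the thread: a realm resolves a
# user's site(s) to roles, and roles to permissions. All data below is constructed.

ROLES = {
    "users-admin": {"users:*:*"},      # may do anything to any user resource
    "users-viewer": {"users:*:read"},  # may read any user resource
}
SITE_ROLES = {"boston": {"users-viewer"}, "nyc": {"users-admin"}}  # per resource group
USER_SITES = {"bdemers": {"boston"}, "alice": {"nyc"}, "bob": set()}


def parse(perm: str):
    """'users:bdemers,alice:read' -> [{'users'}, {'bdemers', 'alice'}, {'read'}]"""
    parts = []
    for part in perm.strip().lower().split(":"):
        subs = {s.strip() for s in part.split(",") if s.strip()}
        if not subs:
            raise ValueError(f"empty part in permission {perm!r}")
        parts.append(subs)
    return parts


def implies(granted: str, requested: str) -> bool:
    """True if a granted permission string covers the requested one."""
    g, r = parse(granted), parse(requested)
    for i, rpart in enumerate(r):
        if i >= len(g):
            return True                # 'users' implies 'users:bdemers:read'
        if "*" not in g[i] and not rpart <= g[i]:
            return False               # granted part must list every requested value
    return all("*" in gpart for gpart in g[len(r):])  # extra granted parts must be '*'


def permissions_for(user: str):
    """Realm logic: everyone may manage their own user record; site membership
    (the resource group) adds that site's roles and their permissions."""
    perms = {f"users:{user}:*"}
    for site in USER_SITES.get(user, ()):
        for role in SITE_ROLES.get(site, ()):
            perms |= ROLES.get(role, set())
    return perms


def is_permitted(user: str, requested: str) -> bool:
    return any(implies(p, requested) for p in permissions_for(user))
```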

Re: A question about Shiro's capabilities

Posted by Raghuram Devarakonda <dr...@gmail.com>.
On Sun, Mar 1, 2015 at 2:31 PM, Brian Demers <br...@gmail.com> wrote:

> If you haven't already, take a look at wildcard permissions:
> http://shiro.apache.org/permissions.html
>

Yes, I did read about wild card permissions and they do support what I had
in mind.


>
> For #3 and #4
> In my mind roles and groups are used almost interchangeably.  But if I had
> to split them up, I would say that a role is a collection of permissions,
> and a group is a collection of users.  In this case a Role could be
> assigned to an individual user or a Group.  A simple example might be an
> 'Administrator-role' would likely contain all permissions.  An
> 'Administrator-group' would contain all your admin users. You would assign
> the 'Administrator-role' to the 'Administrator-group' (this would be done
> in a realm).
>

Thanks. This clarifies the concepts a bit. But can you tell me if there is
a concept of grouping resource instances together, say into a resource
group? Of course, if the application is responsible for modelling the
entities, I guess it can implement the resource group concept itself but I
just wanted to know if Shiro provides or recognizes any such support.


>
> As for your question about realms.  Yes, with respect to only supporting
> 'read' operations, this is mainly because most applications have their own
> requirements, for example lots of applications store users in some other
> type of store (i.e. LDAP / AD).
>
> Does that answer your questions?
>

Mostly yes. Thanks a lot.

Raghu