You are viewing a plain text version of this content. The canonical link for it is here.

Posted to user@shiro.apache.org by Avner Cohen <Av...@fundtech.co.il> on 2011/04/01 09:18:15 UTC

Complex Authorization Setup

Hi All,
 
A question on the underline design of a complex (or is it?) authorization mechanism.
 
In a simple case, a user might have access to a folder, a file within this folder and then "write" permission on it:
 
"folder:file_name:write"
 
One of the properties of the file is it's size (>1M), some user may have permission to the file, only if it's smaller than 1M.
 
One option is to add this criteria as a top level thing, I guess..:
"1M:folder..."
 
But than, another property is relevant, what IP of SANs is the folder existing in A, B or C (some user's might be entitled to see files >1M, but only if it's in the A or B servers).
 
So is that a further top level?
"IP:1M:folder:*" ?
 
All in all, It might just be a simple design of permission exercise for people with more experience on this, I'd appreciate thoughts or pointers on how to go about designing this, and what would be the best place to store the metadata eventually (Rational structure in DB, a file system?).
 
 
Many thanks,
    Avner.

Re: Complex Authorization Setup

Posted by Tamás Cservenák <ta...@cservenak.net>.

Just as an idea... not that's it relevant:

sentences like "permission of file smaller than...", "bigger than..." etc
would make me consider combining discrete permissions together with spatial
ones...

See examples here:
https://github.com/cstamas/shiro-extras

Thanks,
~t~

On Fri, Apr 1, 2011 at 9:18 AM, Avner Cohen <Av...@fundtech.co.il> wrote:

>  Hi All,
>
> A question on the underline design of a complex (or is it?) authorization
> mechanism.
>
> In a simple case, a user might have access to a folder, a file within this
> folder and then "write" permission on it:
>
> "folder:file_name:write"
>
> One of the properties of the file is it's size (>1M), some user may have
> permission to the file, only if it's smaller than 1M.
>
> One option is to add this criteria as a top level thing, I guess..:
> "1M:folder..."
>
> But than, another property is relevant, what IP of SANs is the folder
> existing in A, B or C (some user's might be entitled to see files >1M, but
> only if it's in the A or B servers).
>
> So is that a further top level?
> "IP:1M:folder:*" ?
>
> All in all, It might just be a simple design of permission exercise for
> people with more experience on this, I'd appreciate thoughts or pointers on
> how to go about designing this, and what would be the best place to store
> the metadata eventually (Rational structure in DB, a file system?).
>
>
> Many thanks,
>     Avner.
>