Posted to commits@directory.apache.org by sm...@apache.org on 2019/04/24 15:14:07 UTC

[directory-fortress-enmasse] branch master updated: describe the policy load files

This is an automated email from the ASF dual-hosted git repository.

smckinney pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/directory-fortress-enmasse.git


The following commit(s) were added to refs/heads/master by this push:
     new 11b8ce4  describe the policy load files
11b8ce4 is described below

commit 11b8ce4428a87a9da94cfddaba6a8ecdebeba133
Author: Shawn McKinney <sm...@apache.org>
AuthorDate: Wed Apr 24 10:13:58 2019 -0500

    describe the policy load files
---
 README-SECURITY-MODEL.md | 57 +++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 52 insertions(+), 5 deletions(-)

diff --git a/README-SECURITY-MODEL.md b/README-SECURITY-MODEL.md
index e984710..c05180a 100644
--- a/README-SECURITY-MODEL.md
+++ b/README-SECURITY-MODEL.md
@@ -80,7 +80,6 @@ ________________________________________________________________________________
  ```concept
 # Boolean value. Disabled by default. If this is set to true, the runtime will enforce administrative permissions and ARBAC02 DA checks:
 is.arbac02=true
-
  ```
 
 The ARBAC checks when enabled, include the following:
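Review bot: Removing the stray blank line inside the fence is fine, but while touching this block consider tagging it `properties` rather than `concept`: `concept` is not a recognised language hint, so the `is.arbac02=true` snippet renders as plain text with no highlighting.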
@@ -140,8 +139,18 @@ c. Some services (#'s 9,10,11,12) perform a range check on the target RBAC role
 
 ## 5. Java EE security and Apache CXF SimpleAuthorizingInterceptor policy load
 
- * Load file here: [FortressRestServerPolicy](./src/main/resources/FortressRestServerPolicy.xml)
- * To load into LDAP:
+ a. The policy load file in this section performs the following:
+  * Create Java EE security role, *fortress-rest-user*, assigned users past the Java EE security role check described earlier.
+  * Create the roles needed to pass corresponding Apache CXF **SimpleAuthorizingInterceptor** checks described earlier.
+  * For example...
+  * Users assigned to *fortress-rest-admin-user* have access to all of the RBAC admin services.
+  * "        "        *fortress-rest-review-user* have access to all the RBAC review services.
+  * "        "        *fortress-rest-deladmin-user* have access to all the ARBAC admin services.
+  * etc...
+  * So a user would have to be assigned the *fortress-rest-user* and the particular interceptor role to successfully execute one of the rest services.
+  * The *fortress-rest-power-user*, inherits all of the others, making it very powerful. A user assigned this role has access to all services.
+
+ b. To load [FortressRestServerPolicy](./src/main/resources/FortressRestServerPolicy.xml) into LDAP:
 
  ```maven
  mvn install -Dload.file=src/main/resources/FortressRestServerPolicy.xml
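Review bot: The two bullets that start with ditto marks (`"        "`) will render as literal quotation marks rather than as "Users assigned to", so spell the subject out in each bullet, e.g. `* Users assigned to *fortress-rest-review-user* have access to all the RBAC review services.` In the first bullet, "assigned users past the Java EE security role check" should read "assigned users pass the Java EE security role check". Since the text says *fortress-rest-power-user* inherits every interceptor role and therefore grants access to all services, it would help readers to state explicitly here that this role is for administrative or test use and should be assigned sparingly.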
@@ -149,8 +158,46 @@ c. Some services (#'s 9,10,11,12) perform a range check on the target RBAC role
 
 ## 6. ARBAC policy load
 
- * Load file here: [FortressRestArbacSamplePolicy](./src/main/resources/FortressRestArbacSamplePolicy.xml)
- * To load into LDAP:
+ a. The ARBAC policies are enforced when the following property is present in runtime *fortress.properties*:
+ ```concept
+# Boolean value. Disabled by default. If this is set to true, the runtime will enforce administrative permissions and ARBAC02 DA checks:
+is.arbac02=true
+ ```
+
+ b. The policy load file in this section Creates an Admin RBAC (ARBAC) Role named: *fortress-rest-admin*, and associate with (Test) Perm and User OU's:
+
+ ```
+PermOUs="APP0,APP1,APP2,APP3,APP4,APP5,APP6,APP7,APP8,APP9,APP10,
+      oamT3POrg8,oamT3POrg9,oamT3POrg1,oamT3POrg10,oamT3POrg2,
+      oamT3POrg3,oamT3POrg4,oamT3POrg5,oamT3POrg6,oamT3POrg7,
+      oamT3POrg8,oamT4POrg1,oamT4POrg10,oamT4POrg2,oamT4POrg3,
+      oamT4POrg4,oamT4POrg5,oamT4POrg6,oamT4POrg7,oamT4POrg8,
+      oamT4POrg9,T5POrg1,T5POrg2,T5POrg3,T5POrg4,T5POrg5,T6POrg1,
+      T6POrg2,T6POrg3,T6POrg4,T6POrg5,T6POrg6,T6POrg7,T7POrg1,T7POrg2,
+      T7POrg3,T7POrg4,T7POrg5,T7POrg6,T7POrg7,"
+
+UserOUs="DEV0,DEV1,DEV2,DEV3,DEV4,DEV5,DEV6,DEV7,DEV8,DEV9,DEV10,
+      oamT1UOrg1,oamT1UOrg10,oamT1UOrg2,oamT1UOrg3,oamT1UOrg4,
+      oamT1UOrg5,oamT1UOrg6,oamT1UOrg7,oamT1UOrg8,oamT1UOrg9,
+      oamT2UOrg1,oamT2UOrg10,oamT2UOrg2,oamT2UOrg3,oamT2UOrg4,
+      oamT2UOrg5,oamT2UOrg6,oamT2UOrg7,oamT2UOrg8,oamT2UOrg9,
+      T5UOrg1,T5UOrg2,T5UOrg3,T5UOrg4,T5UOrg5,T6UOrg1,T6UOrg2,
+      T6UOrg3,T6UOrg4,T6UOrg5,T6UOrg6,T6UOrg7,T7UOrg1,T7UOrg2,
+      T7UOrg3,T7UOrg4,T7UOrg5,T7UOrg6,T7UOrg7"
+ ```
+ Note: These Perm and User OUs are a prerequisite to the subsequent load script successfully running.
+ They get created during Apache Fortress Core during integration testing.  That means the completion of those tests are a prerequisite to importing this data.
+
+ c. Next the policy load scripts performs the following:
+
+ * Creates the Administrative Permissions that correspond with every Apache Fortress Rest service in this system.
+ * Grants the Admin Perms to the Admin Role *fortress-rest-admin*.
+ * Assigns role *fortress-rest-admin* to User *demoUser4*.
+   * Users who have been granted this role, like *demoUser4*, may call every Apache Fortress Rest service in this syteem and pass the ARBAC02 perm checks.
+   * Assigned users will pass the ARBAC02 organizational checks for (only) the data contained within the Apache Fortress core junit tests.
+   * Assigned users will pass *all* of the ARBAC02 role range checks.
+
+ d. To load the [FortressRestArbacSamplePolicy](./src/main/resources/FortressRestArbacSamplePolicy.xml) into LDAP:
 
  ```maven
  mvn install -Dload.file=src/main/resources/FortressRestArbacSamplePolicy.xml
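Review bot: `oamT3POrg8` appears twice in the PermOUs value (second and fourth lines of the block), and that value ends with a trailing comma (`T7POrg7,"`) while UserOUs does not; if the block is meant to mirror what the load file sets, drop the duplicate and the trailing comma, otherwise a reader will wonder whether the load file itself has them. Grammar and typos in the new text: "Creates an Admin RBAC (ARBAC) Role named: *fortress-rest-admin*, and associate with" should be "creates ... and associates it with"; "the policy load scripts performs" should be "the policy load script performs"; "syteem" should be "system"; and "They get created during Apache Fortress Core during integration testing" reads better as "They get created by the Apache Fortress Core integration tests". Also add a blank line between " a. ..." and the ```concept fence and tag the untagged second fence (e.g. `properties`), otherwise some markdown renderers fold the fence into the preceding list item.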