Posted to commits@isis.apache.org by da...@apache.org on 2021/05/30 19:47:46 UTC
[isis] 02/02: ISIS-2699: updates docs for secman
This is an automated email from the ASF dual-hosted git repository.
danhaywood pushed a commit to branch ISIS-2699
in repository https://gitbox.apache.org/repos/asf/isis.git
commit b5facd393dfbeb31b4f8e03f6f1eb0afb4e6562a
Author: danhaywood <da...@haywood-associates.co.uk>
AuthorDate: Sun May 30 20:47:30 2021 +0100
ISIS-2699: updates docs for secman
---
.../apache/isis/core/config/IsisConfiguration.java | 4 +-
.../adoc/modules/secman/pages/setting-up.adoc | 109 +++++++++------------
2 files changed, 51 insertions(+), 62 deletions(-)
diff --git a/core/config/src/main/java/org/apache/isis/core/config/IsisConfiguration.java b/core/config/src/main/java/org/apache/isis/core/config/IsisConfiguration.java
index 7b7f29a..6657dd9 100644
--- a/core/config/src/main/java/org/apache/isis/core/config/IsisConfiguration.java
+++ b/core/config/src/main/java/org/apache/isis/core/config/IsisConfiguration.java
@@ -3052,7 +3052,7 @@ public class IsisConfiguration {
* </p>
*
* <p>
- * The password for this user is set in {@link #getAdminPassword()}.
+ * The password for this user is set in {@link Admin#getPassword()}.
* </p>
*
* @see #getPassword()
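Review bot: the new `{@link Admin#getPassword()}` and the unchanged `@see #getPassword()` two lines below appear to reference the same method in two different forms; use one form consistently, and since the body now links the method directly, the `@see` tag is redundant and can be dropped.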
@@ -3115,7 +3115,7 @@ public class IsisConfiguration {
* {@link NamespacePermissions#getAdditional()}.
* </p>
*
- * @see #getAdminAdditionalNamespacePermissions()
+ * @see NamespacePermissions#getAdditional()
*/
private List<String> sticky = ADMIN_STICKY_NAMESPACE_PERMISSIONS_DEFAULT;
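Review bot: the replacement `@see NamespacePermissions#getAdditional()` duplicates the `{@link NamespacePermissions#getAdditional()}` already in the body two lines above, so it adds nothing; either drop it or use the Javadoc to say what distinguishes `sticky` from `additional`. The setting-up.adoc hunk in this same commit states that sticky permissions cannot be removed through the UI while additional ones can; that is the security-relevant property of this field and belongs in its Javadoc rather than only in the user docs.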
diff --git a/extensions/security/secman/adoc/modules/secman/pages/setting-up.adoc b/extensions/security/secman/adoc/modules/secman/pages/setting-up.adoc
index 670ced5..ea48b29 100644
--- a/extensions/security/secman/adoc/modules/secman/pages/setting-up.adoc
+++ b/extensions/security/secman/adoc/modules/secman/pages/setting-up.adoc
@@ -96,71 +96,60 @@ Ensure that no other `IsisModuleSecurityXxx` module is imported.
<.> fixture script support
-[#configure-services]
-=== Configure Services
+[#configure-properties]
+== Configuration Properties
-It is also necessary to configure some aspects of SecMan.
-This is most easily done using `Bean` definitions within the `AppManifest`:
+Add the database schema used by the SecMan entities to the configuration file:
-[source,java]
-.AppManifest.java
+[source,yaml]
+.application.yml
+----
+isis:
+ persistence:
+ schema:
+ auto-create-schemas: isisExtensionsSecman
----
-//...
-public class AppManifest {
-
- @Bean
- public SecmanConfiguration secmanConfiguration() {
- return SecmanConfiguration.builder()
- .adminUserName("sven").adminPassword("pass") // <.>
- // .adminRoleName("isis-ext-secman-admin") // <.>
- // .regularUserRoleName("isis-ext-secman-user") // <.>
- .build();
- }
- @Bean
- public PermissionsEvaluationService permissionsEvaluationService() {
- return new PermissionsEvaluationServiceAllowBeatsVeto(); // <.>
- }
+Optionally, modify the configuration properties for Secman itself:
- @Bean
- public SecurityRealmService securityRealmService() {
- return new SecurityRealmService() {
- @Override
- public SecurityRealm getCurrentRealm() {
- return () ->
- EnumSet.noneOf(SecurityRealmCharacteristic.class); // <.>
- }
- };
- }
-}
+[source,yaml]
+.application.yml
+----
+isis:
+ extensions:
+ secman:
+ seed:
+ admin:
+ user-name: "secman-admin" <.>
+ password: "pass" <1>
+ role-name: "isis-ext-secman-admin" <.>
+ namespace-permissions:
+ sticky: ... <.>
+ additional: ... <.>
+ regular-user:
+ role-name: "isis-ext-secman-user" <.>
+ permissionsEvaluationPolicy: ALLOW_BEATS_VETO <.>
+ delegated-users:
+ auto-create-policy: AUTO_CREATE_AS_LOCKED <.>
+ user-registration:
+ initial-role-names: ... <.>
----
<.> indicates the security super-user and password
<.> indicates the name of the role granted to this security super-user.
-This can be any name; if not overridden will default to `SecmanConfiguration.DEFAULT_ADMIN_ROLE_NAME`
-
+This can be any name.
+<.> the "sticky" namespace permissions granted to the admin role.
+These cannot be removed (through the UI).
+<.> any additional namespace permissions to be granted to the admin role.
+These can be removed (through the UI).
<.> indicates the name of the role that should be granted to regular users of the application.
-This can be any name; if not overridden will default to `SecmanConfiguration.DEFAULT_REGULAR_USER_ROLE_NAME`
-+
-IMPORTANT: This role grants regular users the ability to logout (among other things).
+<.> if there are conflicted (allow vs veto) permissions at the same scope, then whether the allow wins or the veto wins
<.> indicates that only local users are supported (no delegate realm is in used).
+
See <<delegate-realms,below>> to configure for a delegate realm.
-
-
-== Configuration
-
-Add the database schema used by the SecMan entities to the configuration file:
-
-[source,yaml]
-.application.yml
-----
-isis:
- persistence:
- schema:
- auto-create-schemas: isisExtensionsSecman
-----
-
+<.> if self-user registration is enabled in the viewer, this defines the set of roles to be granted to said user.
++
+This is discussed in more detail <<user-registration-aka-sign-up,below>>.
[#default-roles]
== Default Roles
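Review bot: the new `application.yml` block has several inconsistencies. First, `permissionsEvaluationPolicy: ALLOW_BEATS_VETO` is the only camelCase key in a block that otherwise uses kebab-case (`auto-create-policy`, `role-name`, `user-name`); Spring relaxed binding will accept either, but the documented form should be `permissions-evaluation-policy` to match its neighbours. Second, the callout attached to `delegated-users.auto-create-policy: AUTO_CREATE_AS_LOCKED` still reads "indicates that only local users are supported (no delegate realm is in used)", which described the removed `SecurityRealmService` / `SecurityRealmCharacteristic` bean; it should now explain what the auto-create policy does for users arriving from a delegate realm (and "in used" should be "in use"). Third, `password: "pass" <1>` reuses callout 1 by explicit number while every other callout is auto-numbered with `<.>`; verify that this renders as intended, and since this is the seeded security super-user's password, the text for that callout should say the value must be overridden rather than left as the committed example literal. Fourth, the key `user-registration.initial-role-names` does not match the `user-registration.initial-roles` key shown in the later hunk of this same file; one of them is wrong.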
@@ -171,13 +160,13 @@ These are summarised here:
* Available in both production and prototype mode
-** `SecmanConfiguration#getAdminRoleName()`
+** Admin role (as defined in the configuration, see <<configure-properties,above>>)
+
Admin permissions for Secman itself.
This is the role granted to the security super-user, and whose exact name is configured using .
This role should therefore be extremely tightly locked down.
-** `SecmanConfiguration#getRegularUserRoleName()`
+** Regular user role (as defined in the configuration, see <<configure-properties,above>>)
+
Regular user permissions for Secman.
This should be granted to all users (in particular, it includes the ability to logout!)
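Review bot: the unchanged context line `This is the role granted to the security super-user, and whose exact name is configured using .` is now left with nothing after "using"; the `SecmanConfiguration#getAdminRoleName()` reference it relied on has been replaced in this hunk, so either complete the sentence with the `isis.extensions.secman.seed.admin.role-name` property named in the configuration block earlier in this commit, or drop the trailing clause.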
@@ -384,11 +373,11 @@ The exact roles to setup are specified using configuration property:
.application.yaml
----
isis:
- extensions:
- secman:
- user-registration:
- initial-roles:
- - "self-registered-user-role"
- - "regular-user-role"
+ extensions:
+ secman:
+ user-registration:
+ initial-roles:
+ - "self-registered-user-role"
+ - "regular-user-role"
----
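Review bot: this hunk only re-indents, but the key it preserves, `user-registration.initial-roles`, differs from `user-registration.initial-role-names` introduced in the configuration block earlier in this commit; the two should agree, with whichever name `IsisConfiguration` actually binds being the one kept. The block title here is also `.application.yaml` whereas the new blocks use `.application.yml`; pick one file name for the docs.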