Posted to dev@ignite.apache.org by Mikhail Petrov <pm...@gmail.com> on 2019/09/11 14:34:35 UTC

[DISCUSSION] REST requests explicit authorization.

Igniters,

I would like to suggest expanding the IgniteSecurity interface with a 
method for REST requests explicit authorization (e.g. public void 
authorize(GridRestRequest req) throws SecurityException;).

Currently, REST request authorization starts in 
GridRestProcessor#authorize(GridRestRequest) where GridRestCommand is 
converted to SecurityPermission and then passed to 
IgniteSecurity#authorize(String, SecurityPermission) for final 
authorization.

I propose to allow GridSecurityProcessor to make an authorization 
decision on its own by giving it GridRestRequest.

This approach can help to avoid tough mapping GridRestCommand -> 
SecurityPermission and achieve much more flexibility in tweaking REST 
request authorization.

I will appreciate your feedback on this proposal.


Re: [DISCUSSION] REST requests explicit authorization.

Posted by Denis Garus <ga...@gmail.com>.
Hello, Mikhail!

Why do we need to avoid tough mapping GridRestCommand -> SecurityPermission?

Maybe it would be more transparent if we add to the GridRestCommand a field
that will contain SecurityPermission for this command?

Wed, Sep 11, 2019 at 17:34, Mikhail Petrov <pm...@gmail.com>:

> Igniters,
>
> I would like to suggest expanding the IgniteSecurity interface with a
> method for REST requests explicit authorization (e.g. public void
> authorize(GridRestRequest req) throws SecurityException;).
>
> Currently, REST request authorization starts in
> GridRestProcessor#authorize(GridRestRequest) where GridRestCommand is
> converted to SecurityPermission and then passed to
> IgniteSecurity#authorize(String, SecurityPermission) for final
> authorization.
>
> I propose to allow GridSecurityProcessor to make an authorization
> decision on its own by giving it GridRestRequest.
>
> This approach can help to avoid tough mapping GridRestCommand ->
> SecurityPermission and achieve much more flexibility in tweaking REST
> request authorization.
>
> I will appreciate your feedback on this proposal.
>
>
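
The two designs discussed in this thread, side by side, as an added example that is not part of either message and is not Ignite code. All types are simplified stand-ins with hypothetical names, and the `sourceAddr` field, the grant strings and the loopback-only rule are constructed for illustration; the command enum carries its permission as the reply suggests, and the request-level `authorize` overload follows the original proposal.

```java
import java.util.Set;

// Stand-in types for illustration only; these are NOT Ignite's classes (Java 16+ for records).
public class RestAuthzSketch {
    enum Permission { CACHE_READ, CACHE_PUT, ADMIN_OPS }

    // Reply's suggestion: the command itself declares the permission it requires.
    enum RestCommand {
        CACHE_GET(Permission.CACHE_READ), CACHE_PUT(Permission.CACHE_PUT), CLUSTER_ACTIVATE(Permission.ADMIN_OPS);
        final Permission required;
        RestCommand(Permission required) { this.required = required; }
    }

    record RestRequest(RestCommand cmd, String cacheName, String sourceAddr) {}

    interface Security {
        // Existing style of check: only a name and a permission reach the security layer.
        void authorize(String name, Permission perm) throws SecurityException;

        // Proposed addition: the whole request is visible. The default keeps today's behaviour.
        default void authorize(RestRequest req) throws SecurityException {
            authorize(req.cacheName(), req.cmd().required);
        }
    }

    static class GrantTable implements Security {
        final Set<String> grants; // constructed format: "PERMISSION:name"
        GrantTable(Set<String> grants) { this.grants = grants; }
        public void authorize(String name, Permission perm) {
            if (!grants.contains(perm + ":" + name)) throw new SecurityException("denied " + perm + " on " + name);
        }
    }

    // A plugin that uses request context the (name, permission) pair cannot express.
    static class LoopbackOnlyAdmin extends GrantTable {
        LoopbackOnlyAdmin(Set<String> grants) { super(grants); }
        @Override public void authorize(RestRequest req) {
            if (req.cmd().required == Permission.ADMIN_OPS && !"127.0.0.1".equals(req.sourceAddr()))
                throw new SecurityException("denied " + req.cmd() + " from " + req.sourceAddr());
            authorize(req.cacheName(), req.cmd().required); // then the ordinary grant check
        }
    }

    static boolean allowed(Security s, RestRequest r) {
        try { s.authorize(r); return true; } catch (SecurityException e) { return false; }
    }

    public static void main(String[] args) {
        Set<String> grants = Set.of("CACHE_READ:public", "ADMIN_OPS:null"); // constructed grants
        RestRequest remoteAdmin = new RestRequest(RestCommand.CLUSTER_ACTIVATE, null, "10.0.0.7");
        System.out.println("mapping only:  " + allowed(new GrantTable(grants), remoteAdmin));
        System.out.println("request-level: " + allowed(new LoopbackOnlyAdmin(grants), remoteAdmin));
    }
}
```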