Posted to server-dev@james.apache.org by "Benoit Tellier (Jira)" <se...@james.apache.org> on 2022/05/25 04:40:00 UTC

[jira] [Commented] (JAMES-3756) Configurable impersonation

    [ https://issues.apache.org/jira/browse/JAMES-3756?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17541816#comment-17541816 ] 

Benoit Tellier commented on JAMES-3756:
---------------------------------------

I am starting to work on this: https://github.com/apache/james-project/pull/1015 proposes a simple API to back the corresponding storage.

Regarding Cassandra storage, I believe it would make sense to add an `authorizedUsers` column to the `users` table.

This avoids introducing yet another table, and fits into what a user is, at the cost of an easy upgrade instruction.

> Configurable impersonation
> ----------------------------
>
>                 Key: JAMES-3756
>                 URL: https://issues.apache.org/jira/browse/JAMES-3756
>             Project: James Server
>          Issue Type: Improvement
>          Components: IMAPServer, SMTPServer, UsersStore & UsersRepository
>            Reporter: Benoit Tellier
>            Priority: Major
>
> h3. What is impersonation
> Hello I'm Bob, connect me as Alice.
> Use cases:
>  - 1. Migration: a migration user impersonates an existing user to migrate in/out emails of the user
>  - 2. Assistance: An admin impersonates a user to assist them with one problem...
>  - 3. Delegation: The secretary impersonates her boss's mails.
> h3. What exists today in James
> Impersonation exists for IMAP AUTHENTICATE PLAIN.
> Impersonation relies on the 'Authorizator' interface.
> A simple implementation of it is provided: We then verify that the user performing the impersonation is an admin account defined in the configuration.
> This makes it suitable for simple use cases defined in 1 and 2 (where multi-tenancy is not an issue)
> However, this is unsuitable for more advanced use cases.
> h3. Proposal
> Provide a configuration option to enable fine-grained authorization.
> If enabled, a storage API for delegation will be enabled (stores that user X has the right to impersonate user Y). We can then have a webadmin API to manage this, as well as the wiring needed in the Authorizator.
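
As an added illustration (not code from James or from the linked pull request), the Java example below contrasts the configured-admin rule with a per-user delegation lookup keyed by the target user, the way an `authorizedUsers` column on a user row would be. Every class and method name, the case normalisation, and the rule that stored grants alone decide when fine-grained mode is on are assumptions made for the example.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

class DelegationExample {
    enum Decision { ALLOWED, FORBIDDEN, UNKNOWN_USER }

    // Hypothetical store keyed by the target user Y, like an authorizedUsers column on Y's row.
    static final class DelegationStore {
        private final Map<String, Set<String>> authorizedUsers = new ConcurrentHashMap<>();
        void grant(String target, String delegate) {
            authorizedUsers.computeIfAbsent(norm(target), k -> ConcurrentHashMap.newKeySet()).add(norm(delegate));
        }
        void revoke(String target, String delegate) {
            authorizedUsers.computeIfPresent(norm(target), (k, set) -> {
                set.remove(norm(delegate));
                return set.isEmpty() ? null : set; // drop the entry once no delegate is left
            });
        }
        boolean isAuthorized(String target, String delegate) {
            return authorizedUsers.getOrDefault(norm(target), Set.of()).contains(norm(delegate));
        }
    }

    // Assumption: user names compare case-insensitively, so grants and checks use one canonical form.
    static String norm(String user) { return user.trim().toLowerCase(Locale.ROOT); }

    // fineGrained=false: the existing rule (configured admin account).
    // fineGrained=true: only a stored grant "X may act as Y" counts (assumption).
    static Decision canLoginAs(String authenticated, String target, boolean fineGrained,
                               Set<String> admins, Set<String> users, DelegationStore store) {
        if (!users.contains(norm(target))) return Decision.UNKNOWN_USER;
        if (norm(authenticated).equals(norm(target))) return Decision.ALLOWED; // plain login, no impersonation
        boolean ok = fineGrained ? store.isAuthorized(target, authenticated) : admins.contains(norm(authenticated));
        return ok ? Decision.ALLOWED : Decision.FORBIDDEN;
    }

    public static void main(String[] args) {
        // Constructed sample data: two tenants (a.example, b.example), one admin, one delegation.
        Set<String> users = Set.of("alice@a.example", "bob@a.example", "carol@b.example", "admin@a.example");
        Set<String> admins = Set.of("admin@a.example");
        DelegationStore store = new DelegationStore();
        store.grant("alice@a.example", "Bob@a.example");
        // Admin rule vs. fine-grained rule for a cross-tenant request, then a delegated one.
        System.out.println(canLoginAs("admin@a.example", "carol@b.example", false, admins, users, store));
        System.out.println(canLoginAs("admin@a.example", "carol@b.example", true, admins, users, store));
        System.out.println(canLoginAs("bob@a.example", "alice@a.example", true, admins, users, store));
        store.revoke("alice@a.example", "bob@a.example");
        System.out.println(canLoginAs("bob@a.example", "alice@a.example", true, admins, users, store));
    }
}
```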


