Posted to user@syncope.apache.org by Bob Lannoy <bo...@gmail.com> on 2012/03/30 13:42:52 UTC

Users & roles

Hi,

suppose I have users & hierarchical roles in Syncope and an external
system (tomcat webapp) that needs to authenticate those users and get
the roles.
Can you give me an indication on how I would go about this?

I did some preliminary tests:
- I can do an authentication to core using basic auth, but I saw that
the user object also contains the hashed password of the user
- /auth/getentitlements doesn't give me the roles of the connected user
- /user/read?username=user : gives me the user but only if I
authenticated with a user that has the possibility to read other users
as well. This means I should have some kind of administration
connection to core instead of a user specific connection?
- if there are hierarchical roles, I only get the child role. I
suppose I have to walk the tree myself to retrieve the other roles?
i.e. based on response to role/list request?
regards

Bob

Re: Users & roles

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 30/03/2012 15:13, Colm O hEigeartaigh wrote:
> Hi Francesco,
>
>> let me clarify one point: if role A (with entitlement E) has child role
>> B, and user U has role B assigned, this DOES NOT IMPLY that user U has
>> role A assigned as well.
>> When defining roles, you can choose whether a role will inherit some
>> information (entitlements, for example) from its parent.
> Are you referring to the "inherit attributes" checkbox when creating a
> child role? What is the exact meaning of this - that the child role
> does not inherit any attributes or entitlements from the parent role?
> Or is it stronger as you seem to be implying in the example, that no
> hierarchy exists (i.e. a user in the child role does not inherit the
> parent role at all when this box is ticked)?

Oops, I now realize that my sample was bound to an old version: you are
right: entitlements are ALWAYS inherited, but there are many things that
a role can inherit from its parent:

 * attributes (the checkbox you are referring above, under tab "Attributes")
 * derived attributes (under tab "Derived Attributes")
 * virtual attributes (under tab "Virtual Attributes")
 * password policies
 * account policies

Role hierarchy exists because each role might have a parent role and
child roles can inherit from parent roles.

But, as I've said before, user U is member of B, not A.

In this sense, one can say that roles are hierarchical but role
assignments (a.k.a. memberships) are not hierarchical.

Regards.

> 2012/3/30 Francesco Chicchiriccò <il...@apache.org>:
>> On 30/03/2012 14:48, Bob Lannoy wrote:
>>> On 30 March 2012 14:29, Colm O hEigeartaigh <co...@apache.org> wrote:
>>>> Hi Bob,
>>>>
>>>> I've been running into similar issues.
>>>>
>>>>> - /auth/getentitlements doesn't give me the roles of the connected user
>>>> It gives you the list of entitlements associated with the roles of the
>>>> connected user. Perhaps this controller should also have a similar
>>>> method for returning a list of role names of the connected user as
>>>> well?
>>> Through the console both are mixed so I confused entitlements with the roles.
>>> A "getroles" method for the connected user would indeed be handy.
>>> Ideally it could return the child with its parents
>>>
>>> I could try to have a go at it although I'm not a hard core developer ;)
>> Hi,
>> let me clarify one point: if role A (with entitlement E) has child role
>> B, and user U has role B assigned, this DOES NOT IMPLY that user U has
>> role A assigned as well.
>>
>> When defining roles, you can choose whether a role will inherit some
>> information (entitlements, for example) from its parent.
>>
>> This means, referring to example above, that if B is configured to
>> inherit entitlements from A, user U will have entitlement E.
>>
>> Hence, a method like the one above proposed by Colm will not be needed:
>> when using the self-read REST method (as indicated by Fabio in another
>> e-mail), you will find such information in UserTO.getRoles().
-- 
Francesco Chicchiriccò

Apache Cocoon PMC and Apache Syncope PPMC Member
http://people.apache.org/~ilgrosso/


Re: Users & roles

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi Francesco,

> let me clarify one point: if role A (with entitlement E) has child role
> B, and user U has role B assigned, this DOES NOT IMPLY that user U has
> role A assigned as well.

> When defining roles, you can choose whether a role will inherit some
> information (entitlements, for example) from its parent.

Are you referring to the "inherit attributes" checkbox when creating a
child role? What is the exact meaning of this - that the child role
does not inherit any attributes or entitlements from the parent role?
Or is it stronger as you seem to be implying in the example, that no
hierarchy exists (i.e. a user in the child role does not inherit the
parent role at all when this box is ticked)?

Colm.

2012/3/30 Francesco Chicchiriccò <il...@apache.org>:
> On 30/03/2012 14:48, Bob Lannoy wrote:
>> On 30 March 2012 14:29, Colm O hEigeartaigh <co...@apache.org> wrote:
>>> Hi Bob,
>>>
>>> I've been running into similar issues.
>>>
>>>> - /auth/getentitlements doesn't give me the roles of the connected user
>>> It gives you the list of entitlements associated with the roles of the
>>> connected user. Perhaps this controller should also have a similar
>>> method for returning a list of role names of the connected user as
>>> well?
>> Through the console both are mixed so I confused entitlements with the roles.
>> A "getroles" method for the connected user would indeed be handy.
>> Ideally it could return the child with its parents
>>
>> I could try to have a go at it although I'm not a hard core developer ;)
>
> Hi,
> let me clarify one point: if role A (with entitlement E) has child role
> B, and user U has role B assigned, this DOES NOT IMPLY that user U has
> role A assigned as well.
>
> When defining roles, you can choose whether a role will inherit some
> information (entitlements, for example) from its parent.
>
> This means, referring to example above, that if B is configured to
> inherit entitlements from A, user U will have entitlement E.
>
> Hence, a method like the one above proposed by Colm will not be needed:
> when using the self-read REST method (as indicated by Fabio in another
> e-mail), you will find such information in UserTO.getRoles().
>
> Regards.
>
> --
> Francesco Chicchiriccò
>
> Apache Cocoon PMC and Apache Syncope PPMC Member
> http://people.apache.org/~ilgrosso/
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Users & roles

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 30/03/2012 14:48, Bob Lannoy wrote:
> On 30 March 2012 14:29, Colm O hEigeartaigh <co...@apache.org> wrote:
>> Hi Bob,
>>
>> I've been running into similar issues.
>>
>>> - /auth/getentitlements doesn't give me the roles of the connected user
>> It gives you the list of entitlements associated with the roles of the
>> connected user. Perhaps this controller should also have a similar
>> method for returning a list of role names of the connected user as
>> well?
> Through the console both are mixed so I confused entitlements with the roles.
> A "getroles" method for the connected user would indeed be handy.
> Ideally it could return the child with its parents
>
> I could try to have a go at it although I'm not a hard core developer ;)

Hi,
let me clarify one point: if role A (with entitlement E) has child role
B, and user U has role B assigned, this DOES NOT IMPLY that user U has
role A assigned as well.

When defining roles, you can choose whether a role will inherit some
information (entitlements, for example) from its parent.

This means, referring to example above, that if B is configured to
inherit entitlements from A, user U will have entitlement E.

Hence, a method like the one above proposed by Colm will not be needed:
when using the self-read REST method (as indicated by Fabio in another
e-mail), you will find such information in UserTO.getRoles().

Regards.

-- 
Francesco Chicchiriccò

Apache Cocoon PMC and Apache Syncope PPMC Member
http://people.apache.org/~ilgrosso/


Re: Users & roles

Posted by Bob Lannoy <bo...@gmail.com>.
On 30 March 2012 14:29, Colm O hEigeartaigh <co...@apache.org> wrote:
> Hi Bob,
>
> I've been running into similar issues.
>
>> - /auth/getentitlements doesn't give me the roles of the connected user
>
> It gives you the list of entitlements associated with the roles of the
> connected user. Perhaps this controller should also have a similar
> method for returning a list of role names of the connected user as
> well?

Through the console both are mixed so I confused entitlements with the roles.
A "getroles" method for the connected user would indeed be handy.
Ideally it could return the child with its parents

I could try to have a go at it although I'm not a hard core developer ;)

Bob

Re: Users & roles

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 16/04/2012 16:49, Colm O hEigeartaigh wrote:
> Hi Francesco,
>
>> Actually, I think that this verifyPassword() taking userId as argument
>> is an ancient residual of the times where there was no username: in my
>> opinion the current method can be removed and a new one taking username
>> and password as parameters must be added.
> A quick query on this change - this is similar to the "readByUsername"
> issue, where you must add the ".json" suffix, e.g.
> "user/verifyPassword/{username}.json?password=..." or else any
> username with periods will get truncated. Is this ok do you reckon?

Yep :-)

Cheers.

-- 
Francesco Chicchiriccò

Apache Cocoon PMC and Apache Syncope PPMC Member
http://people.apache.org/~ilgrosso/


Re: Users & roles

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi Francesco,

> Actually, I think that this verifyPassword() taking userId as argument
> is an ancient residual of the times where there was no username: in my
> opinion the current method can be removed and a new one taking username
> and password as parameters must be added.

A quick query on this change - this is similar to the "readByUsername"
issue, where you must add the ".json" suffix, e.g.
"user/verifyPassword/{username}.json?password=..." or else any
username with periods will get truncated. Is this ok do you reckon?

Colm.

2012/3/30 Francesco Chicchiriccò <il...@apache.org>:
> On 30/03/2012 15:25, Fabio Martelli wrote:
>> On 30/03/2012 15:22, Colm O hEigeartaigh wrote:
>>> Hi Fabio,
>>>
>>>> I agree with you.
>>>>
>>>> In this case I'd follow the steps below:
>>>> 1. authenticate the third party application with an administrator (or user with USER_READ capability)
>>>> 2. verify password by calling the method verifyPassword provided by the userController
>>>>
>>>> What do you think about?
>>> Could we add a duplicate verifyPassword method to UserController that
>>> takes the username/password instead of userId/password? The latter
>>> requires the application to find the user Id first and then check the
>>> password, whereas the former only requires one step to accomplish
>>> third-party authentication.
>> Sure! I think we must.
>
> Actually, I think that this verifyPassword() taking userId as argument
> is an ancient residual of the times where there was no username: in my
> opinion the current method can be removed and a new one taking username
> and password as parameters must be added.
>
> Regards.
>
>> On Fri, Mar 30, 2012 at 2:17 PM, Fabio Martelli
>> <fa...@gmail.com> wrote:
>>>> On 30/03/2012 15:09, Colm O hEigeartaigh wrote:
>>>>
>>>>> Hi Fabio,
>>>>>
>>>>>> Further, you have the method verifyPassword provided by UserController that
>>>>>> could be used to verify userid/password.
>>>>>> This method, for security reasons, can be called only by a user with USER_READ
>>>>>> capability.
>>>>> Consider the use-case as mentioned by Bob, where you have a third
>>>>> party application which receives login credentials and wishes to
>>>>> authenticate the user, and retrieve the roles associated with that
>>>>> user for authorization. If the application logs on with the received
>>>>> username/password, then it is assuming that the given user has a
>>>>> USER_READ entitlement. IMO the application would log on with its own
>>>>> credentials, and wish to authenticate the given username/password via
>>>>> some kind of "authenticateUser" method as I mentioned before.
>>>>>
>>>>> Do you see a use-case for this kind of functionality or am I missing something?
>>>> I agree with you.
>>>>
>>>> In this case I'd follow the steps below:
>>>> 1. authenticate the third party application with an administrator (or user with USER_READ capability)
>>>> 2. verify password by calling the method verifyPassword provided by the userController
>>>>
>>>> What do you think about?
>>>>
>>>>>> Actually users have only the roles explicitly assigned.
>>>>> The question is whether it is possible to easily retrieve the
>>>>> hierarchy of roles for a particular user (or the authenticated user)?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Colm.
> --
> Francesco Chicchiriccò
>
> Apache Cocoon PMC and Apache Syncope PPMC Member
> http://people.apache.org/~ilgrosso/
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Users & roles

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 30/03/2012 15:25, Fabio Martelli wrote:
> On 30/03/2012 15:22, Colm O hEigeartaigh wrote:
>> Hi Fabio,
>>
>>> I agree with you.
>>>
>>> In this case I'd follow the steps below:
>>> 1. authenticate the third party application with an administrator (or user with USER_READ capability)
>>> 2. verify password by calling the method verifyPassword provided by the userController
>>>
>>> What do you think about?
>> Could we add a duplicate verifyPassword method to UserController that
>> takes the username/password instead of userId/password? The latter
>> requires the application to find the user Id first and then check the
>> password, whereas the former only requires one step to accomplish
>> third-party authentication.
> Sure! I think we must.

Actually, I think that this verifyPassword() taking userId as argument
is an ancient residual of the times where there was no username: in my
opinion the current method can be removed and a new one taking username
and password as parameters must be added.

Regards.

> On Fri, Mar 30, 2012 at 2:17 PM, Fabio Martelli
> <fa...@gmail.com> wrote:
>>> On 30/03/2012 15:09, Colm O hEigeartaigh wrote:
>>>
>>>> Hi Fabio,
>>>>
>>>>> Further, you have the method verifyPassword provided by UserController that
>>>>> could be used to verify userid/password.
>>>>> This method, for security reasons, can be called only by a user with USER_READ
>>>>> capability.
>>>> Consider the use-case as mentioned by Bob, where you have a third
>>>> party application which receives login credentials and wishes to
>>>> authenticate the user, and retrieve the roles associated with that
>>>> user for authorization. If the application logs on with the received
>>>> username/password, then it is assuming that the given user has a
>>>> USER_READ entitlement. IMO the application would log on with its own
>>>> credentials, and wish to authenticate the given username/password via
>>>> some kind of "authenticateUser" method as I mentioned before.
>>>>
>>>> Do you see a use-case for this kind of functionality or am I missing something?
>>> I agree with you.
>>>
>>> In this case I'd follow the steps below:
>>> 1. authenticate the third party application with an administrator (or user with USER_READ capability)
>>> 2. verify password by calling the method verifyPassword provided by the userController
>>>
>>> What do you think about?
>>>
>>>>> Actually users have only the roles explicitly assigned.
>>>> The question is whether it is possible to easily retrieve the
>>>> hierarchy of roles for a particular user (or the authenticated user)?
>>>>
>>>> Thanks,
>>>>
>>>> Colm.
-- 
Francesco Chicchiriccò

Apache Cocoon PMC and Apache Syncope PPMC Member
http://people.apache.org/~ilgrosso/


Re: Users & roles

Posted by Fabio Martelli <fa...@gmail.com>.
On 30/03/2012 15:22, Colm O hEigeartaigh wrote:

> Hi Fabio,
> 
>> I agree with you.
>> 
>> In this case I'd follow the steps below:
>> 1. authenticate the third party application with an administrator (or user with USER_READ capability)
>> 2. verify password by calling the method verifyPassword provided by the userController
>> 
>> What do you think about?
> 
> Could we add a duplicate verifyPassword method to UserController that
> takes the username/password instead of userId/password? The latter
> requires the application to find the user Id first and then check the
> password, whereas the former only requires one step to accomplish
> third-party authentication.

Sure! I think we must.
Regards,
F.

> 
> Colm.
> 
> On Fri, Mar 30, 2012 at 2:17 PM, Fabio Martelli
> <fa...@gmail.com> wrote:
>> 
>> On 30/03/2012 15:09, Colm O hEigeartaigh wrote:
>> 
>>> Hi Fabio,
>>> 
>>>> Further, you have the method verifyPassword provided by UserController that
>>>> could be used to verify userid/password.
>>>> This method, for security reasons, can be called only by a user with USER_READ
>>>> capability.
>>> 
>>> Consider the use-case as mentioned by Bob, where you have a third
>>> party application which receives login credentials and wishes to
>>> authenticate the user, and retrieve the roles associated with that
>>> user for authorization. If the application logs on with the received
>>> username/password, then it is assuming that the given user has a
>>> USER_READ entitlement. IMO the application would log on with its own
>>> credentials, and wish to authenticate the given username/password via
>>> some kind of "authenticateUser" method as I mentioned before.
>>> 
>>> Do you see a use-case for this kind of functionality or am I missing something?
>> 
>> I agree with you.
>> 
>> In this case I'd follow the steps below:
>> 1. authenticate the third party application with an administrator (or user with USER_READ capability)
>> 2. verify password by calling the method verifyPassword provided by the userController
>> 
>> What do you think about?
>> 
>>>> Actually users have only the roles explicitly assigned.
>>> 
>>> The question is whether it is possible to easily retrieve the
>>> hierarchy of roles for a particular user (or the authenticated user)?
>>> 
>>> Thanks,
>>> 
>>> Colm.
>> 
> 
> 
> 
> -- 
> Colm O hEigeartaigh
> 
> Talend Community Coder
> http://coders.talend.com


Re: Users & roles

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi Fabio,

> I agree with you.
>
> In this case I'd follow the steps below:
> 1. authenticate the third party application with an administrator (or user with USER_READ capability)
> 2. verify password by calling the method verifyPassword provided by the userController
>
> What do you think about?

Could we add a duplicate verifyPassword method to UserController that
takes the username/password instead of userId/password? The latter
requires the application to find the user Id first and then check the
password, whereas the former only requires one step to accomplish
third-party authentication.

Colm.

On Fri, Mar 30, 2012 at 2:17 PM, Fabio Martelli
<fa...@gmail.com> wrote:
>
> On 30/03/2012 15:09, Colm O hEigeartaigh wrote:
>
>> Hi Fabio,
>>
>>> Further, you have the method verifyPassword provided by UserController that
>>> could be used to verify userid/password.
>>> This method, for security reasons, can be called only by a user with USER_READ
>>> capability.
>>
>> Consider the use-case as mentioned by Bob, where you have a third
>> party application which receives login credentials and wishes to
>> authenticate the user, and retrieve the roles associated with that
>> user for authorization. If the application logs on with the received
>> username/password, then it is assuming that the given user has a
>> USER_READ entitlement. IMO the application would log on with its own
>> credentials, and wish to authenticate the given username/password via
>> some kind of "authenticateUser" method as I mentioned before.
>>
>> Do you see a use-case for this kind of functionality or am I missing something?
>
> I agree with you.
>
> In this case I'd follow the steps below:
> 1. authenticate the third party application with an administrator (or user with USER_READ capability)
> 2. verify password by calling the method verifyPassword provided by the userController
>
> What do you think about?
>
>>> Actually users have only the roles explicitly assigned.
>>
>> The question is whether it is possible to easily retrieve the
>> hierarchy of roles for a particular user (or the authenticated user)?
>>
>> Thanks,
>>
>> Colm.
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Users & roles

Posted by Fabio Martelli <fa...@gmail.com>.
On 30/03/2012 15:09, Colm O hEigeartaigh wrote:

> Hi Fabio,
> 
>> Further, you have the method verifyPassword provided by UserController that
>> could be used to verify userid/password.
>> This method, for security reasons, can be called only by a user with USER_READ
>> capability.
> 
> Consider the use-case as mentioned by Bob, where you have a third
> party application which receives login credentials and wishes to
> authenticate the user, and retrieve the roles associated with that
> user for authorization. If the application logs on with the received
> username/password, then it is assuming that the given user has a
> USER_READ entitlement. IMO the application would log on with its own
> credentials, and wish to authenticate the given username/password via
> some kind of "authenticateUser" method as I mentioned before.
> 
> Do you see a use-case for this kind of functionality or am I missing something?

I agree with you.

In this case I'd follow the steps below:
1. authenticate the third party application with an administrator (or user with USER_READ capability)
2. verify password by calling the method verifyPassword provided by the userController

What do you think about?

>> Actually users have only the roles explicitly assigned.
> 
> The question is whether it is possible to easily retrieve the
> hierarchy of roles for a particular user (or the authenticated user)?
> 
> Thanks,
> 
> Colm.


Re: Users & roles

Posted by Bob Lannoy <bo...@gmail.com>.
On Mar 30, 2012 5:17 PM, "Fabio Martelli" <fa...@gmail.com> wrote:

>
> I think your design is correct.
> Syncope roles could be used to simulate a generic organisational
> structure like yours.

Ok good to know I'm on the right track.

> > I could use the syncope entitlements so that the admin role in orgA
> > can only create users in the orgA/users/user role and assign
> > application roles.
>
> This should be possible by default:
> 1. create entitlement called ROLE_<id of the role orgA/users/user>
> 2. add entitlement to the role orgA/users/admin
I assume that first this needs to be fixed:
https://issues.apache.org/jira/browse/SYNCOPE-48

Regards

Bob

Re: Users & roles

Posted by Fabio Martelli <fa...@gmail.com>.
On 30/03/2012 15:51, Bob Lannoy wrote:

> Hi,
> 
> Maybe I should try to explain a bit more on what I'm trying to achieve ;)
> 
> - I have an external application that contains some general roles. and
> possibly custom roles for specific elements
> - several organisations will use that application
> 
> I was thinking that Syncope could manage the users of those
> organisations which means:
> - an admin user from orgA can create users for orgA and assign
> application roles to them
> - an admin user from orgB can create users for orgB and assign
> application roles to them
> The external app would then have to authenticate the user + get the
> application roles
> 
> However there is no notion of organisational structure in Syncope so I
> tried a role hierarchy to model a basic structure.
> orgA (roletype=org)
> -users
>  --user (roletype=user)
>  --admin (roletype=user)
> -applications
>  --app1 (roletype=app)
> OrgB
> ....
> Applications
> --app2 (roletype=app)

I think your design is correct.
Syncope roles could be used to simulate a generic organisational structure like yours.

> I could use the syncope entitlements so that the admin role in orgA
> can only create users in the orgA/users/user role and assign
> application roles.

This should be possible by default:
1. create entitlement called ROLE_<id of the role orgA/users/user>
2. add entitlement to the role orgA/users/admin

> From the application side I would have to get info from Syncope
> stating user X from orgA has applicationrole app1 and app2.
> In my case I would get the role "user" and need to get the parent with
> roletype=org to find the org name.

This should be done programmatically.

Regards,
F.

> But maybe I'm looking at it the wrong way.
> 
> Bob
> On 30 March 2012 15:09, Colm O hEigeartaigh <co...@apache.org> wrote:
>> Hi Fabio,
>> 
>>> Further, you have the method verifyPassword provided by UserController that
>>> could be used to verify userid/password.
>>> This method, for security reasons, can be called only by a user with USER_READ
>>> capability.
>> 
>> Consider the use-case as mentioned by Bob, where you have a third
>> party application which receives login credentials and wishes to
>> authenticate the user, and retrieve the roles associated with that
>> user for authorization. If the application logs on with the received
>> username/password, then it is assuming that the given user has a
>> USER_READ entitlement. IMO the application would log on with its own
>> credentials, and wish to authenticate the given username/password via
>> some kind of "authenticateUser" method as I mentioned before.
>> 
>> Do you see a use-case for this kind of functionality or am I missing something?
>> 
>>> Actually users have only the roles explicitly assigned.
>> 
>> The question is whether it is possible to easily retrieve the
>> hierarchy of roles for a particular user (or the authenticated user)?
>> 
>> Thanks,
>> 
>> Colm.


Re: Users & roles

Posted by Bob Lannoy <bo...@gmail.com>.
Hi,

Maybe I should try to explain a bit more on what I'm trying to achieve ;)

- I have an external application that contains some general roles. and
possibly custom roles for specific elements
- several organisations will use that application

I was thinking that Syncope could manage the users of those
organisations which means:
- an admin user from orgA can create users for orgA and assign
application roles to them
- an admin user from orgB can create users for orgB and assign
application roles to them
The external app would then have to authenticate the user + get the
application roles

However there is no notion of organisational structure in Syncope so I
tried a role hierarchy to model a basic structure.
orgA (roletype=org)
 -users
  --user (roletype=user)
  --admin (roletype=user)
 -applications
  --app1 (roletype=app)
OrgB
....
Applications
--app2 (roletype=app)

I could use the syncope entitlements so that the admin role in orgA
can only create users in the orgA/users/user role and assign
application roles.

From the application side I would have to get info from Syncope
stating user X from orgA has applicationrole app1 and app2.
In my case I would get the role "user" and need to get the parent with
roletype=org to find the org name.

But maybe I'm looking at it the wrong way.

Bob
On 30 March 2012 15:09, Colm O hEigeartaigh <co...@apache.org> wrote:
> Hi Fabio,
>
>> Further, you have the method verifyPassword provided by UserController that
>> could be used to verify userid/password.
>> This method, for security reasons, can be called only by a user with USER_READ
>> capability.
>
> Consider the use-case as mentioned by Bob, where you have a third
> party application which receives login credentials and wishes to
> authenticate the user, and retrieve the roles associated with that
> user for authorization. If the application logs on with the received
> username/password, then it is assuming that the given user has a
> USER_READ entitlement. IMO the application would log on with its own
> credentials, and wish to authenticate the given username/password via
> some kind of "authenticateUser" method as I mentioned before.
>
> Do you see a use-case for this kind of functionality or am I missing something?
>
>> Actually users have only the roles explicitly assigned.
>
> The question is whether it is possible to easily retrieve the
> hierarchy of roles for a particular user (or the authenticated user)?
>
> Thanks,
>
> Colm.
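
Added example, not code from this thread or from Syncope: a small Python
walk over a role tree shaped like the one Bob sketches (orgA/users/user,
orgA/users/admin, orgA/applications/app1, Applications/app2). It makes two
points from the thread concrete: Francesco's, that entitlements are
inherited down the tree (user U in child role B gets parent A's entitlement
E) while membership is not (U is a member of B only); and Fabio's, that
finding the parent tagged roletype=org for a user's role has to be done
programmatically, as does checking a delegated admin through a ROLE_<id>
entitlement. Assumed, not taken from the list: roles arrive as a flat list
of dicts with "id", "name", "parent" (parent id or None), "roletype" and
"entitlements"; memberships are the role ids explicitly assigned; all
entitlement names other than USER_READ and ROLE_<id> are made up; the
sample data is constructed, not a Syncope export.

```python
"""Role hierarchy vs. membership in a Syncope-style role tree (added example)."""
from typing import Any, Dict, Iterable, List, Optional, Set

Role = Dict[str, Any]

# Constructed sample data modelled on the org tree from the thread.
# "roletype" on the users/applications containers is an assumption.
SAMPLE_ROLES: List[Role] = [
    {"id": 1, "name": "orgA", "parent": None, "roletype": "org", "entitlements": {"ORGA_INTRANET"}},
    {"id": 2, "name": "users", "parent": 1, "roletype": "container", "entitlements": set()},
    {"id": 3, "name": "user", "parent": 2, "roletype": "user", "entitlements": set()},
    {"id": 4, "name": "admin", "parent": 2, "roletype": "user", "entitlements": {"USER_READ", "ROLE_3"}},
    {"id": 5, "name": "applications", "parent": 1, "roletype": "container", "entitlements": set()},
    {"id": 6, "name": "app1", "parent": 5, "roletype": "app", "entitlements": {"APP1_ACCESS"}},
    {"id": 7, "name": "Applications", "parent": None, "roletype": "container", "entitlements": set()},
    {"id": 8, "name": "app2", "parent": 7, "roletype": "app", "entitlements": {"APP2_ACCESS"}},
]


def index_roles(roles: Iterable[Role]) -> Dict[int, Role]:
    """id -> role, built once from a role listing."""
    return {int(r["id"]): r for r in roles}


def ancestors(role_id: int, by_id: Dict[int, Role]) -> List[Role]:
    """The role itself, then its parent, and so on up to the root.
    Refuses to loop on a cyclic tree and names a dangling parent id."""
    chain: List[Role] = []
    seen: Set[int] = set()
    cur: Optional[int] = role_id
    while cur is not None:
        if cur in seen:
            raise ValueError(f"cycle in role tree at id {cur}")
        role = by_id.get(cur)
        if role is None:
            raise KeyError(f"role {cur} is referenced but not present")
        seen.add(cur)
        chain.append(role)
        cur = role["parent"]
    return chain


def role_path(role_id: int, by_id: Dict[int, Role]) -> str:
    return "/".join(str(r["name"]) for r in reversed(ancestors(role_id, by_id)))


def effective_entitlements(role_id: int, by_id: Dict[int, Role]) -> Set[str]:
    """Own entitlements plus everything inherited from every ancestor."""
    out: Set[str] = set()
    for r in ancestors(role_id, by_id):
        out |= set(r["entitlements"])
    return out


def org_of(role_id: int, by_id: Dict[int, Role]) -> Optional[str]:
    """Nearest ancestor (or self) tagged roletype=org; None if there is none."""
    for r in ancestors(role_id, by_id):
        if r.get("roletype") == "org":
            return str(r["name"])
    return None


def is_member(memberships: Iterable[int], role_id: int) -> bool:
    """Membership is explicit only: deliberately no ancestor walk here."""
    return role_id in set(memberships)


def user_summary(memberships: Iterable[int], by_id: Dict[int, Role]) -> Dict[str, Any]:
    """What the webapp wants for user X: direct roles, effective
    entitlements, the org(s) those roles sit under, and the app roles."""
    ms = list(memberships)
    ents: Set[str] = set()
    for rid in ms:
        ents |= effective_entitlements(rid, by_id)
    orgs = {o for o in (org_of(rid, by_id) for rid in ms) if o is not None}
    return {
        "roles": sorted(role_path(rid, by_id) for rid in ms),
        "entitlements": ents,
        "orgs": sorted(orgs),
        "apps": sorted(str(by_id[rid]["name"]) for rid in ms if by_id[rid].get("roletype") == "app"),
    }


def can_manage_role(admin_memberships: Iterable[int], target_role_id: int, by_id: Dict[int, Role]) -> bool:
    """Delegated admin in the ROLE_<id> convention: orgA/users/admin may act
    on orgA/users/user (id 3) only if ROLE_3 is among its entitlements."""
    return f"ROLE_{target_role_id}" in user_summary(admin_memberships, by_id)["entitlements"]


if __name__ == "__main__":
    by_id = index_roles(SAMPLE_ROLES)
    print(user_summary([3, 6, 8], by_id))   # user X of orgA holding app1 and app2
    print(is_member([3, 6, 8], 1))          # False: U is in orgA/users/user, not in orgA
    print(can_manage_role([4], 3, by_id))   # True
    print(can_manage_role([4], 6, by_id))   # False: no ROLE_6
```

The walk is deliberately defensive: a role list fetched from a remote API
can contain a parent id that points at a role the caller is not entitled
to read, or (after a bad import) a cycle, and either should fail loudly
rather than hang the login path.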

Re: Users & roles

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi Fabio,

> Further, you have the method verifyPassword provided by UserController that
> could be used to verify userid/password.
> This method, for security reasons, can be called only by a user with USER_READ
> capability.

Consider the use-case as mentioned by Bob, where you have a third
party application which receives login credentials and wishes to
authenticate the user, and retrieve the roles associated with that
user for authorization. If the application logs on with the received
username/password, then it is assuming that the given user has a
USER_READ entitlement. IMO the application would log on with its own
credentials, and wish to authenticate the given username/password via
some kind of "authenticateUser" method as I mentioned before.

Do you see a use-case for this kind of functionality or am I missing something?

> Actually users have only the roles explicitly assigned.

The question is whether it is possible to easily retrieve the
hierarchy of roles for a particular user (or the authenticated user)?

Thanks,

Colm.

Re: Users & roles

Posted by Fabio Martelli <fa...@gmail.com>.
On 30/03/2012 14:29, Colm O hEigeartaigh wrote:

> Hi Bob,
> 
> I've been running into similar issues.
> 
>> - /auth/getentitlements doesn't give me the roles of the connected user
> 
> It gives you the list of entitlements associated with the roles of the
> connected user. Perhaps this controller should also have a similar
> method for returning a list of role names of the connected user as
> well?

Probably you can get the required information by using UserRequestController (see below).

> A question I have is whether the list of entitlements is only for the
> child roles or all of the entitlements associated with the role
> hierarchy?

https://issues.apache.org/jira/browse/SYNCOPE-48

> 
>> - /user/read?username=user : gives me the user but only if I
>> authenticated with a user that has the possibility to read other users
>> as well. This means I should have some kind of administration
>> connection to core instead of a user specific connection?
> 
> Yes I think so. Your Tomcat user account should have the ability to
> read users/roles etc., and you authenticate as this user. I think
> there should possibly be an "authenticateUser" method or something
> similar that takes in a username/password and returns true or false
> depending on if there is a matching user in Syncope.

You can read data about authenticated user by calling
.../syncope/rest/user/request/read/self.xml
This method is provided by the UserRequestController.

Further, you have the method verifyPassword provided by UserController that could be used to verify userid/password.
This method, for security reasons, can be called only by a user with USER_READ capability.

>> - if there are hierarchical roles, I only get the child role. I
>> suppose I have to walk the tree myself to retrieve the other roles?
>> i.e. based on response to role/list request?
> 
> IMO there should be an easy way to get all roles of the user rather
> than having to walk the tree.

Actually users have only the roles explicitly assigned.

Regards,
F.

> 
> Colm.
> 
> On Fri, Mar 30, 2012 at 12:42 PM, Bob Lannoy <bo...@gmail.com> wrote:
>> Hi,
>> 
>> suppose I have users & hierarchical roles in Syncope and an external
>> system (tomcat webapp) that needs to authenticate those users and get
>> the roles.
>> Can you give me an indication on how I would go about this?
>> 
>> I did some preliminary tests:
>> - I can do an authentication to core using basic auth, but I saw that
>> the user object also contains the hashed password of the user
>> - /auth/getentitlements doesn't give me the roles of the connected user
>> - /user/read?username=user : gives me the user but only if I
>> authenticated with a user that has the possibility to read other users
>> as well. This means I should have some kind of administration
>> connection to core instead of a user specific connection?
>> - if there are hierarchical roles, I only get the child role. I
>> suppose I have to walk the tree myself to retrieve the other roles?
>> i.e. based on response to role/list request?
>> regards
>> 
>> Bob
> 
> 
> 
> -- 
> Colm O hEigeartaigh
> 
> Talend Community Coder
> http://coders.talend.com
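
Added example, not Syncope's client code and not something anyone posted
to this thread: the login flow the discussion converges on, in Python. The
Tomcat webapp authenticates to core with its own service account (one
holding USER_READ, as Fabio describes), asks core to verify the end user's
password through user/verifyPassword/{username}.json?password=..., and only
then reads the user to get its memberships. It also shows why the ".json"
suffix Colm asks about matters, by emulating the path-variable truncation
on a username with periods, and it drops the password hash Bob noticed in
the user object before the record goes anywhere. Assumed rather than taken
from the list: verifyPassword answers with a JSON boolean body; the read
answers with a JSON object carrying "username", "password" and
"memberships" entries with "roleId"/"roleName"; the HTTP transport is
injected, so the block runs offline against a constructed fake core. One
general caveat, not discussed on the list: this URL shape puts the password
in the query string, so access logs and proxies between the webapp and core
will record it unless configured not to.

```python
"""Third-party auth against a Syncope-style core (added example, offline)."""
import base64
import hashlib
import hmac
import json
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit

# (method, url, headers) -> (status, body); injected so no network is needed
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, str]]


def spring_suffix_truncation(segment: str) -> str:
    """Emulates the truncation the thread describes: a trailing '.ext' is read
    as a format extension, so a {username} path variable keeps only the text
    before the last dot. 'john.doe' -> 'john', 'john.doe.json' -> 'john.doe'."""
    return segment.rsplit(".", 1)[0] if "." in segment else segment


def verify_password_url(base: str, username: str, password: str) -> str:
    """Percent-encode the username (safe='') so '/', '?' or '#' in it cannot
    rewrite the route, and add '.json' so periods in it survive."""
    return (f"{base.rstrip('/')}/user/verifyPassword/{quote(username, safe='')}.json?"
            + urlencode({"password": password}))


def read_user_url(base: str, username: str) -> str:
    return f"{base.rstrip('/')}/user/read?" + urlencode({"username": username})


def basic_auth_header(user: str, password: str) -> Dict[str, str]:
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": "Basic " + token}


def strip_secrets(user: Dict[str, object]) -> Dict[str, object]:
    """The user object carries the password hash; drop it before the record
    reaches session state, caches or logs. Field name is an assumption."""
    return {k: v for k, v in user.items() if k != "password"}


class SyncopeAuth:
    def __init__(self, base: str, svc_user: str, svc_password: str, transport: Transport) -> None:
        self.base, self.send = base, transport
        self.headers = basic_auth_header(svc_user, svc_password)  # the app's own credentials

    def verify_password(self, username: str, password: str) -> bool:
        status, body = self.send("GET", verify_password_url(self.base, username, password), self.headers)
        if status in (401, 403):
            raise PermissionError("service account rejected (bad credentials or no USER_READ)")
        return status == 200 and json.loads(body) is True  # assumption: JSON boolean body

    def read_user(self, username: str) -> Optional[Dict[str, object]]:
        status, body = self.send("GET", read_user_url(self.base, username), self.headers)
        return strip_secrets(json.loads(body)) if status == 200 else None

    def login(self, username: str, password: str) -> Optional[List[str]]:
        """Directly assigned role names on success, None on any failure.
        Verify first, read second: nothing is fetched for an unproven caller."""
        if not username or not password or not self.verify_password(username, password):
            return None
        user = self.read_user(username)
        if user is None:
            return None
        return sorted(str(m["roleName"]) for m in user.get("memberships", []))  # type: ignore[union-attr]


# ---- constructed fake core so the example runs offline ---------------------
def _h(p: str) -> str:
    return hashlib.sha256(p.encode("utf-8")).hexdigest()  # demo hash only

SERVICE_ACCOUNT = ("tomcat-app", "s3rv1ce-p4ss")
FAKE_USERS = {  # "john.doe" has a period on purpose, to exercise the suffix issue
    "john.doe": {"hash": _h("correct horse"),
                 "memberships": [{"roleId": 3, "roleName": "user"}, {"roleId": 6, "roleName": "app1"}]},
    "alice": {"hash": _h("wonderland"), "memberships": [{"roleId": 4, "roleName": "admin"}]},
}


def fake_core(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    if headers.get("Authorization") != basic_auth_header(*SERVICE_ACCOUNT)["Authorization"]:
        return 401, ""
    u = urlsplit(url)
    q = parse_qs(u.query)
    if method == "GET" and u.path.startswith("/syncope/rest/user/verifyPassword/"):
        username = spring_suffix_truncation(unquote(u.path.rsplit("/", 1)[1]))
        rec = FAKE_USERS.get(username)
        ok = rec is not None and hmac.compare_digest(str(rec["hash"]), _h(q.get("password", [""])[0]))
        return 200, json.dumps(ok)
    if method == "GET" and u.path == "/syncope/rest/user/read":
        name = q.get("username", [""])[0]
        rec = FAKE_USERS.get(name)
        if rec is None:
            return 404, ""
        return 200, json.dumps({"username": name, "password": rec["hash"], "memberships": rec["memberships"]})
    return 404, ""


if __name__ == "__main__":
    auth = SyncopeAuth("https://idm.example/syncope/rest", *SERVICE_ACCOUNT, fake_core)
    print(auth.login("john.doe", "correct horse"))  # ['app1', 'user']
    print(auth.login("john.doe", "wrong"))          # None
    print(spring_suffix_truncation("john.doe"))     # 'john': the lookup you get without .json
```

The fake core rejects any request that is not signed with the service
account before it looks at the path, which is the behaviour the real core
shows when the caller lacks USER_READ; the client turns that into a
PermissionError rather than a failed login, so a misconfigured service
account is not mistaken for a wrong end-user password.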


Re: Users & roles

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi Bob,

I've been running into similar issues.

> - /auth/getentitlements doesn't give me the roles of the connected user

It gives you the list of entitlements associated with the roles of the
connected user. Perhaps this controller should also have a similar
method for returning a list of role names of the connected user as
well?

A question I have is whether the list of entitlements is only for the
child roles or all of the entitlements associated with the role
hierarchy?

> - /user/read?username=user : gives me the user but only if I
> authenticated with a user that has the possibility to read other users
> as well. This means I should have some kind of administration
> connection to core instead of a user specific connection?

Yes I think so. Your Tomcat user account should have the ability to
read users/roles etc., and you authenticate as this user. I think
there should possibly be an "authenticateUser" method or something
similar that takes in a username/password and returns true or false
depending on if there is a matching user in Syncope.

> - if there are hierarchical roles, I only get the child role. I
> suppose I have to walk the tree myself to retrieve the other roles?
> i.e. based on response to role/list request?

IMO there should be an easy way to get all roles of the user rather
than having to walk the tree.

Colm.

On Fri, Mar 30, 2012 at 12:42 PM, Bob Lannoy <bo...@gmail.com> wrote:
> Hi,
>
> suppose I have users & hierarchical roles in Syncope and an external
> system (tomcat webapp) that needs to authenticate those users and get
> the roles.
> Can you give me an indication on how I would go about this?
>
> I did some preliminary tests:
> - I can do an authentication to core using basic auth, but I saw that
> the user object also contains the hashed password of the user
> - /auth/getentitlements doesn't give me the roles of the connected user
> - /user/read?username=user : gives me the user but only if I
> authenticated with a user that has the possibility to read other users
> as well. This means I should have some kind of administration
> connection to core instead of a user specific connection?
> - if there are hierarchical roles, I only get the child role. I
> suppose I have to walk the tree myself to retrieve the other roles?
> i.e. based on response to role/list request?
> regards
>
> Bob



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com