Posted to commits@directory.apache.org by sm...@apache.org on 2022/04/10 15:27:02 UTC

[directory-fortress-commander] branch wicket9 updated: refine arbac desc

This is an automated email from the ASF dual-hosted git repository.

smckinney pushed a commit to branch wicket9
in repository https://gitbox.apache.org/repos/asf/directory-fortress-commander.git


The following commit(s) were added to refs/heads/wicket9 by this push:
     new 269a0b1  refine arbac desc
269a0b1 is described below

commit 269a0b12ee5b91a5faa99944c3d2d43698b72b7d
Author: Shawn McKinney <sm...@symas.com>
AuthorDate: Sun Apr 10 10:26:57 2022 -0500

    refine arbac desc
---
 README-SECURITY-MODEL.md | 30 ++++++++++++++++--------------
 1 file changed, 16 insertions(+), 14 deletions(-)

diff --git a/README-SECURITY-MODEL.md b/README-SECURITY-MODEL.md
index 4c11da0..812a485 100644
--- a/README-SECURITY-MODEL.md
+++ b/README-SECURITY-MODEL.md
@@ -133,11 +133,12 @@
 
 ## 5. Apache Wicket Buttons
 
-- The app pages have buttons that are protected by Apache Fortress Administrative permissions.  
-- When a user logs in, their activated Admin roles and permissions are cached into their HTTP session.
-- Whenever a page is loaded, the app verifies the User has a corresponding Admin permission, otherwise, the button is not loaded.
-- The following table shows the mappings between Admin permissions, Admin Roles and the corresponding Web Pages.
-- The security policy is defined here: [FortressWebDemoUsers](src/main/resources/FortressWebDemoUsers.xml)
+The app pages have buttons that are protected by Apache Fortress Administrative permissions. When a user logs in, their activated Admin roles and permissions get cached into their HTTP session.
+When a page loads, this Web app verifies the Users have the corresponding Admin permission for its buttons, otherwise, they're not loaded.
+
+### Table of Apache Fortress Web Permissions
+
+The following table shows the mappings between Admin permissions, Admin Roles and the corresponding Web Pages.
 
 | Administrative Permission Name (object name:operation name)               | Pages           | fortress-core-super-admin | fortress-web-user-admin | fortress-web-audit-admin |
 |---------------------------------------------------------------------------|-----------------|---------------------------|-------------------------|--------------------------|
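Review bot: The rewritten sentence on the `+When a page loads` line mixes singular and plural ("the Users have ... for its buttons") and leaves "they're not loaded" ambiguous between users and buttons; suggest "When a page loads, the app verifies the user holds the corresponding Admin permission for each button; otherwise that button is not rendered." It is also worth keeping a short reminder (present in the deleted bullet list only implicitly) that hiding a button is a presentation-layer control and the Admin permission is what actually gates the function, since section 6 later states the Core API ARBAC checks are off by default.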
@@ -199,9 +200,11 @@
 | org.apache.directory.fortress.core.impl.AuditMgrImpl:searchBinds          | BINDS           | true                      | false                   | true                     |
 | org.apache.directory.fortress.core.impl.AuditMgrImpl:getUserAuthZs        | AUTHZ           | true                      | false                   | true                     |
 
+- The above security policy is defined here: [FortressWebDemoUsers](src/main/resources/FortressWebDemoUsers.xml) and gets loaded into the database when the script is run.
+
 ### More on Apache Fortress Administrative Permissions
 
-Apache Fortress has two types of roles and permissions, RBAC and ARBAC. They are stored in separate trees in the directory:
+Apache Fortress supports two types of security semantics, RBAC and ARBAC. Their respective policies are stored inside separate trees in the directory:
 
 ```
 dc=example,dc=com
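Review bot: The new bullet `+- The above security policy is defined here: ...` says the policy "gets loaded into the database when the script is run", but "the script" is never named or linked in this hunk and the surrounding text refers to an LDAP directory (the `dc=example,dc=com` tree below), not a database. Suggest naming the load script (or linking to where it is documented) and using "directory" for consistency; a single-item bullet under the table also reads better as a plain sentence.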
@@ -215,16 +218,15 @@ dc=example,dc=com
  └─ou=groups
  ...
 ```
-- The RBAC roles and permissions are checked by typical applications.
-- The ARBAC roles and permissions are checked by apps when loading sensitive security policy, e.g. Apache Fortress Web
-- The idea, one set controls the normal users policy (RBAC), the other, for administrative, think privileged users (ARBAC).
+- The RBAC roles and permissions are checked by typical applications and what we normally think of with Role-Based Access Control.
+- The ARBAC roles and permissions are checked by administrative apps when loading security policies, e.g. Apache Fortress Web.
 
 ## 6. Additional Administrative Role-Based Access Control (ARBAC) Checks
 
-In addition to the admin perm checks, as described above, the Apache Fortress Web optionally perform more rigorous checks in its API calls.
-These occur when Core APIs are invoked in a certain way -- when passing in an ARBAC session object.
+The Apache Fortress Web optionally enforces more rigorous checks down in the Apache Fortress Core APIs.
+Occur when Core APIs are invoked in a certain way -- passing in an ARBAC session object.
 
-e.g.
+e.g. enabling ARBAC in the Apache Fortress Core Admin Manager:
 
 ```java
 if (IS_ARBAC02){
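Review bot: Two wording problems in this hunk. The first replacement bullet reads "are checked by typical applications and what we normally think of with Role-Based Access Control", which needs a verb: "and are what we normally think of as Role-Based Access Control." Further down, `+Occur when Core APIs are invoked in a certain way` is a sentence fragment; suggest "These checks occur only when the Core APIs are invoked with an ARBAC session object." Dropping the old "In addition to the admin perm checks, as described above" clause also loses the statement that these ARBAC checks layer on top of the section 5 permission checks rather than replacing them, which is worth restoring, as is the deleted bullet's point that ARBAC is intended for administrative (privileged) users.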
@@ -232,8 +234,8 @@ if (IS_ARBAC02){
 }
 ```
 
-- For more on how ARBAC checks work: [Apache Fortress Rest Security Model](https://github.com/apache/directory-fortress-enmasse/blob/master/README-SECURITY-MODEL.md)
-- By default, the ARBAC checking is disabled in the Apache Fortress Web runtime.
+- For more on ARBAC checking: [Apache Fortress Rest Security Model](https://github.com/apache/directory-fortress-enmasse/blob/master/README-SECURITY-MODEL.md)
+- By default, ARBAC is disabled in the Apache Fortress Web runtime.
 - To enable, add the following to fortress.properties:
 
  ```
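Review bot: The `+- By default, ARBAC is disabled in the Apache Fortress Web runtime.` line should spell out the consequence for readers deciding whether to enable it: with ARBAC off, Core API calls made by the web app are not subject to the session-based checks described in this section and rely only on the Admin permission checks from section 5. The "To enable" bullet then opens a code fence indented by one space inside a list item; some Markdown renderers treat that as an indented block rather than a fenced one, so aligning the fence with the list text or outdenting it avoids inconsistent rendering.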