| <!DOCTYPE html> |
| <!-- |
| | Generated by Apache Maven Doxia |
| | Rendered using Apache Maven Fluido Skin 1.3.1 |
| --> |
| <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> |
| <head> |
| <meta charset="UTF-8" /> |
| <meta name="viewport" content="width=device-width, initial-scale=1.0" /> |
| <meta name="Date-Revision-yyyymmdd" content="20170517" /> |
| <meta http-equiv="Content-Language" content="en" /> |
| <title>Apache Redback – Redback Role Management</title> |
| <link rel="stylesheet" href="../css/apache-maven-fluido-1.3.1.min.css" /> |
| <link rel="stylesheet" href="../css/site.css" /> |
| <link rel="stylesheet" href="../css/print.css" media="print" /> |
| |
| |
| <script type="text/javascript" src="../js/apache-maven-fluido-1.3.1.min.js"></script> |
| |
| |
| <!-- Google Analytics --> |
| <script type="text/javascript"> |
| |
| var _gaq = _gaq || []; |
| _gaq.push(['_setAccount', 'UA-140879-5']); |
| _gaq.push(['_trackPageview']); |
| |
| (function() { |
| var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true; |
| ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js'; |
| var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s); |
| })(); |
| |
| </script> |
| </head> |
| <body class="topBarEnabled"> |
| |
| |
| |
| |
| |
| <div id="topbar" class="navbar navbar-fixed-top "> |
| <div class="navbar-inner"> |
| <div class="container"><div class="nav-collapse"> |
| |
| |
| <ul class="nav"> |
| <li class="dropdown"> |
| <a href="#" class="dropdown-toggle" data-toggle="dropdown">Overview <b class="caret"></b></a> |
| <ul class="dropdown-menu"> |
| |
| <li> <a href="../index.html" title="Introduction">Introduction</a> |
| </li> |
| |
| <li> <a href="../authentication.html" title="Authentication">Authentication</a> |
| </li> |
| |
| <li> <a href="../authorization.html" title="Authorization">Authorization</a> |
| </li> |
| |
| <li> <a href="../user-management.html" title="User Management">User Management</a> |
| </li> |
| |
| <li> <a href="../key-store.html" title="Key Stores">Key Stores</a> |
| </li> |
| |
| <li> <a href="../configuration.html" title="Configuration">Configuration</a> |
| </li> |
| |
| <li class="dropdown-submenu"> |
| <a href="../rbac/introduction.html" title="Role Based Access Control">Role Based Access Control</a> |
| <ul class="dropdown-menu"> |
| <li> <a href="../rbac/role-management.html" title="Role Management">Role Management</a> |
| </li> |
| </ul> |
| </li> |
| |
| <li> <a href="../integration/ldap.html" title="Ldap">Ldap</a> |
| </li> |
| |
| <li> <a href="../integration/rest.html" title="Rest">Rest</a> |
| </li> |
| </ul> |
| </li> |
| <li class="dropdown"> |
| <a href="#" class="dropdown-toggle" data-toggle="dropdown">Development <b class="caret"></b></a> |
| <ul class="dropdown-menu"> |
| |
| <li> <a href="../development/extending-authn.html" title="Extending Redback Authentication">Extending Redback Authentication</a> |
| </li> |
| |
| <li> <a href="../../redback/components" title="Redback Components">Redback Components</a> |
| </li> |
| |
| <li> <a href="../../redback/core" title="Redback Core">Redback Core</a> |
| </li> |
| </ul> |
| </li> |
| <li class="dropdown"> |
| <a href="#" class="dropdown-toggle" data-toggle="dropdown">ASF <b class="caret"></b></a> |
| <ul class="dropdown-menu"> |
| |
| <li> <a href="http://www.apache.org/foundation/how-it-works.html" title="How Apache Works">How Apache Works</a> |
| </li> |
| |
| <li> <a href="http://www.apache.org/foundation/" title="Foundation">Foundation</a> |
| </li> |
| |
| <li> <a href="http://www.apache.org/foundation/sponsorship.html" title="Sponsoring Apache">Sponsoring Apache</a> |
| </li> |
| |
| <li> <a href="http://www.apache.org/foundation/thanks.html" title="Thanks">Thanks</a> |
| </li> |
| </ul> |
| </li> |
| <li class="dropdown"> |
| <a href="#" class="dropdown-toggle" data-toggle="dropdown">Project Documentation <b class="caret"></b></a> |
| <ul class="dropdown-menu"> |
| |
| <li class="dropdown-submenu"> |
| <a href="../project-info.html" title="Project Information">Project Information</a> |
| <ul class="dropdown-menu"> |
| <li> <a href="../integration.html" title="Continuous Integration">Continuous Integration</a> |
| </li> |
| <li> <a href="../issue-tracking.html" title="Issue Tracking">Issue Tracking</a> |
| </li> |
| <li> <a href="../mail-lists.html" title="Mailing Lists">Mailing Lists</a> |
| </li> |
| <li> <a href="../license.html" title="Project License">Project License</a> |
| </li> |
| <li> <a href="../team-list.html" title="Project Team">Project Team</a> |
| </li> |
| <li> <a href="../source-repository.html" title="Source Repository">Source Repository</a> |
| </li> |
| </ul> |
| </li> |
| </ul> |
| </li> |
| </ul> |
| |
| <form id="search-form" action="http://www.google.com/search" method="get" class="navbar-search pull-right" > |
| |
| <input value="http://archiva.apache.org/redback" name="sitesearch" type="hidden"/> |
| <input class="search-query" name="q" id="query" type="text" /> |
| </form> |
| <script type="text/javascript" src="http://www.google.com/coop/cse/brand?form=search-form"></script> |
| |
| |
| |
| |
| <ul class="nav pull-right"><li> |
| |
| <a href="https://twitter.com/archiva" class="twitter-follow-button" data-show-count="false" data-align="right" data-size="large" data-show-screen-name="true" data-lang="en">Follow archiva</a> |
| <script type="text/javascript">!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0];if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src="//platform.twitter.com/widgets.js";fjs.parentNode.insertBefore(js,fjs);}}(document,"script","twitter-wjs");</script> |
| |
| </li></ul> |
| |
| |
| </div> |
| |
| </div> |
| </div> |
| </div> |
| |
| <div class="container"> |
| <div id="banner"> |
| <div class="pull-left"> |
| <a href="../../redback" id="bannerLeft"> |
| <img src="../images/redback.jpg" alt="Redback"/> |
| </a> |
| </div> |
| <div class="pull-right"> <a href="http://www.apache.org/" id="bannerRight"> |
| <img src="https://www.apache.org/images/asf_logo_wide_2016.png" alt="Apache Software Foundation"/> |
| </a> |
| </div> |
| <div class="clear"><hr/></div> |
| </div> |
| |
| <div id="breadcrumbs"> |
| <ul class="breadcrumb"> |
| |
| |
| <li id="publishDate">Last Published: 2017-05-17 |
| <span class="divider">|</span> |
| </li> |
| <li class=""> |
| <a href="http://www.apache.org/" class="externalLink" title="Apache"> |
| Apache</a> |
| <span class="divider">/</span> |
| </li> |
| <li class=""> |
| <a href="../" title="Apache Redback"> |
| Apache Redback</a> |
| <span class="divider">/</span> |
| </li> |
| <li class="active ">Redback Role Management</li> |
| |
| |
| |
| |
| </ul> |
| </div> |
| |
| |
| |
| <div id="bodyColumn" > |
| |
| <!-- Licensed to the Apache Software Foundation (ASF) under one --><!-- or more contributor license agreements. See the NOTICE file --><!-- distributed with this work for additional information --><!-- regarding copyright ownership. The ASF licenses this file --><!-- to you under the Apache License, Version 2.0 (the --><!-- "License"); you may not use this file except in compliance --><!-- with the License. You may obtain a copy of the License at --><!-- --><!-- http://www.apache.org/licenses/LICENSE-2.0 --><!-- --><!-- Unless required by applicable law or agreed to in writing, --><!-- software distributed under the License is distributed on an --><!-- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY --><!-- KIND, either express or implied. See the License for the --><!-- specific language governing permissions and limitations --><!-- under the License. --><!-- NOTE: For help with the syntax of this file, see: --><!-- http://maven.apache.org/guides/mini/guide-apt-format.html --><div class="section"> |
| <h2><a name="Role_Management"></a>Role Management</h2> |
| <p>Managing roles in an application with Redback is governed through an implementation of the Role Manager, an interface defined in the redback-rbac-role-manager artifact that encapsulates most of the most comment role related activities. User assignment of roles, creating and removing of roles based on templates (more on this later), and simple role existence activities. </p> |
| <div class="section"> |
| <h3><a name="Role_Specification"></a>Role Specification</h3> |
| <p>Roles are loaded by the Default implementation of the role manager from a series of resources that are discovered in your classpath. The root of these files is searched for as:</p> |
| <div class="source"> |
| <pre> |
| META-INF/redback/redback-core.xml |
| </pre></div> |
| <p>This allows to you establish a basic set of resources, operations, roles and role templates that all other referencing applications can extend from. Other files that are loaded are located as:</p> |
| <div class="source"> |
| <pre> |
| META-INF/redback/redback.xml |
| </pre></div> |
| <p>Each of these files follows the same model, the one specified by <i>point to xsd generated by modello</i>.</p> |
| <div class="section"> |
| <h4><a name="Basic_Format"></a>Basic Format</h4> |
| <div class="source"> |
| <pre> |
| <redback-role-model> |
| <resources> |
| <resource> |
| <id>cornflakes</id> |
| <name>cornflakes</name> |
| <permanent>true</permanent> |
| <description>my breakfast cereal</description> |
| </resource> |
| </resources> |
| <operations> |
| <operation> |
| <id>eat</id> |
| <name>Eat</name> |
| <description>eat something</description> |
| </operation> |
| </operations> |
| <roles> |
| <role> |
| <id>can-eat-cornflakes</id> |
| <name>Role for happy cornflake eaters</name> |
| <permissions> |
| <permission> |
| <id>eat-cornflakes-permission</id> |
| <operation>eat</operation> |
| <resource>cornflakes</resource> |
| </permission> |
| </permissions> |
| </role> |
| </roles> |
| <templates> |
| <template> |
| <id>eater-template</id> |
| <namePrefix>Eater of</namePrefix> |
| <permissions> |
| <permission> |
| <id>eat-cornflakes-permission</id> |
| <operation>eat</operation> |
| <resource>${resource}</resource> |
| </permission> |
| </permissions> |
| </template> |
| </templates> |
| </redback-role-model> |
| </pre></div></div> |
| <div class="section"> |
| <h4><a name="Resources"></a>Resources</h4> |
| <p>Resources are the entities in role based access control that roles provide access to through the binding of the resource with an operation in the form of a permission. In the example above, 'cornflakes' are the resource that are in play.</p></div> |
| <div class="section"> |
| <h4><a name="Operations"></a>Operations</h4> |
| <p>Operations are conceptually actions that can be performed, somewhat akin to verbs in the english language. 'Eat' in the example above is and action that can be performed on any given resource.</p></div> |
| <div class="section"> |
| <h4><a name="Roles"></a>Roles</h4> |
| <p>Roles are assignable entities that grant permissions to their assignies. In this example, a user that has the can-eat-cornflakes role assigned can...eat cornflakes.</p></div> |
| <div class="section"> |
| <h4><a name="Permissions"></a>Permissions</h4> |
| <p>Permissions are the component of a role and role template that bind an operation and a resource together into a form that is useful for authorization. In this simple example we have the 'eat' operation being paired with the 'cornflake' resource which effectively allows assignees to eat thier cornflakes.</p></div> |
| <div class="section"> |
| <h4><a name="Templates"></a>Templates</h4> |
| <p>Templates address the fundamental issue in role based access control systems regarding resources that may not exist at the time of role specification. For example it would be virtually impossible to specific all manner of possible foods you might encounter in life at application creation. The 'eater-template' above addresses this. If you are exposed to 'tirimisu', that would be created as a resource at runtime and then the eater-template would be run with the tirimisu as its target resource (note the ${resource})</p></div></div> |
| <div class="section"> |
| <h3><a name="Role_Inheritance"></a>Role Inheritance</h3> |
| <p>Roles and Role templates would be woefully boring and tedious to work with if there was not some concept of inheritence. Inhertiance is also added through the model above.</p> |
| <div class="source"> |
| <pre> |
| META-INF/redback/redback-core.xml |
| |
| <redback-role-model> |
| <resources> |
| <resource> |
| <id>cornflakes</id> |
| <name>cornflakes</name> |
| <permanent>true</permanent> |
| <description>my breakfast cereal</description> |
| </resource> |
| <resource> |
| <id>milk</id> |
| <name>milk</name> |
| <permanent>true</permanent> |
| <description>white stuff from cows</description> |
| </resource> |
| </resources> |
| <operations> |
| <operation> |
| <id>eat</id> |
| <name>Eat</name> |
| <description>eat something</description> |
| </operation> |
| <operation> |
| <id>drink</id> |
| <name>Drink</name> |
| <description>drink something</description> |
| </operation> |
| </operations> |
| <roles> |
| <role> |
| <id>can-eat-cornflakes</id> |
| <name>Role for happy cornflake eaters</name> |
| <permissions> |
| <permission> |
| <id>eat-cornflakes-permission</id> |
| <operation>eat</operation> |
| <resource>cornflakes</resource> |
| </permission> |
| </permissions> |
| </role> |
| <role> |
| <id>can-drink-milk</id> |
| <name>Role for milk drinkers</name> |
| <permissions> |
| <permission> |
| <id>drink-milk-permission</id> |
| <operation>drink</operation> |
| <resource>milk</resource> |
| </permission> |
| </permissions> |
| </role> |
| <role> |
| <id>bowl-drinker</id> |
| <name>Bowl Drinker</name> |
| <chlldRoles> |
| <childRole>can-eat-cornflakes</childRole> |
| <childRole>can-drink-milk</childRole> |
| </childRoles> |
| </role> |
| </roles> |
| <templates> |
| <template> |
| <id>eater-template</id> |
| <namePrefix>Eater of</namePrefix> |
| <permissions> |
| <permission> |
| <id>eat-cornflakes-permission</id> |
| <operation>eat</operation> |
| <resource>${resource}</resource> |
| </permission> |
| </permissions> |
| <childRoles> |
| <childRole>can-drink-milk</childRole> |
| </childRoles> |
| </template> |
| </templates> |
| </redback-role-model> |
| </pre></div> |
| <p>With this example we have added another resource and operation, which can be combined to allow a user to drink milk. We also added a new role called 'bowl-drinker' which has no additional permissions but illustrates the childRole concept, that someone with this role effectively has the two child roles, which when combined would all someone to eat their cornflakes in the morning, and then drink the milk.</p> |
| <p>Also added to this example is the can-drink-milk role to the eater-template, which would allow the user to automatically drink milk during any meal that might be created during runtime.</p> |
| <div class="section"> |
| <h4><a name="Parent_Roles"></a>Parent Roles</h4> |
| <p>Since roles can be loaded up from different redback.xml files, it is possible to reference roles in the redback-core.xml file and have them add a child relationship to your role, and example of this is in play with continuum and archiva both. Each of these applications define an extension of the System Administrator role that is created in the redback-xwork-integration artifact (where is the redback-core.xml is). These extensions would simply add:</p> |
| <div class="source"> |
| <pre> |
| <role> |
| .... |
| <parentRoles> |
| <parentRole>system-administrator</parentRole> |
| </parentRoles> |
| </role> |
| </pre></div> |
| <p>Then at role creation the role manager would know to have the System Administrator role create a child role relationship with the corresponding child role.</p></div> |
| <div class="section"> |
| <h4><a name="Child_and_Parent_Templates"></a>Child and Parent Templates</h4> |
| <p>Templates can also have child and parent relationships that are all established during runtime. </p> |
| <p>NOTE: Roles can not declare childTemplate or parentTemplate relationships since roles are created at startup time. One way around this restriction is to add an aggregator role.</p></div> |
| <div class="section"> |
| <h4><a name="Aggregator_Roles"></a>Aggregator Roles</h4> |
| <p>One very useful role pattern to keep track off is an aggregator role. In this case you would have the following example:</p> |
| <div class="source"> |
| <pre> |
| META-INF/redback/redback-core.xml |
| |
| <redback-role-model> |
| ... |
| <roles> |
| ... |
| <role> |
| <id>eater-aggreator</id> |
| <name>Eat Lots Role</name> |
| </role> |
| </roles> |
| <templates> |
| <template> |
| <id>eater-template</id> |
| <namePrefix>Eater of</namePrefix> |
| <permissions> |
| <permission> |
| <id>eat-cornflakes-permission</id> |
| <operation>eat</operation> |
| <resource>${resource}</resource> |
| </permission> |
| </permissions> |
| <parentRole> |
| <parentRole>eater-aggregator</parentRole> |
| </parentRole> |
| </template> |
| </templates> |
| </redback-role-model> |
| </pre></div> |
| <p>In this example you can see that there is a role that is created at startup time called the eater-aggregator. Initially this role has nothing in it, no permissions, no child roles, nothing, its is totally empty. You can assign this role to someone and they get no added permissions. However, as new roles are created using the eater-template, anyone that has that eater-aggregator role assigned will automatically pick up permissions for each of these new roles. </p></div></div></div> |
| </div> |
| </div> |
| |
| <hr/> |
| |
| <footer> |
| <div class="container"> |
| <div class="row"> |
| <p >Copyright © 2006–2017 |
| <a href="http://www.apache.org/">The Apache Software Foundation</a>. |
| All rights reserved. |
| |
| </p> |
| </div> |
| |
| |
| <div class="row span12">Apache Redback, Redback, Apache, the Apache feather logo, and the Apache Archiva project logos are trademarks of The Apache Software Foundation.</div> |
| |
| <div class="row span12"> |
| <a href="http://archiva.apache.org/redback-site/privacy-policy.html">Privacy Policy</a> |
| </div> |
| |
| <p id="poweredBy" class="pull-right"> |
| <a href="http://maven.apache.org/" title="Built by Maven" class="poweredBy"> |
| <img class="builtBy" alt="Built by Maven" src="../images/logos/maven-feather.png" /> |
| </a> |
| </p> |
| |
| |
| |
| |
| |
| <div id="ohloh" class="pull-right"> |
| <script type="text/javascript" src="http://www.ohloh.net/p/8659/widgets/project_basic_stats.js"></script> |
| </div> |
| </div> |
| </footer> |
| </body> |
| </html> |
