New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow overriding of privilege parameters from the account model #593
Comments
Comment created by @bwaidelich: Some technical details that still need some thinking: In the database this relation probably can be serialized, but instead of a simple list of strings like it is now it needs to be some more complex representation like {"Some.Package:Role1": [], "Some.Package:Role2": [{"parameterA": "value1", "parameterB": "value2"}]} The initial migration won't be a problem, but we'll probably need a CLI command to migrate existing accounts when changing parameter definitions in the Policy |
Comment created by andi: We are working on this in a project this week... |
Comment created by @bwaidelich: [~andi] any news on this one? would be awesome to have this feature. I've seen a lot of flaky hacks around this. Maybe you can publish your fork somewhere so people can adjust/fine-tune it to be applied to master? |
@foerthner FYI I gave this a quick shot but it turned out to be more complex than I had hoped for. Currently I don't have a personal itch bit enough to overcome that, so I rest my efforts for now.. |
Jira issue originally created by user @bwaidelich:
Current situation:
Privilege Parameters allow to use placeholders in privilege matchers:
The parameters have to be specified when assigning a role to a PrivilegeTarget:
Otherwise an exception would be triggered:
So parameters have to be specified at design time which drastically limits their practicability
Suggestion
Instead of replacing the parameter placeholders during parsing of the
Policy.yaml
already we suggest to defer that to when aRole
is assigned to theAccount
inPolicyService::initialize()
.That would allow for specifying/overriding parameter values *in the Account model* itself which in turn would make it possible to implement some kind of Group mechanism on top of the existing Role-based authorization.
Example:
Imagine you have a role NewsEditor but you want to limit editors to certain news categories, too.
Now you could create a sub-role for for every category in question (like NewsEditor.Marketing, NewsEditor.Community, ...) but that's tedious and news categories can change during runtime.
By using deferred parameters you could solve this with the one existing role and parameters in the
Account
<->Role
assignment: "Account XYZ has role NewsEditor with a parameter categories of marketing, community".Consequences
The
Account
Model has to be extended, so that theAccount
<->Role
relation contains (optional) parameter values**** The service classes (e.g.
AccountFactory
) & CLI commands have to be adjusted accordingly so that one can specify parameters**** In order to be used from Neos the users management module should be extended
If you try to assign a role to an account without specifying all required parameters, an exception needs to be thrown
The
Security\Context::contextHash
that is currently used to cache all kinds of data based only on the authenticated roles has to be extended to include parameters, tooMatchers for the
MethodPrivilege
that contain parameter placeholders have to be rewritten because they are serialized at compile timeJira-URL: https://jira.neos.io/browse/FLOW-386
The text was updated successfully, but these errors were encountered: