Implement_Access_Control_in_auth-service#3 #18
Closed
abed.alrahman
wants to merge 0 commits from
Implement_Access_Control_in_auth-service#3 into develop
pull from: Implement_Access_Control_in_auth-service#3
merge into: clevermicro:develop
clevermicro:master
clevermicro:develop
Dismiss Review
Are you sure you want to dismiss this review?
Labels
Clear labels
Blocked
Needs feedback
Signed-off: Owner
Signed-off: Scrum Master
Signed-off: Tech Lead
Spike
A ticket in a blocked state and unable to complete until some other task is completed first.
Bounty
$100
A bounty of $100 for any open-source contributor who provides a MR that solves this issue
Bounty
$1000
A bounty of $1000 for any open-source contributor who provides a MR that solves this issue
Bounty
$10000
A bounty of $10000 for any open-source contributor who provides a MR that solves this issue
Bounty
$20
A bounty of $20 for any open-source contributor who provides a MR that solves this issue
Bounty
$2000
A bounty of $2000 for any open-source contributor who provides a MR that solves this issue
Bounty
$250
A bounty of $250 for any open-source contributor who provides a MR that solves this issue
Bounty
$50
A bounty of $50 for any open-source contributor who provides a MR that solves this issue
Bounty
$500
A bounty of $500 for any open-source contributor who provides a MR that solves this issue
Bounty
$5000
A bounty of $5000 for any open-source contributor who provides a MR that solves this issue
Bounty
$750
A bounty of $750 for any open-source contributor who provides a MR that solves this issue
MoSCoW
Could have
Could have feature in order to satisfy the epic/legendary.
MoSCoW
Must have
Must have feature in order to satisfy the epic/legendary.
MoSCoW
Should have
Should have feature in order to satisfy the epic/legendary.
There are questions in the ticket that can not be completed until the project owner provides clarity.
Points
1
1 man-hours worth of work for an expert with no learning curve.
Points
13
13 man-hours worth of work for an expert with no learning curve.
Points
2
2 man-hours worth of work for an expert with no learning curve.
Points
21
21 man-hours worth of work for an expert with no learning curve.
Points
3
3 man-hours worth of work for an expert with no learning curve.
Points
34
34 man-hours worth of work for an expert with no learning curve.
Points
5
5 man-hours worth of work for an expert with no learning curve.
Points
55
55 man-hours worth of work for an expert with no learning curve.
Points
8
8 man-hours worth of work for an expert with no learning curve.
Points
88
88 man-hours worth of work for an expert with no learning curve.
Priority
Backlog
This ticket has backlogged priority and is not to be worked on yet
Priority
Critical
The priority is critical
Priority
High
The priority is high
Priority
Low
The priority is low
Priority
Medium
The priority is medium
When an epic or legendary is in review it must be signed off by owner, tech lead, and scrum master before being marked as completed.
When an epic or legendary is in review it must be signed off by owner, tech lead, and scrum master before being marked as completed.
When an epic or legendary is in review it must be signed off by owner, tech lead, and scrum master before being marked as completed.
A ticket for learning a tool or technology that is needed to be able to do future planning and design.
State
Completed
The ticket has been fully implemented, completed, and merged with the source code. This label should only be applied once a ticket is closed.
State
Duplicate
A ticket that represents the same content as an existing ticket.
State
In Progress
A ticket that is actively being developed.
State
In Review
A ticket that has had some code completed to implement but is waiting to pass peer review and is not yet merged in.
State
Paused
This ticket's work started but wasn't finished. It's on hold (likely in a feature branch) and will be resumed later, either due to a blocker or a delay.
State
Unverified
All new tickets start in this state. A developer may set it to show the ticket is unverified. This means we haven't agreed to work on it. It will either move to a verified state or be closed as wontdo.
State
Verified
The issue has been verified by a developer as legitimate. It will be worked on and verified tickets are now considered part of the backlog.
State
Wont Do
This ticket has been decided it wont be done. This may mean the bug has been determined to not be real (cant verify) or the feature is one we have decided we dont want to adopt.
Type
Bug
Something that doesnt work as intended.
Type
Discussion
Anytime a ticket represents a discussion about a subject and doesnt fall into one of the other categories.
Type
Documentation
An error or improvement needed in the documentation.
Type
Epic
Any first tier epic. That is, an epic which contains only issues as children and will not have sub-epics.
Type
Feature
Some new functionality not present.
Type
Legendary
A type of Epic which will contain other Epics.
Type
Support
Someone needs help using the project.
Type
Task
A generic task that doesnt fit into the other type categories.
Type
Testing
Work exclusively focusing on fixing or expanding testing.
No Label
Projects
Clear projects
No project
Assignees
aleenaumair (Aleena Umair)
argocd
CoreRasurae (Luis Mendes)
drew (Drew Morris)
eugen.thaci (Eugen Thaci)
freemo (Jeffrey Phillips Freeman)
hurui200320 (Rui Hu)
justin.morris
mngrif (Michael Griffith)
org.clevermicro (System User)
org.cleverswarm (System User)
org.inf-cd
salcedo (Brian Salcedo)
stanislav.hejny (Stanislav Hejny)
Clear assignees
No Assignees
abed.alrahman
Notifications
Due Date
No due date set.
Blocks
#3 Implement Access Control in auth-service via Traefik Forward Auth
clevermicro/user-management
#15 Unit test: Implement Access Control in auth-service
clevermicro/user-management
Reference: clevermicro/user-management#18
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Delete Branch "Implement_Access_Control_in_auth-service#3"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
This PR should be after PR #16, It contains the code for Access control using Keycloak groups and roles.
@@ -89,0 +316,4 @@* Constructs the required Keycloak Client Role name based on the HTTP method and relative path.* Example: GET /api/jobs/{id} -> GET_api_jobs_BY_ID Example: POST /api/users -> POST_api_users*/private String constructRequiredRoleName(String httpMethod, String relativePath) {If the path contains underline, this solution may not work well.
And according to this doc https://docs.cleverthis.com/en/architecture/microservices/feature-discussion/user-privilege-design, we need a lookup table to figure out which roles the user has and which role gives the access for the certain path, instead of finding roles based on url itself.
Path will never contain an underscore(underline), this: Example: GET /api/jobs/{id} -> GET_api_jobs_BY_ID
means how we automatically parse the request method and URI, here request: method=GET URI=/api/jobs/{id}
will be parsed as the role name (GET_api_jobs_BY_ID), then this role name should exist in the Keycloak roles, I showed this in the last demo, but I will show it again in the next spring review
According to the document I mentioned earlier, the role name itself shouldn't indicate the permission itself. The role name is simply a name for humans to distinguish one role from another. The permission itself is described by the role's content, as documented in the design:
The privileges grant actual access permission. And a privilege is defined here:
The resource field describes the scope of this privilege:
This is where the path lives.
Unless I'm reading out-of-date documentation (Stan shares this one in the group chat on May 1st), I didn't find any design document that matches your implementation in this PR. If you have the link to the document you're following with, please do share it. Thanks.
Also, a path can contain an underscore, since it's a valid URL. For example, a rest endpoint to manage digital books, I might give the path
/api/digital_books/, although it looks weird and is generally not recommended (should usedigital-books), the URL is legal and works with other systems. I couldn't see why we must add such limits to exclude underscores from URL path.Ref: https://datatracker.ietf.org/doc/html/rfc3986#section-2.3
Here is the design document for this ticket:
#2
We are implementing the ACL over Keycloak ACL capabilities as a first step.
Regarding the Stan blueprint document, we will think about it when it comes to a specific permission system.
ok, since Stan gives his approval, I can accept this PR as the first step. Although I still think the current solution is not perfect, we will improve it in the future. After all, the whole permission system is still in the early stage.
@@ -0,0 +60,4 @@}private String getUserClientRolesEndpoint(String userId, String clientInternalId) {return String.format("%s/admin/realms/%s/users/%s/role-mappings/clients/%s/composite",I would be generally concerned about security when I saw string concatenation for things like SQL or URL. I did check the code and right now it's safe. But fundamentally, I can pass something like
someone?var=value#to hijack this webclient to send something we don't want to keycloak, maybe trying to fool it to do something else and give us a false result.Ref: https://stackoverflow.com/questions/51544420/what-is-the-right-way-to-safely-concatenate-an-url-without-forgetting-a-separato/51545278#51545278
You are right. We should take care of SQL or HTML injection, but here, the string concatenation doesn't come from the request. I only know what the client name is, and the value comes from either the configuration file or from Keycloak config, nothing from the request.
@@ -48,7 +47,7 @@ public class KeycloakIdentityManagerService implements IdentityManagerService {private String getIntrospectionEndpoint() {return String.format("%s/realms/%s/protocol/openid-connect/token/introspect",Same url concat issue.
You are right. We should take care of SQL or HTML injection, but here, the string concatenation doesn't come from the request. I only know what the client name is, and the value comes from either the configuration file or from Keycloak config, nothing from the request.
merged with the develop branch manually.
Pull request closed