Identity manages the following entities for a tenant:

  • user
  • role
  • permissions
  • permittable group
  • service token (for a future version)
  • certain data saved per tenant...

A user consists of the following:

  • identifier (unique within the scope of the tenant)
  • password hash (+ associated data like variable salt)
  • password expiration date
  • role
  • service tokens (for a future version)

A role consists of the following:

  • identifier (unique within the scope of the tenant)
  • permissions

A permission consists of the following:

  • whether it is for change (POST+PUT), read (GET+HEAD), or delete (DELETE)
  • identifier of the permittable group being permitted

A permittable group consists of the following:

  • a unique identifier usually provided by the microservice for which the permittable group is defined.
  • list of URIs of endpoints included in the group (not including domain and port, but including service name and version)

A designator consists of the following: (for a future version)

  • URL specifying the meaning of a placeholder in a permission URL.

A service token consists of the following: (for a future version)

  • name (unique for the user)
  • description
  • role (the permissions for this role need to be a subset of the permissions for the user's role)
  • creation date
  • last accessed date

The data saved for the tenant in identity includes:

  • public and private key used to sign tokens
  • fixed salt used for server-side password hashing
  • password for the admin. The admin is stored as a user in isis; her permissions can be changed.
  • how long a user's password is valid between password changes.
  • how long the user's grace period is to change a password after it has expired.

A special note about identifiers (for example user identifier, role name, and service token name):

  • These names are used to reference their respective REST resources and must therefore URL encode to themselves.

The users "seshat" and "guest" cannot be created. They have a special meaning for anubis and are therefore reserved.

The role "disabled" cannot be created or deleted. Assigning this role to a user has the effect of taking away all that user's permissions and therefore disabling him.
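The following is an added example, not code from Identity itself, that puts the rules above together: the permission model (verb class plus permittable group), the rule that a service token's role must be a subset of the user's role, the requirement that identifiers URL-encode to themselves, the reserved users, and the built-in "disabled" role. The service name "orders", the paths, the group names and the role names are constructed sample data.

```python
from dataclasses import dataclass
from urllib.parse import quote

# Constructed sample data; "orders", the paths and the role names are illustrative only.
VERB_CLASSES = {                 # verb classes exactly as defined for a permission
    "change": {"POST", "PUT"},
    "read": {"GET", "HEAD"},
    "delete": {"DELETE"},
}
RESERVED_USERS = {"seshat", "guest"}   # reserved for anubis, may not be created

@dataclass(frozen=True)
class PermittableGroup:
    identifier: str          # supplied by the microservice that owns the endpoints
    endpoints: frozenset     # paths incl. service name and version, no host or port
@dataclass(frozen=True)
class Permission:
    kind: str                # "change", "read" or "delete"
    group: str               # identifier of the permittable group being permitted
@dataclass(frozen=True)
class Role:
    identifier: str
    permissions: frozenset   # set of Permission

GROUPS = {
    "orders": PermittableGroup("orders", frozenset({"/orders/v1/orders"})),
    "invoices": PermittableGroup("invoices", frozenset({"/orders/v1/invoices"})),
}
READER = Role("reader", frozenset({Permission("read", "orders")}))
EDITOR = Role("editor", frozenset({Permission("read", "orders"),
                                   Permission("change", "orders"),
                                   Permission("read", "invoices")}))
DISABLED = Role("disabled", frozenset())   # built-in role: carries no permissions

def valid_identifier(name: str) -> bool:
    """User, role and token names must URL-encode to themselves."""
    return bool(name) and quote(name, safe="") == name

def user_creatable(name: str) -> bool:
    """A new user needs a valid identifier that is not one of the reserved names."""
    return valid_identifier(name) and name not in RESERVED_USERS

def is_authorized(role: Role, method: str, path: str) -> bool:
    """A request is allowed when some permission covers both its verb class and its path."""
    return any(method in VERB_CLASSES[p.kind] and path in GROUPS[p.group].endpoints
               for p in role.permissions)

def token_role_allowed(token_role: Role, user_role: Role) -> bool:
    """A service token's role may only grant a subset of the owning user's permissions."""
    return token_role.permissions <= user_role.permissions
```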