...

Code Block
/**
 * SecurityChecker checks the ownership and access control to objects within
 */
public interface SecurityChecker extends Adapter {

...

    /**
     * Checks if the account can access the object.
     *
     * @param caller
     *            account to check against.
     * @param entity
     *            object that the account is trying to access.
     * @param accessType
     *
     * @param action
     *
     * @return true if access allowed. false if this adapter cannot provide permission.
     * @throws PermissionDeniedException
     *             if this adapter is supposed to authenticate ownership and the check failed.
     */
    boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType, String action) throws PermissionDeniedException;

....
}

IAM Interface to check API Access

IAM Plugin 'PolicyBasedAccessChecker' will also provide a group and policy based implementation of the APIChecker interface. The implementation will check whether a given user is permitted to invoke the given 'action' on the given API call resource by looking at the user account's groups and the policies associated with those groups.

For a given user, resource and API name:

  • Find all groups the user belongs to.
  • Find all 'effective' policies the groups are associated with. Effective includes all policy associations in the DB and the dynamic 'Resource Owner' policy if the resource is owned by the user.
  • If any policy 'Allows' the API, grant permission to make this call.
  • Else, if any policy 'Denies' the API, deny permission to make this call.
  • Else, if no Allow or Deny entry is found in any policy for this API, deny the permission.
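The evaluation order above, written out as an added example (it is not code from the CloudStack IAM plugin). The class, the in-memory maps standing in for the DB associations, and the contents of the 'Resource Owner' policy are assumptions made for illustration. The case for "alice" shows the consequence of the stated order: an Allow in one effective policy is found before a Deny in another is considered.

```java
import java.util.*;

public class PolicyEvalExample {
    enum Effect { ALLOW, DENY }
    enum Decision { ALLOWED, DENIED_EXPLICIT, DENIED_DEFAULT }

    // Hypothetical model: a policy maps API names to an Allow or Deny entry.
    static final class Policy {
        final Map<String, Effect> entries;
        Policy(Map<String, Effect> entries) { this.entries = entries; }
    }

    // Constructed sample data standing in for group and policy associations in the DB.
    static final Map<String, List<String>> USER_GROUPS = Map.of(
        "alice", List.of("ops", "restricted"),
        "bob", List.of("restricted"));
    static final Map<String, List<Policy>> GROUP_POLICIES = Map.of(
        "ops", List.of(new Policy(Map.of("rebootVirtualMachine", Effect.ALLOW))),
        "restricted", List.of(new Policy(Map.of("rebootVirtualMachine", Effect.DENY))));
    // Dynamic 'Resource Owner' policy; the API it grants is an assumption of this example.
    static final Policy RESOURCE_OWNER = new Policy(Map.of("listVirtualMachines", Effect.ALLOW));

    // Steps 1 and 2: groups of the user, then policies of those groups plus the owner policy.
    static List<Policy> effectivePolicies(String user, String resourceOwner) {
        List<Policy> result = new ArrayList<>();
        for (String group : USER_GROUPS.getOrDefault(user, List.of()))
            result.addAll(GROUP_POLICIES.getOrDefault(group, List.of()));
        if (user.equals(resourceOwner)) result.add(RESOURCE_OWNER);
        return result;
    }

    static Decision evaluate(String user, String resourceOwner, String apiName) {
        List<Policy> policies = effectivePolicies(user, resourceOwner);
        for (Policy p : policies)   // step 3: any Allow grants the call
            if (p.entries.get(apiName) == Effect.ALLOW) return Decision.ALLOWED;
        for (Policy p : policies)   // step 4: otherwise any Deny refuses it
            if (p.entries.get(apiName) == Effect.DENY) return Decision.DENIED_EXPLICIT;
        return Decision.DENIED_DEFAULT;   // step 5: no entry at all also refuses it
    }

    public static void main(String[] args) {
        // alice is in a group that allows and a group that denies the same API
        System.out.println(evaluate("alice", "carol", "rebootVirtualMachine"));
        System.out.println(evaluate("bob", "carol", "rebootVirtualMachine"));
        // bob owns the resource in the first call, not in the second
        System.out.println(evaluate("bob", "bob", "listVirtualMachines"));
        System.out.println(evaluate("bob", "carol", "listVirtualMachines"));
    }
}
```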

IAM Interface to check API Access

IAM Plugin 'PolicyBasedAccessChecker' will implement the APIChecker interface.

Code Block
// APIChecker checks the ownership and access control to API requests
public interface APIChecker extends Adapter {
    // Interface for checking access for a role using apiname
    // If true, apiChecker has checked the operation
    // If false, apiChecker is unable to handle the operation or not implemented
    // On exception, checkAccess failed; do not allow the operation
    boolean checkAccess(User user, String apiCommandName) throws PermissionDeniedException;
}

The API permissions are also stored in the same DB schema as the entity permissions. Since the above entity access check already verifies that the user is allowed to invoke the given API for the given resource, we do not need one more check just to see if the user can invoke the API.

So PolicyBasedAccessChecker::checkAccess(User user, String apiCommandName) can always return true and rely on the entity based access check.

IAM Interface to facilitate Query APIs

...