RBAC for OpenStack via HTTP verbs proxy - authorization

I'm currently working on a project based on OpenStack. In the project I would like to extend the OpenStack REST API with some RBAC (Role Based Access Control) mechanism.
But what is the best way? I don't want to touch all the OpenStack code and by this maybe lose compatibility with the major OpenStack release. Due to that I had the idea to write an "RBAC-Proxy" that enables RBAC for the HTTP verbs.
Every access to the OpenStack API would be routed over the proxy. It would be great if you can give me any advice in that direction.
Thanks and kind regards,
Jan

HEAT might be a good place to put that functionality.
First I'd read the Gerrit workflow page on the OpenStack wiki. This is good reading for new developers:
https://wiki.openstack.org/wiki/Gerrit_Workflow
Second I would reach out to the openstack-dev mailing list:
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Ultimately, what you should probably do is work up a blueprint, and submit that before the next summit. See what developers have to say about it. It strikes me that folks might want that functionality or at the very least have some ideas about how that can be solved well.
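
The verb-level RBAC proxy described in the question above, as an added example (not code from the original posts or from OpenStack). It is a WSGI middleware that denies by default; the role names, paths and token table are constructed, and the token lookup stands in for validation against the identity service.

```python
import posixpath
import re
from wsgiref.util import setup_testing_defaults

# Constructed policy: (role, allowed verbs, path pattern). Unmatched requests are denied.
POLICY = [
    ("viewer", {"GET", "HEAD"}, re.compile(r"^/servers(/.*)?$")),
    ("operator", {"GET", "HEAD", "POST", "PUT"}, re.compile(r"^/servers(/.*)?$")),
    ("admin", {"GET", "HEAD", "POST", "PUT", "DELETE"}, re.compile(r"^/.*$")),
]
# Constructed token table; a real proxy would validate the token with the identity service.
TOKEN_ROLES = {"tok-viewer": {"viewer"}, "tok-op": {"operator"}, "tok-admin": {"admin"}}

def is_allowed(roles, method, path):
    """True only if some rule grants this verb on the normalized path."""
    path = posixpath.normpath(path)  # collapse "/servers/../x" before matching
    method = method.upper()
    return any(role in roles and method in verbs and pattern.match(path)
               for role, verbs, pattern in POLICY)

class RBACProxy:
    """WSGI middleware that checks verb and path before forwarding to the backend."""
    def __init__(self, backend, resolve_roles):
        self.backend = backend
        self.resolve_roles = resolve_roles

    def __call__(self, environ, start_response):
        roles = self.resolve_roles(environ.get("HTTP_X_AUTH_TOKEN", ""))
        if not roles:
            return self._reject(start_response, "401 Unauthorized")
        if not is_allowed(roles, environ["REQUEST_METHOD"], environ.get("PATH_INFO", "/")):
            return self._reject(start_response, "403 Forbidden")
        return self.backend(environ, start_response)

    @staticmethod
    def _reject(start_response, status):
        start_response(status, [("Content-Type", "text/plain")])
        return [status.encode()]

def backend(environ, start_response):
    """Stand-in for the proxied API endpoint."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"forwarded"]

def probe(app, method, path, token=""):
    """Send one constructed request through the app and return the status line."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update(REQUEST_METHOD=method, PATH_INFO=path, HTTP_X_AUTH_TOKEN=token)
    seen = []
    app(environ, lambda status, headers: seen.append(status))
    return seen[0]

app = RBACProxy(backend, lambda token: TOKEN_ROLES.get(token, set()))
```

The proxy only provides access control if the backend API is unreachable except through it; otherwise clients can bypass the policy by talking to the service directly.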

Related

.NET-Core Web API routing to different process

My goal is to implement a generically extendible .NET core web API. The generic refers to modules that can be added at runtime and provide new endpoints as well as functionality. These modules will be developed based on a framework.
Currently I am still deciding if the modules will be included as a DLL or run as a separate process (.exe).
I have the basic understanding of Dependency Injection regarding the addressing of controllers in a DLL. But now I wonder if and how to realize the whole thing via an own process.
The API should always be addressable via http://localhost/myapi/{endpoint}, i.e. a request to a module should be done via the same URL. For the user / developer of the frontend everything should be presented as one API.
Unfortunately I was not successful on my research and don't know exactly what I have to / should look for specifically. Therefore I hope that you can help me.
Examples are helpful, but keywords or articles that deal with such a topic would also help me further.
kind regards

Is there a self-hosted single sign-on solution with completely RESTful API?

Is there a single sign-on solution with completely RESTful API installable on my server? I have looked at OpenAM, which has some of the API available through HTTP/JSON, but not all (and seems too heavy, but if it had all the API, I'd not care).
Do you know of a solution for authorization, authentication and identity management that can be used for single sign-on and has all (maybe without setting admin password and such critical issues) its API available through HTTP(S)/JSON?
I have no need for Java API etc., HTTP(S)+CLI for setup is the only thing I look for. That is, I don't really care what the solution is implemented in (no need for Java EE etc.) as long as it does its job and it is secure.
Have you seen Mozilla's new Persona solution built on BrowserID? It does a lot, but it's hard to know if it's sufficient for you without more details about how integrated you need the authorization to be.
You might want to look at Stormpath. They're the largest identity management service (for developers) -- and they are all REST + JSON API backed.

Does JBoss have a user management API which I can use?

I am going to run a Web App on JBoss App Server 7. Does JBoss have some sort of inbuilt user management module/API which I can use rather than code my own? Or do I have to make this module myself. I know about the default JAAS pieces providing authentication AND authorisation, however I am looking to manage, add, edit, delete users from the datasource as well.
I'm not being lazy or anything, just want to know if JBoss has an easy inbuilt way before I start :)
Google implies no so I want to make sure by asking here.
As far as I know they don't provide any easy-to-manage identity provider, they "only" provide a way to connect to an identity provider using standard protocols like LDAP, SAML, WS-Trust and OpenID to provide container-managed authentication.
They have an IDM project but it seems to provide standard protocol SSO identity backed by some identity store but doesn't provide a way to manage the users.
PicketBox and PicketLink are the two JBoss projects you should look at for more information.
These elements can be used if you want to use a global identity system, an existing one, a new product deployment or a custom build.
(disclaimer: I have spent some time on Picket* projects documentation and I still don't think I have a good knowledge of how it works... )
There is a web interface and a command line interface for management operations. See the Management Clients section of the documentation.
The security realms could be what you're after. I'm not really a security expert though.
Maybe a security domain could be helpful too.

Is there a Web Service community with a large and varied pool of services provided to consume?

Please specify and rate your experience if you know any. Thanks! =]
No, there wouldn't be anything like that. In my experience each web service is designed for a very specific purpose, and would not have application outside its original product. Also, a lot of web services are locked down to prevent unauthorized access. I am not aware of any collection of web services being made available from a single place. Would be curious to check it out if there is one, though.
Plamen

Will this WCF setup work?

I'm rather new to the WCF/IIS/MS web stack corner of the world so I'm hoping for some help evaluating my design.
What I need is a system that presents a number of resources as URIs. Each resource is a WCF web service providing a number of read and write operations. I need to provide username/password security for different resources.
How I'm hoping to make this work is to have IIS handle the security using the normal devices it uses for everything else. Then use URL rewriting to remap everything to a single web service that will provide the correct resource based on the rewritten query string.
Will this work?
Am I missing something?
Is there a better way to do this?
If you happen to know of a really good tutorial for the bits and pieces (like what file do the security settings go in?) I would appreciate links.
For now there will be only a handful (2 to 20) users so static config files would be preferred for that as long as it won't cause problems later.
As I said, I hardly know jack in this domain so I don't really know what I don't know.
A few links I have found (don't even know yet if I'm looking in the right direction)
Fundamentals of WCF Security (assumes a bit more familiarity than I have)
Improving Web Security: Scenarios and Implementation Guidance for WCF (really long, book length)
Yes, this sounds sane. For authentication you want to use the ASP.NET membership module; it provides a generic security API which can use integrated (Windows user), web form login, even LiveID or some custom authentication. In my experience MSDN has proven a good resource, here's a hands-on article.
For web HTTP binding, WCF provides URI rewriting out of the box using the WebGet attribute.
For SOAP, the endpoint URL is the same, so I assume you want a RESTful endpoint. If so, you need Basic auth over HTTPS, not WS-Security.