January 8, 2015 at 11:01 pm #2265handongwangParticipant
I am new to openAM. Hope someone may shed light on the best way to solve the problem.
I have a legacy application that has special requirements on authorization such as there are parent-child relationship between user groups as well as between resources. A child resource inherits parent resource permissions and may override (add/revoke) parent resource permissions. The same applies to child group. This child-parent relationship and overriding mechanism helps to simplify authorization configuration, which would consists of thousands of rules should it modelled using openAM authorization policies.
The legacy application is part of a system that uses openAM to manage authentication and authorization. The legacy application is a high throughput, low latency processing system. Performance is critical. I want to use use openAM to manage user identities for this legacy application as well as other applications. I could upgrade the legacy application’s A&A code to use openAM.
it is hard to model current authorization configuration and logic using openAM authorization capabilities. So i need to figure out a workaround.
one approach is to model current authorization configuration using openAM authorization configuration by adding special attributes to user groups as well as applying resource naming convention. The legacy application could download the configuration from openAM and check authorization by itself. the question is: is there a way to download openAM authorization data?
this is just one approach. Another approach I am thinking about is to use openAM for authentication only. group and authentication are defined and executed by the legacy application. the drawback is that the whole systems A&A is splitted even if it is doable.
Any suggestion is greatly appreciated!January 14, 2015 at 3:16 am #2402Peter MajorModerator
Any sort of configuration data (such as policies) should be accessible via the ClientSDK, but then the question remains: what’s the point of setting up the policies in AM if AM itself is unable to actually correctly evaluate them?
One possible approach could be to implement custom policy conditions, and you would evaluate the policies using the REST/ClientSDK APIs. That way you should be able to provide extra environment information for each policy evaluation, such as what parent resources are involved in the process and such.
Frankly your requirements sounds a bit too complex, so I’m not really sure if you were to implement anything custom, it could in any way become as performant as your current authorization solution.
It is also possible to go the extra mile of implementing a custom policy application with a custom resource comparator, but that isn’t really aware of the environment IIRC, so not sure if that would be of any help (also implementing a custom resource comparator is *really* difficult to get right).January 17, 2015 at 5:34 am #2456handongwangParticipant
thanks for your input.
I am thinking of use OpenAM to store user and group data only, i.e., OpenAM does authentication. Authorization rules are configured in the legacy application and enforced by the application (as it does now). Of course, I need to define groups in both OpenAM and the legacy application.
I need to upgrade the legacy application to accept OpenAM security tokens too.
I need to avoid define users in both OpenAM and the legacy application as there could be up to 8000 users in the legacy app.January 23, 2015 at 1:26 pm #2712Jamie BowenModerator
So you could use OpenDJ to store your users in and have OpenAM and your application both use OpenDJ as a user store. This is how OpenAM is used in the majority of deployments. From your application, you could also reach out to OpenDJ and use it as your user store.
You must be logged in to reply to this topic.