4 Replies Latest reply on Jan 11, 2010 12:19 PM by rareddy

    How to impose role based security through management objects/profile service

    rareddy

      Hi,

       

      I understand that profile service can be accessed remotely and can be secured to get the Management View. With this scenario once the user has access to the view, they have access to modify any and all they can access through this view.

       

      Teiid management requires little more fine grained role based secuirty to manage access to managed objects or managed operations, such that some admins may only have "read only" permissions, where as others can have "read-write" etc.

       

      I heard JON has this functionality (I could be wrong), not found any information looking though my searches, can somebody share any info on this. Is this even possible?

       

      Thank you.

       

      Ramesh..

        • 1. Re: How to impose role based security through management objects/profile service
          mazz

          I can tell you how JON does it. The security model is wrapped around the abstract management model (in other words, JON relies on its own security mechanism, as opposed to relying on JBossAS security to do things like prohibit invoking operations or configuring things - this is how JON allows for the same security model to secure all types of managed resources in a generic way).

           

          http://rhq-project.org/display/JOPR2/Security+Model

           

          That link shows the different times of security permissions you can get. So, its possible you can view a resource but you can't do things like configure it or run operations on it. But again, this is at a layer above JBossAS (its at the management platform layer).

           

          I'm not sure if this is helpful, but that's what it is wrt JON.

          • 2. Re: How to impose role based security through management objects/profile service
            emuckenhuber

            From the profileservice side we don't provide any further options to configure security. It is something to think about adding, but it's more on the long term roadmap. For now management-clients would have to provide this additional security.

             

            The link you posted about remote access to ProfileService seems to be out of date. I need to validate that, but AFAIK you don't need to specify the SecureProfileService anymore. Security can be enabled with some server side settings using the same references - i'll update that. Thanks!

            1 of 1 people found this helpful
            • 3. Re: How to impose role based security through management objects/profile service
              anil.saldhana
              We should discuss further about utilizing RBAS facilities available via JBoss Security for your needs.
              1 of 1 people found this helpful
              • 4. Re: How to impose role based security through management objects/profile service
                rareddy

                Thank you for very helpful answers.

                 

                Although integration with JON might solve some of the problems, it does not solve all the issues for Teiid. Teiid provides same functionality that is exposed through profile service also through Admin API, thus having two different security models on both management interfaces is not really I want to do.

                 

                +1 for providing security integration through management framework so that all management tools can enforce same security profile.

                 

                Anil: we are already using JBoss Security, can you point me any info as to what you are suggesting.

                 

                Thanks.

                 

                Ramesh..