4 Replies Latest reply on Jan 11, 2010 12:19 PM by rareddy

How to impose role based security through management objects/profile service

rareddy Jan 8, 2010 3:45 PM

Hi,

I understand that profile service can be accessed remotely and can be secured to get the Management View. With this scenario once the user has access to the view, they have access to modify any and all they can access through this view.

Teiid management requires little more fine grained role based secuirty to manage access to managed objects or managed operations, such that some admins may only have "read only" permissions, where as others can have "read-write" etc.

I heard JON has this functionality (I could be wrong), not found any information looking though my searches, can somebody share any info on this. Is this even possible?

Thank you.

Ramesh..

1. Re: How to impose role based security through management objects/profile service

mazz Jan 8, 2010 4:09 PM (in response to rareddy)

I can tell you how JON does it. The security model is wrapped around the abstract management model (in other words, JON relies on its own security mechanism, as opposed to relying on JBossAS security to do things like prohibit invoking operations or configuring things - this is how JON allows for the same security model to secure all types of managed resources in a generic way).

http://rhq-project.org/display/JOPR2/Security+Model

That link shows the different times of security permissions you can get. So, its possible you can view a resource but you can't do things like configure it or run operations on it. But again, this is at a layer above JBossAS (its at the management platform layer).

I'm not sure if this is helpful, but that's what it is wrt JON.
Actions
2. Re: How to impose role based security through management objects/profile service

emuckenhuber Jan 11, 2010 5:42 AM (in response to rareddy)

From the profileservice side we don't provide any further options to configure security. It is something to think about adding, but it's more on the long term roadmap. For now management-clients would have to provide this additional security.

The link you posted about remote access to ProfileService seems to be out of date. I need to validate that, but AFAIK you don't need to specify the SecureProfileService anymore. Security can be enabled with some server side settings using the same references - i'll update that. Thanks!
1 of 1 people found this helpful
Actions
3. Re: How to impose role based security through management objects/profile service

anil.saldhana Jan 11, 2010 10:23 AM (in response to rareddy)

We should discuss further about utilizing RBAS facilities available via JBoss Security for your needs.
1 of 1 people found this helpful
Actions
4. Re: How to impose role based security through management objects/profile service

rareddy Jan 11, 2010 12:19 PM (in response to anil.saldhana)

Thank you for very helpful answers.

Although integration with JON might solve some of the problems, it does not solve all the issues for Teiid. Teiid provides same functionality that is exposed through profile service also through Admin API, thus having two different security models on both management interfaces is not really I want to do.

+1 for providing security integration through management framework so that all management tools can enforce same security profile.

Anil: we are already using JBoss Security, can you point me any info as to what you are suggesting.

Thanks.

Ramesh..
Actions

Go to original post