grouper-dev - quotas and Grouper
Subject: Grouper Developers Forum
- From: Chris Hyzer <>
- To: Bert Bee-Lindgren <>
- Cc: Grouper Dev <>
- Subject: quotas and Grouper
- Date: Thu, 9 Jul 2009 02:58:37 -0400
- Accept-language: en-US
- Acceptlanguage: en-US
Sorry I missed the beginning of the call, with part of your description of
quotas I think. When you send your use case it will probably be more clear.
However, in the meantime, let me explain the initial direction:
Roles are a linking of permissions and subjects (users/groups). So you would
assign permissions to either a role (i.e. everyone inside), or to a
membership of a role (immediate or effective, and though we discussed on
call, I wasn't really thinking assigning to a group-subject membership would
imply assigning to all members). Roles are special in that you can have a
role hierarchy for inherited permissions (e.g. a senior loan administrator is
a loan administrator with a few more grants).
Also, if you drop out of the role, you lose your permissions. This loose
coupling improves the security by removing access when someone's status
changes (if groups setup appropriately), and make it convenient since you
might want to change who has file system quota later on, without changing who
a student is (e.g. distance learning students don't get the quota anymore).
Here is the Kuali Rice glossary which is similar to what I am suggesting:
"Group: A Group has members that can be either Principals or other Groups
(nested). Groups essentially become a way to organize Entities (via Principal
relationships) and other Groups within logical categories.
Groups can be given authorization to perform actions within applications by
giving them Roles and Qualified Roles."
"Role: Aggregate Permissions. Roles are not scoped to Namespace; therefore,
Roles can provide authorization privileges across Namespaces. When Roles are
given to Entities (via their relationship with Principals) or Groups, an
authorization for all associated Permissions is granted.
Roles can also have arbitrary data associated with them (e.g., Role
Attributes) for scoping or classification purposes that can help qualify
authorization checks in a very limited fashion."
So... if you want to control file system usage (is there one central
filesystem quota, or are there a bunch of servers?)
The current plan would be to identify your:
1. Groups: gatech:community:students, gatech:community:faculty
2. Roles: gatech:apps:filesystem:roles:studentUser,
3. Permission: gatech:apps:filesystem:permissions:fileSystemAccess
4. Limit: gatech:apps:filesystem:limits:fileSystemQuotaBytes (integer)
Link everything up:
Put the student group in the student role, the faculty group in the faculty
role, the permission in both roles, and assign the quota to both assignments
Now, what decision or data do you want out of the system. Is an external
system going to ask grouper for the overall quota for a user? I think to get
this answer without creating a custom service, maybe we need to tunnel
through existing data structures and use hooks. So create another permission
(e.g. gatech:apps:filesystem:permissions:fileSystemOverallAccess) which is
not assignable to anything in grouper, and allow the same
fileSystemQuotaBytes limit to be assigned to it. Then ask Grouper (e.g.
through web service), give me the permission fileSystemOverallAccess for the
user 123456. A hook would intercept that call (if it didn't, it would not
find an assignment), find all fileSystemAccess permissions/quotas for that
user, add up the quotas, and return fileSystemOverallAccess permission and
limit (sum). Something like that.
I know there are redundant objects here (i.e. just assign the permission to
the group), but I am trying to go for an RBAC type system, where the Group is
just collections of subjects. The Role represents "job functions" or
something app specific. Note the namespace difference. I think it is a
little cleaner to not have all apps assigning all their permissions directly
to the student group. They would make their own role that they have access
to, and assign to that. If there were an app specific group, used only for
the app, then just make it a role. If there is a group that is shared among
apps, then make a role for each app, and add the group to each role.
Can this work?
- quotas and Grouper, Chris Hyzer, 07/09/2009
Archive powered by MHonArc 2.6.16.