Skip to content

Instantly share code, notes, and snippets.

@abstractj

abstractj/gist:8896fb6c54fede35c022

Forked from sebastienblanc/gist:6547605
Last active August 29, 2015 14:01
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save abstractj/8896fb6c54fede35c022 to your computer and use it in GitHub Desktop.
Save abstractj/8896fb6c54fede35c022 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
gistfile1.md

User Management for the Aerogear Unfied Push Server

Introduction

The goal of this document is to describe how the User Management will be implemented in the Unified Push Server. Currently there is only one user created by default when installing UPS. Having the possibility to create multiple users is a "Must Have" and should be manageable from the Admin Console. Some roles should also be introduced

Roles / Permissions

There will be 3 different roles in this first version :

  • Admin (super user): The Admin is like the super-user, it can access all the features of UPS including the creation of users.
  • Developer (developer) : The developer can create/read/update and delete Applications/variants.
  • viewer : Can only 'Read', can be useful for monitoring apps (or for the future UPS Forge Plugin).
Role / action Create Update Read Delete Reset secret User Mngt
Admin X X X X X X
Developer X X X X X
Viewer                X                          

User management flow

An Admin can create new user by providing a loginName. This will be possible through :

  • The console
  • The REST service

Password Management

At creation, the user will have a default password , i.e 123.

First Login

When logging in for this first, the new created user will be prompted to change his password.

Reset Password Instruction

If a user wants to reset his password, he has to request manually (email, post pigeon ...) to an admin. The password will be again the default one and the user will have to change it again when logging in.

Scope of the current permissions

Currently, a authenticated user can see all the applications / variants / installations, no matter he is the author or not. There is also no concept of groups, that may come in the future releases.

Security Implementation

Currently, it would be possible to implement this using Aerogear-Security-Picketlink and with some raw Picketlink :

  • Login / Logout / Registration : AG-Security offers all we need
  • Roles and permissions : AG-Security offers a secures annotation that can be used to protect the endpoints.

I know there some concerns about this last points (Role escalation etc ...) and would like to have advice / feedback on what is acceptable / doable for the 0.10.0 release (15/01).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment