[keycloak-user] Migrating existing system vs. resource mangement

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

[keycloak-user] Migrating existing system vs. resource mangement

Yannick Lazzari
Hi,

We're currently evaluating Keycloak to migrate an existing system. For the
sake of the discussion, let's use the photoz example and pretend we are an
online pictures hosting service and that we have millions of albums,
belonging to thousands of users (users typically have more than one album,
so we have more albums than users).

If we were to implement the same permissions and wanted to constraint the
deletion of an album to its owner, does that mean that we would first need
to "sync" all our existing albums in Keycloak by "pushing" a
ResourceRepresentation for each of them, so that we can then have a policy
that uses the owner?

And what if we actually have dozens of other resource types for which we
want to enforce similar "resource owner" policies, each of them having
millions of records and living in different databases? Is it also expected
for all of them to do the same, essentially maintaining duplicates (in some
form) of all existing records in our system inside Keycloak's single
database, just so that we can use the resource owner in some policies?

We understand the simple photoz example, for something that starts from
scratch and with little data, but we have a hard time seeing how such an
approach can scale well for an existing system with millions of resources
of different types. Or perhaps we're completely missing the point or an
important piece of the puzzle.

Instead of having to push resources to Keycloak, is there a way to provide
arbitrary attributes that would be stored in the evaluation context of
policies and made available for the duration of a single authorization
request? For instance, when authorizing access to /album/123, could we tell
Keycloak that the owner of this album is actually user id 456, have it
stored in some attribute in the evaluation context and then use that
attribute in a policy (whether it's Javascript or Drools), along with some
other arbitrary attributes? We've seen discussions around the usage of
custom user claims, but this does not really seem to apply here since those
are not resource-specific. Or would there be a way to "extend" Keycloak and
use a hook that is provided that would allow us to somehow add this
information to the evaluation context?

Looking for help to see how we would start tackling such a problem, if we
were to adopt Keycloak.

Thank you very much for any insight anyone can provide!

Yannick
_______________________________________________
keycloak-user mailing list
[hidden email]
https://lists.jboss.org/mailman/listinfo/keycloak-user
Reply | Threaded
Open this post in threaded view
|

Re: [keycloak-user] Migrating existing system vs. resource mangement

Pedro Igor Silva
Hello Yannick,

Starting from the bottom ...

Right now, policy evaluation is solely based on the resources you have in
Keycloak. So yes, you would need to use the Protection API to manage your
resources every time you create/remove them from your application.

I understand your concern about "maintaining duplicates" of resources.
However, authorization services is strongly based on UMA concepts and there
the AS plays an important role when managing the resources belonging to
your users. By having complete control over resource owner's resources, the
AS is capable of managing and taking care of these resources for your users
(and your application) so you benefit from everything the AS provides such
as privacy control, permission management and resource sharing, things that
are very closely related with the basis of UMA: user managed access.

What you described as "provide arbitrary attributes" is exactly what we are
looking for. So you would have a more "stateless" permissioning model where
you don't really want Keycloak to manage your resources, but just provide
"facts" to the policy engine and have them processed by any matching policy
in order to get a decision. This feature is pretty close related with a
better contextual access control support. As it stands today, the "context"
is basically what you have in your access token and you are not able to
send any additional information.

Back to "maintaining duplicates" topic, some time ago Bill Burke suggested
a very interesting approach to resource management and storage. He
suggested that we could provide a "Resource Provider SPI" that users could
implement in order to fetch resources from an external database. I think is
another thing we would start working for the next release.

On Tue, May 9, 2017 at 7:30 AM, Yannick Lazzari <[hidden email]>
wrote:

> Hi,
>
> We're currently evaluating Keycloak to migrate an existing system. For the
> sake of the discussion, let's use the photoz example and pretend we are an
> online pictures hosting service and that we have millions of albums,
> belonging to thousands of users (users typically have more than one album,
> so we have more albums than users).
>
> If we were to implement the same permissions and wanted to constraint the
> deletion of an album to its owner, does that mean that we would first need
> to "sync" all our existing albums in Keycloak by "pushing" a
> ResourceRepresentation for each of them, so that we can then have a policy
> that uses the owner?
>
> And what if we actually have dozens of other resource types for which we
> want to enforce similar "resource owner" policies, each of them having
> millions of records and living in different databases? Is it also expected
> for all of them to do the same, essentially maintaining duplicates (in some
> form) of all existing records in our system inside Keycloak's single
> database, just so that we can use the resource owner in some policies?
>
> We understand the simple photoz example, for something that starts from
> scratch and with little data, but we have a hard time seeing how such an
> approach can scale well for an existing system with millions of resources
> of different types. Or perhaps we're completely missing the point or an
> important piece of the puzzle.
>
> Instead of having to push resources to Keycloak, is there a way to provide
> arbitrary attributes that would be stored in the evaluation context of
> policies and made available for the duration of a single authorization
> request? For instance, when authorizing access to /album/123, could we tell
> Keycloak that the owner of this album is actually user id 456, have it
> stored in some attribute in the evaluation context and then use that
> attribute in a policy (whether it's Javascript or Drools), along with some
> other arbitrary attributes? We've seen discussions around the usage of
> custom user claims, but this does not really seem to apply here since those
> are not resource-specific. Or would there be a way to "extend" Keycloak and
> use a hook that is provided that would allow us to somehow add this
> information to the evaluation context?
>
> Looking for help to see how we would start tackling such a problem, if we
> were to adopt Keycloak.
>
> Thank you very much for any insight anyone can provide!
>
> Yannick
> _______________________________________________
> keycloak-user mailing list
> [hidden email]
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
_______________________________________________
keycloak-user mailing list
[hidden email]
https://lists.jboss.org/mailman/listinfo/keycloak-user
Reply | Threaded
Open this post in threaded view
|

Re: [keycloak-user] Migrating existing system vs. resource mangement

Yannick Lazzari
Thanks a lot for your prompt response Pedro and for confirming our
understanding.

Do you have opened issues that would describe what "supporting a better
contextual access control" would translate into, and that we can also vote
on it?

This seems to be the missing bit that probably will make us reconsider
Keycloak for the moment. Having policies that require knowledge about the
resources' attributes, other than the resource owner, is a fundamental
piece of the policies we would like to implement. Even if we did go through
the process of first pushing all our resources to Keycloak and keeping them
in-sync afterwards, we'd still need to access more than just the resource's
owner in our policies. From what I understand, this ins't possible at the
moment, and this could be solved with those contextual access control
improvements.

We thought this would already be covered because we considered that a
pretty "standard" need, but the fact that this isn't currently possible
makes us wonder: is this in the scope of what UMA is trying to address?
Take the following policy for instance (pseudo code):

rule "Expensive Product"
    when
       $evaluation : Evaluation($permission.resource != null &&
$permission.resource.price > 100.00)
    then
        $evaluation.grant();
end

Should this exist as a Keycloak policy? Should it know that our "product"
resource has a "price" attribute and that we have policies that depend on
it?

What we're also trying to address as a problem is to have a central
repository of where our security policies are defined (in whole) so that
it's easier to audit, review and maintain them. If we can't have such
policies defined because it's not in the scope of what is supposed to be
covered by Keycloak (or other authorization servers for that matters), then
we'd be forced to distribute the authorization process between Keycloak and
some other service. And because of that, we wouldn't have all the rules
required to resolve a policy in a single location.

Does that make sense?

Thanks!



On Tue, May 9, 2017 at 8:03 AM Pedro Igor Silva <[hidden email]> wrote:

> Hello Yannick,
>
> Starting from the bottom ...
>
> Right now, policy evaluation is solely based on the resources you have in
> Keycloak. So yes, you would need to use the Protection API to manage your
> resources every time you create/remove them from your application.
>
> I understand your concern about "maintaining duplicates" of resources.
> However, authorization services is strongly based on UMA concepts and there
> the AS plays an important role when managing the resources belonging to
> your users. By having complete control over resource owner's resources, the
> AS is capable of managing and taking care of these resources for your users
> (and your application) so you benefit from everything the AS provides such
> as privacy control, permission management and resource sharing, things that
> are very closely related with the basis of UMA: user managed access.
>
> What you described as "provide arbitrary attributes" is exactly what we
> are looking for. So you would have a more "stateless" permissioning model
> where you don't really want Keycloak to manage your resources, but just
> provide "facts" to the policy engine and have them processed by any
> matching policy in order to get a decision. This feature is pretty close
> related with a better contextual access control support. As it stands
> today, the "context" is basically what you have in your access token and
> you are not able to send any additional information.
>
> Back to "maintaining duplicates" topic, some time ago Bill Burke suggested
> a very interesting approach to resource management and storage. He
> suggested that we could provide a "Resource Provider SPI" that users could
> implement in order to fetch resources from an external database. I think is
> another thing we would start working for the next release.
>
> On Tue, May 9, 2017 at 7:30 AM, Yannick Lazzari <[hidden email]
> > wrote:
>
>> Hi,
>>
>> We're currently evaluating Keycloak to migrate an existing system. For the
>> sake of the discussion, let's use the photoz example and pretend we are an
>> online pictures hosting service and that we have millions of albums,
>> belonging to thousands of users (users typically have more than one album,
>> so we have more albums than users).
>>
>> If we were to implement the same permissions and wanted to constraint the
>> deletion of an album to its owner, does that mean that we would first need
>> to "sync" all our existing albums in Keycloak by "pushing" a
>> ResourceRepresentation for each of them, so that we can then have a policy
>> that uses the owner?
>>
>> And what if we actually have dozens of other resource types for which we
>> want to enforce similar "resource owner" policies, each of them having
>> millions of records and living in different databases? Is it also expected
>> for all of them to do the same, essentially maintaining duplicates (in
>> some
>> form) of all existing records in our system inside Keycloak's single
>> database, just so that we can use the resource owner in some policies?
>>
>> We understand the simple photoz example, for something that starts from
>> scratch and with little data, but we have a hard time seeing how such an
>> approach can scale well for an existing system with millions of resources
>> of different types. Or perhaps we're completely missing the point or an
>> important piece of the puzzle.
>>
>> Instead of having to push resources to Keycloak, is there a way to provide
>> arbitrary attributes that would be stored in the evaluation context of
>> policies and made available for the duration of a single authorization
>> request? For instance, when authorizing access to /album/123, could we
>> tell
>> Keycloak that the owner of this album is actually user id 456, have it
>> stored in some attribute in the evaluation context and then use that
>> attribute in a policy (whether it's Javascript or Drools), along with some
>> other arbitrary attributes? We've seen discussions around the usage of
>> custom user claims, but this does not really seem to apply here since
>> those
>> are not resource-specific. Or would there be a way to "extend" Keycloak
>> and
>> use a hook that is provided that would allow us to somehow add this
>> information to the evaluation context?
>>
>> Looking for help to see how we would start tackling such a problem, if we
>> were to adopt Keycloak.
>>
>> Thank you very much for any insight anyone can provide!
>>
>> Yannick
>>
> _______________________________________________
>> keycloak-user mailing list
>> [hidden email]
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
_______________________________________________
keycloak-user mailing list
[hidden email]
https://lists.jboss.org/mailman/listinfo/keycloak-user
yev
Reply | Threaded
Open this post in threaded view
|

Re: [keycloak-user] Migrating existing system vs. resource mangement

yev
This post has NOT been accepted by the mailing list yet.
Yannick

Thanks for posting this, we are looking for this level of functionality as well. If Keycloak is to be considered an ABAC provider, additional resource based attributes are definitely required.

Pedro, is there a feature request I can upvote :)

Thanks
Yev