This topic was brought up recently here.  There’s a ticket to track its 
progress:
https://issues.apache.org/jira/browse/FC-265

And a new readme created to explain usage:
https://github.com/apache/directory-fortress-enmasse/blob/master/README-SECURITY-MODEL.md

The document is not the best, but it begins to explain how it works.  Will need 
to be worked on some more to make it a proper document that someone can use to 
set up and use these checks.

There have been some key changes to how Fortress passes and uses security 
credentials.  Some of this was work that was started many years ago, only just 
now getting completed.

1. Stop passing/accepting administrator’s RBAC session in the payload of the 
request.  This is true of all services EXCEPT for those under Access and 
DelAccess managers, where the session is a normal part of the API’s public 
interface, i.e. method parameters. 

2. Use the credentials passed inside the HTTP Basic Auth header as basis for 
the admin RBAC session.  The realm already supports passing the caller’s RBAC 
session to the application, in this case Fortress Rest.  Now on service 
invocation, the runtime will grab the caller’s RBAC session from the HTTP 
Servlet interface, i.e. HttpServletRequest.getUserPrincipal().toString(), which 
is then deserialized and synthesized into core.model.Session via realm API.

3. Use that RBAC session to enforce downstream ARBAC02 checks:

a. Administrative permission check - does the caller have an ADMIN role that 
contains a permission that corresponds with the service being called, e.g. 
addUser.

b. ARBAC02 range check - on specific services, i.e. de/assignUser, 
grant/revokePermission, ensure caller has ADMIN role containing range with 
authority of target role.

c. ARBAC02 org check - on specific services, ensure the caller has ADMIN role 
containing user or perm OU matching the target entity being changed.

See the readme above for more description on how the ARBAC checks work.

The ARBAC02 checks are turned off by default in the Apache Fortress REST 
runtime.  To enable, add this to fortress.properties file:
is.arbac02=true

***

The code has all been checked into the Core and Rest repos.  All the tests pass 
for each of the components so this shouldn't affect users who don't 
specifically enable it.

—Shawn
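The three ARBAC02 checks listed in the post (administrative permission, role range, and OU), modeled over constructed data as an added example; this is not Apache Fortress code and does not use the Fortress API. The role hierarchy, admin role definitions, OU names and the `(object, operation)` pairs mapped to service names are all constructed, and the range semantics (begin range at the bottom of the hierarchy, end range at the top, each end inclusive or exclusive) are an assumption about how the check is modeled, not a statement of the project's implementation. The session is built from a principal string rather than from the request payload, mirroring the change described in point 2.

```python
"""Model of the ARBAC02 checks a REST runtime can apply to an admin session.

Constructed example; not Fortress code. All data below is made up.
"""
import json
from dataclasses import dataclass

# Role hierarchy as child -> parent (constructed). None marks a top role.
ROLE_PARENTS = {"Clerk": "Employee", "Manager": "Employee", "Employee": None}

# Which admin permission each REST service requires (constructed pairs).
SERVICE_PERMS = {
    "addUser": ("AdminMgr", "addUser"),
    "assignUser": ("AdminMgr", "assignUser"),
    "grantPermission": ("AdminMgr", "grantPermission"),
}


def ancestors(role):
    """Roles above `role` in the hierarchy, nearest parent first."""
    out, parent = [], ROLE_PARENTS.get(role)
    while parent:
        out.append(parent)
        parent = ROLE_PARENTS.get(parent)
    return out


@dataclass(frozen=True)
class AdminRole:
    name: str
    begin_range: str        # lowest role the admin may touch
    end_range: str          # highest role the admin may touch
    begin_inclusive: bool   # assumption: ends may be inclusive or exclusive
    end_inclusive: bool
    user_ous: frozenset     # user OUs this admin role governs
    perm_ous: frozenset     # perm OUs this admin role governs


@dataclass(frozen=True)
class Session:
    user_id: str
    admin_roles: tuple
    admin_perms: frozenset  # (object, operation) pairs granted by admin roles


def session_from_principal(principal):
    """Build the caller's session from the container principal string.

    The string format is constructed (JSON); the point is that the session
    comes from the authenticated principal, never from the request payload.
    """
    doc = json.loads(principal)
    roles = tuple(
        AdminRole(r["name"], r["begin"], r["end"], r["begin_incl"],
                  r["end_incl"], frozenset(r["user_ous"]),
                  frozenset(r["perm_ous"]))
        for r in doc["admin_roles"]
    )
    perms = frozenset(tuple(p) for p in doc["admin_perms"])
    return Session(doc["user_id"], roles, perms)


def check_admin_perm(session, service):
    """Check a: does an ADMIN role grant the permission for this service?"""
    return SERVICE_PERMS[service] in session.admin_perms


def role_in_range(admin_role, target):
    """Target role sits between begin and end of the admin role's range."""
    lower_ok = ((target == admin_role.begin_range and admin_role.begin_inclusive)
                or target in ancestors(admin_role.begin_range))
    upper_ok = ((target == admin_role.end_range and admin_role.end_inclusive)
                or admin_role.end_range in ancestors(target))
    return lower_ok and upper_ok


def check_range(session, target_role):
    """Check b: some ADMIN role's range covers the target role."""
    return any(role_in_range(ar, target_role) for ar in session.admin_roles)


def check_user_ou(session, target_ou):
    """Check c (user form): some ADMIN role governs the target user's OU."""
    return any(target_ou in ar.user_ous for ar in session.admin_roles)


def check_perm_ou(session, target_ou):
    """Check c (perm form): some ADMIN role governs the target perm's OU."""
    return any(target_ou in ar.perm_ous for ar in session.admin_roles)


def authorize_assign_user(session, target_user_ou, target_role):
    """assignUser needs all three: admin perm, range, and user OU."""
    return (check_admin_perm(session, "assignUser")
            and check_range(session, target_role)
            and check_user_ou(session, target_user_ou))


# Constructed principal for a departmental admin who may manage Clerk
# (inclusive) up to but not including Employee, within OU "dept1".
SAMPLE_PRINCIPAL = json.dumps({
    "user_id": "deptadmin1",
    "admin_roles": [{
        "name": "DeptAdmin", "begin": "Clerk", "end": "Employee",
        "begin_incl": True, "end_incl": False,
        "user_ous": ["dept1"], "perm_ous": ["dept1-apps"],
    }],
    "admin_perms": [["AdminMgr", "assignUser"], ["AdminMgr", "addUser"]],
})


def demo():
    """Return the decision for a few assignUser attempts."""
    s = session_from_principal(SAMPLE_PRINCIPAL)
    return {
        "clerk_in_dept1": authorize_assign_user(s, "dept1", "Clerk"),
        "employee_in_dept1": authorize_assign_user(s, "dept1", "Employee"),
        "manager_in_dept1": authorize_assign_user(s, "dept1", "Manager"),
        "clerk_in_dept2": authorize_assign_user(s, "dept2", "Clerk"),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

Only the first case passes: Employee is excluded because the end of the range is exclusive, Manager is not below Employee on the Clerk branch, and dept2 is outside the admin role's user OU set. Each check fails closed, so a caller whose principal carries no admin roles is denied everything.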
