Skip to main content


Eclipse Community Forums
Forum Search:

Search      Help    Register    Login    Home
Home » Modeling » EMF » [CDO] Define fine grained object access with CDO security model ?(By using ObjectFilter, ExpressionFilter and combined expressions ?)
[CDO] Define fine grained object access with CDO security model ? [message #1141778] Thu, 17 October 2013 07:24 Go to next message
Laurent Le Moux is currently offline Laurent Le MouxFriend
Messages: 184
Registered: September 2011
Senior Member
Hi all,

I had a look to the security manager wiki http://wiki.eclipse.org/CDO/Security_Manager which sounds promising.

I was wondering whether the CDO security model could help with the following use case.
Let's say I have the following model : 'Actor' - uses - 'Application'.

I would like a CDO administrator to create default actors in the repository like 'Client' and 'Agent'.

Other repository users could link 'Client' or 'Agent' to an Application object but deleting or even renaming these two actors should not be permitted.

Could this be achieved using expressions ? Is there any exemple available as guideline on how to use this new security feature ?

Regards,

Laurent
Re: [CDO] Define fine grained object access with CDO security model ? [message #1141911 is a reply to message #1141778] Thu, 17 October 2013 09:10 Go to previous messageGo to next message
Eike Stepper is currently offline Eike StepperFriend
Messages: 6682
Registered: July 2009
Senior Member
Am 17.10.2013 09:25, schrieb Laurent Le Moux:
> Hi all,
>
> I had a look to the security manager wiki http://wiki.eclipse.org/CDO/Security_Manager which sounds promising.
>
> I was wondering whether the CDO security model could help with the following use case.
> Let's say I have the following model : 'Actor' - uses - 'Application'.
>
> I would like a CDO administrator to create default actors in the repository like 'Client' and 'Agent'.
>
> Other repository users could link 'Client' or 'Agent' to an Application object but deleting
Then you need to remove write access to the container of these objects from that group of users.

> or even renaming these two actors should not be permitted.
Then your link between Actor and Application must not be bidirectional because otherwise the write access to
Actor::application(s) would also apply to Actor::name.

If it must be bidirectional you will have to model two classes, one for the name and one for the application(s) reference.

>
> Could this be achieved using expressions ?
I don't see yet how the object state impacts the permissions.

> Is there any exemple available as guideline on how to use this new security feature ?
I know of no public examples. Isn't http://wiki.eclipse.org/CDO/Security_Manager helpful?

Cheers
/Eike

----
http://www.esc-net.de
http://thegordian.blogspot.com
http://twitter.com/eikestepper


Re: [CDO] Define fine grained object access with CDO security model ? [message #1142741 is a reply to message #1141911] Thu, 17 October 2013 20:42 Go to previous messageGo to next message
Laurent Le Moux is currently offline Laurent Le MouxFriend
Messages: 184
Registered: September 2011
Senior Member
Hi Eike,

I see my example wasn't clear enough.
I just want to restrict access to the actors created by the administrator.
Users may define, modify and suppress their own ones.

From the security model, I indeed understand that a ClassFilter read access will apply to Actor::application(s) as well as Actor::name.

As I need to be more fine grained and apply my control depending on the actor instance (for 'Client' and 'Agent' only), I wonder if using an ObjectFilter would be the right way ?

I could have my Actor EClass inherit from the ObjectFilter one and implement isApplicable().
The implementation would - for example - check the object creator.
Would it be the administrator, I should return true or false depending on the modified feature and how's trying to modify it.

So the question would be : how do I know what feature is about to be modified and by who ?
I would probably need to be notified by some kind of event.

Moreover - to be more efficient - it would probably be better not to wait for transaction commit to determine whether the modification may be performed or not...

Your opinion ?

Regards
Re: [CDO] Define fine grained object access with CDO security model ? [message #1143286 is a reply to message #1142741] Fri, 18 October 2013 05:05 Go to previous messageGo to next message
Eike Stepper is currently offline Eike StepperFriend
Messages: 6682
Registered: July 2009
Senior Member
Am 17.10.2013 22:42, schrieb Laurent Le Moux:
> Hi Eike,
>
> I see my example wasn't clear enough.
> I just want to restrict access to the actors created by the administrator.
> Users may define, modify and suppress their own ones.
>
> From the security model, I indeed understand that a ClassFilter read access will apply to Actor::application(s) as
> well as Actor::name.
>
> As I need to be more fine grained and apply my control depending on the actor instance (for 'Client' and 'Agent'
> only), I wonder if using an ObjectFilter would be the right way ?
Yes.

>
> I could have my Actor EClass inherit from the ObjectFilter one and implement isApplicable().
Yes, that would be one way of doing it.

You could, as you suggested in your first mail, use an ExpressionFilter. Please note that those are brand new and
totally untested. Feedback is welcome ;-)

An easier solution would be if you store the objects you want to protect in a separate resource and use ResourceFilter
to define the permissions.

> The implementation would - for example - check the object creator.
> Would it be the administrator, I should return true or false depending on the modified feature
That's not how it's designed to work. Permissions (access levels) are determined and assigned at an object granule, not
a feature granule.

> and how's trying to modify it.
You mean *who* ? In ResourceFilterImpl.getMatchers() is an example on how to use PermissionFilterImpl.getUser().

>
> So the question would be : how do I know what feature is about to be modified and by who ?
See above.

> I would probably need to be notified by some kind of event.
These events (logon/authenticate, load revision, commit transaction) arrive internally in the SecurityManager:

org.eclipse.emf.cdo.server.internal.security.SecurityManager.Authenticator.authenticate()
org.eclipse.emf.cdo.server.internal.security.SecurityManager.PermissionManager.getPermission()
org.eclipse.emf.cdo.server.internal.security.SecurityManager.WriteAccessHandler.handleTransactionBeforeCommitting()

You only interface with this framework through PermissionFilter.isApplicable().

>
> Moreover - to be more efficient - it would probably be better not to wait for transaction commit to determine whether
> the modification may be performed or not...
Indeed the commit checking is just like the "last line of defense". When you client loads the objects (more exactly the
CDORevisions) the permissions are already assigned and you can call CDOObject.cdoPermission() to use them locally.

Cheers
/Eike

----
http://www.esc-net.de
http://thegordian.blogspot.com
http://twitter.com/eikestepper


Re: [CDO] Define fine grained object access with CDO security model ? [message #1143634 is a reply to message #1143286] Fri, 18 October 2013 10:14 Go to previous messageGo to next message
Laurent Le Moux is currently offline Laurent Le MouxFriend
Messages: 184
Registered: September 2011
Senior Member
If I understand well, to get a feature level authorisation for any object, this would imply a combined usage of CDO security model with an evolution on EMF.Edit side ?

We could imagine in .genmodel to have - in the edit part of each feature - a new 'Enable access authorisation' flag.

If true, the EMF.Edit internals would check authorisation based on a public list of permissions containing [Feature, Role, Access, Rule] (OCLRule could even extend Rule...).
Default behavior would be R/W (as today).

On CDO side, the administrator could edit permissions as any other attribute of the selected object.

In my use case, this would mean :
- Add a permission to both 'Client' and 'Agent' where : Feature = Actor.ACTOR__NAME, Role='Restricted Object Access', Access = R and Rule = None.

To be exhaustive, EMF.Edit could offer the same mechanism at object and corresponding EClass levels (with the due priorities).

Regards,

Laurent
Re: [CDO] Define fine grained object access with CDO security model ? [message #1146282 is a reply to message #1143634] Sun, 20 October 2013 03:53 Go to previous messageGo to next message
Eike Stepper is currently offline Eike StepperFriend
Messages: 6682
Registered: July 2009
Senior Member
Am 18.10.2013 12:14, schrieb Laurent Le Moux:
> If I understand well, to get a feature level authorisation for any object, this would imply a combined usage of CDO
> security model with an evolution on EMF.Edit side ?
Not sure what you're trying to suggest, but CDO has almost no "feature-level anything", e.g., no feature-level loading,
locking or permission checking. There's no infrastructure for this and I don't think that this infrastructure will
appear anytime soon.

Cheers
/Eike

----
http://www.esc-net.de
http://thegordian.blogspot.com
http://twitter.com/eikestepper


>
> We could imagine in .genmodel to have - in the edit part of each feature - a new 'Enable access authorisation' flag.
>
> If true, the EMF.Edit internals would check authorisation based on a public list of permissions containing [Feature,
> Role, Access, Rule] (OCLRule could even extend Rule...).
> Default behavior would be R/W (as today).
>
> On CDO side, the administrator could edit permissions as any other attribute of the selected object.
>
> In my use case, this would mean :
> - Add a permission to both 'Client' and 'Agent' where : Feature = Actor.ACTOR__NAME, Role='Restricted Object Access',
> Access = R and Rule = None.
>
> To be exhaustive, EMF.Edit could offer the same mechanism at object and corresponding EClass levels (with the due
> priorities).
>
> Regards,
>
> Laurent


Re: [CDO] Define fine grained object access with CDO security model ? [message #1737660 is a reply to message #1143286] Mon, 11 July 2016 15:56 Go to previous messageGo to next message
Xavier ZeitounFriend
Messages: 23
Registered: April 2016
Location: CEA LIST, Paris Saclay, F...
Junior Member
Hi Eike,

I would like to use expression filter to have filter based on UML (for filtering by UML Metaclass, by applied stereotypes, by properties ...).
Would you now have example of application or ExpressionFilter?

Thank you,
Best regards,
Xavier
Re: [CDO] Define fine grained object access with CDO security model ? [message #1737800 is a reply to message #1737660] Wed, 13 July 2016 06:45 Go to previous messageGo to next message
Tristan Faure is currently offline Tristan FaureFriend
Messages: 460
Registered: July 2009
Senior Member
I would also be interested.
Our use cas is : If one attribute value is set by an user other modification must be forbidden.

Do you think this is achievable by CDO ? using Expression Filter ?




Re: [CDO] Define fine grained object access with CDO security model ? [message #1739748 is a reply to message #1737660] Wed, 03 August 2016 11:27 Go to previous messageGo to next message
Eike Stepper is currently offline Eike StepperFriend
Messages: 6682
Registered: July 2009
Senior Member
Am 11.07.2016 um 18:56 schrieb Xavier Zeitoun:
> Hi Eike,
>
> I would like to use expression filter to have filter based on UML (for filtering by UML Metaclass, by applied
> stereotypes, by properties ...).
> Would you now have example of application or ExpressionFilter?
No, unfortunately I have no example available. But maybe you can ask a more specific question or explain what exactly is
not working in your prototype?

Cheers
/Eike

----
http://www.esc-net.de
http://thegordian.blogspot.com
http://twitter.com/eikestepper


Re: [CDO] Define fine grained object access with CDO security model ? [message #1739749 is a reply to message #1737800] Wed, 03 August 2016 11:31 Go to previous messageGo to next message
Eike Stepper is currently offline Eike StepperFriend
Messages: 6682
Registered: July 2009
Senior Member
Am 13.07.2016 um 09:45 schrieb Tristan Faure:
> I would also be interested. Our use cas is : If one attribute value is set by an user other modification must be
> forbidden.
I assume you mean "must be forbidden *for all other users*". Is that correct?

> Do you think this is achievable by CDO ? using Expression Filter ?
I've never tried something like that, but if I would have to I'd certainly try to achieve it with expression filters. I
have the feeling that the concept of "object ownership" is intrinsic to your problem, so you'd need to find a way to
store and retrieve the ownership information for any given object.

Cheers
/Eike

----
http://www.esc-net.de
http://thegordian.blogspot.com
http://twitter.com/eikestepper


Re: [CDO] Define fine grained object access with CDO security model ? [message #1739756 is a reply to message #1739749] Thu, 04 August 2016 14:03 Go to previous messageGo to next message
Tristan Faure is currently offline Tristan FaureFriend
Messages: 460
Registered: July 2009
Senior Member
OK we will check that the main issue I see is that we have attribute value ownership .... not sure that expression filter have attribute granularity ?



Re: [CDO] Define fine grained object access with CDO security model ? [message #1741970 is a reply to message #1737660] Wed, 03 August 2016 11:27 Go to previous messageGo to next message
Eike Stepper is currently offline Eike StepperFriend
Messages: 6682
Registered: July 2009
Senior Member
Am 11.07.2016 um 18:56 schrieb Xavier Zeitoun:
> Hi Eike,
>
> I would like to use expression filter to have filter based on UML (for filtering by UML Metaclass, by applied
> stereotypes, by properties ...).
> Would you now have example of application or ExpressionFilter?
No, unfortunately I have no example available. But maybe you can ask a more specific question or explain what exactly is
not working in your prototype?

Cheers
/Eike

----
http://www.esc-net.de
http://thegordian.blogspot.com
http://twitter.com/eikestepper


Re: [CDO] Define fine grained object access with CDO security model ? [message #1741971 is a reply to message #1737800] Wed, 03 August 2016 11:31 Go to previous messageGo to next message
Eike Stepper is currently offline Eike StepperFriend
Messages: 6682
Registered: July 2009
Senior Member
Am 13.07.2016 um 09:45 schrieb Tristan Faure:
> I would also be interested. Our use cas is : If one attribute value is set by an user other modification must be
> forbidden.
I assume you mean "must be forbidden *for all other users*". Is that correct?

> Do you think this is achievable by CDO ? using Expression Filter ?
I've never tried something like that, but if I would have to I'd certainly try to achieve it with expression filters. I
have the feeling that the concept of "object ownership" is intrinsic to your problem, so you'd need to find a way to
store and retrieve the ownership information for any given object.

Cheers
/Eike

----
http://www.esc-net.de
http://thegordian.blogspot.com
http://twitter.com/eikestepper


Re: [CDO] Define fine grained object access with CDO security model ? [message #1741982 is a reply to message #1739756] Fri, 05 August 2016 14:03 Go to previous message
Eike Stepper is currently offline Eike StepperFriend
Messages: 6682
Registered: July 2009
Senior Member
Am 04.08.2016 um 17:03 schrieb Tristan Faure:
> OK we will check that the main issue I see is that we have attribute value ownership .... not sure that expression
> filter have attribute granularity ?
An expression filter can access attribute values to determine the permission to grant to the user for the entire object.

Cheers
/Eike

----
http://www.esc-net.de
http://thegordian.blogspot.com
http://twitter.com/eikestepper


Previous Topic:CLASS CAST EXCEPTION
Next Topic:Call for Submissions: Modeling Symposium @ EclipseCon Europe 2016
Goto Forum:
  


Current Time: Thu Mar 28 14:28:13 GMT 2024

Powered by FUDForum. Page generated in 0.06341 seconds
.:: Contact :: Home ::.

Powered by: FUDforum 3.0.2.
Copyright ©2001-2010 FUDforum Bulletin Board Software

Back to the top