Introduction

Reference implentation of based on Modularized Persistence.

Interfaces

• AuthorizationManager: Managing permissions and permission inheritances
• PermissionChecker: Checking permissions, getting the scope of the authorization and the resource id of the system
• AuthorizationQdslUtil: Generating predicates for existing Querydsl based database queries

God mode

There is a resource id that identifies the system. It is created when the authorization-ri component is first started and stored in property-manager. It is possible to retrieve the resource id of the system from the PermissionChecker OSGi service.

When the system resource is used, all permission checks return true (even if the target resource id does not exist).

Programmers, who develop custom permission check query extensions, should always take care of checking if the authorized resource id is the resource id of the system.

Database structure

Permission table

• authorized_resource_id: Resource id of a user, group, role, etc. A resource that can be authorized to do actions on something.
• target_resource_id: Resource id of a book, document, etc. A resource that can be used to run authorized actions on.
• action: edit, view, delete, etc. Any activity that needs permission.

All three fields are part of the composite primary key of the table. The two resource ids are foreign keys that reference the resource table.

Permission inheritance table

• parent_resource_id: Resource id of a role, user group, etc.
• child_resource_id: Resource id of a user, role, user group, etc.

The child resource inherits all rights from the parent resource. Inheritance works transitively. E.g.: Multi-level role or user group hierarchy can be designed.

The two fields are part of the composite primary key of the table. Both fields are foreign keys that reference the resource table.

Caching

The component needs two caches to be able to work.

• Permission cache: Stores the records of the permission table. The cache also stores those permissions, that were queried but the permission is not granted.
• Permission inheritance cache: Stores the content of the permission_inheritance table as it is.

NoOp cache can be used, however, the tests show that with a no-operation cache the checkPermission function works at least twenty times slower.

Performance

With the simplest cache implementation (ConcurrentHashMap), and a simple three level permission inheritance graph, the permission checker can answer a 1.000 times in a millisecond on an average notebook. This might be worse a little bit with large set of data and with a real transactional cache. The cache size should be at least as big as many records are used frequently from the database frequently on one node.