Archived
This forum has been archived. Please start a new discussion on GitHub.
Glacier and service access authorization
Hi!
I have recently discovered Glacier2 to myself and I am very pleased with it. I have successfully implemented global SSL certificate-based authentication (SSLPermissionsVerifier). Anyway, I am currently thinking about whether I could use Glacier2 service to implement global point for authorizing client access to each and every service behind my Glacier2 server. I guess it is an arhitectural point and it even might have been described somewhere in the docs or samples, but at the moment I am kind of saturated with the amount of information at hand and I feel that I just miss something. Need your help to find out the answer to the following question: how can I specify which user can gain access to a particular service behind Glacier2 so that this point of authorization is implemented as a service without the need to implement authorization check on the level of each service itself.
Thanks in advance,
Dmitry.
I have recently discovered Glacier2 to myself and I am very pleased with it. I have successfully implemented global SSL certificate-based authentication (SSLPermissionsVerifier). Anyway, I am currently thinking about whether I could use Glacier2 service to implement global point for authorizing client access to each and every service behind my Glacier2 server. I guess it is an arhitectural point and it even might have been described somewhere in the docs or samples, but at the moment I am kind of saturated with the amount of information at hand and I feel that I just miss something. Need your help to find out the answer to the following question: how can I specify which user can gain access to a particular service behind Glacier2 so that this point of authorization is implemented as a service without the need to implement authorization check on the level of each service itself.
Thanks in advance,
Dmitry.
0
Comments
-
Hi,
The best way to do this is to have your clients use a session service.
Initially, a client only has access to the session object. Through the session object, clients obtain proxies on backend services. The implementation of the session checks whether or not the client is allowed to access the requested backend service. If it's allowed, it modifies the Glacier2 session filters to allow access to the service's Ice object (see the Glacier2 dynamic filtering documentation for more information on how to setup filters)
With this design, access control is done by the sessions and you don't have to worry about it in your backend services. If you need more fine grained access control such as per-operation (in addition of per-object), you'll need to implement facade objects for the backend objects. These facade objects will be used by the client to send requests to backend objects and will check whether or not a given client is allowed to invoke a given operation. These facade objects can also provide a simpler view of the backend services to your client.
Cheers,
Benoit.0
