authnz

Abstract

Authorization and authentication design

Subject. Entity that can make a request - User/Device/Service
Login. Represents a subject which can log in (synonym: sign in), user/device
Profile. Linked to login, personal data and other application specific information
Principal (Принципал). Unique key which can be used in ACL (список управления доступом)
- Login | Group | Role
Role (Роль). Schema-level principal (predefined group, предопределенная группа)
- Allows to create predefined ACLs (предопределенные списки управления доступом)
- Examples
  - unTill: Waiter, Waiter+, Manager
  - PK: Executor, Executor+, Manager
Group (Группа). Workspace-level principal
PrincipalToken (То́кен Принципала) - token which authenticated principals (токен который удостоверяет подлинность принципалов)
- Login + Role/Group memberships
ACL. Acces Control List (список управления доступом)
- Currently we use predefined ACLs only (предопределенные списки управления доступом)
  - ACL managements too complicated
- Users can only manage groups and roles membership
- Permissions for Hosts can be manages by
  - GRANT ROLE ChargeBee TO ADDRESS

Step	Actor	Served by
Send a request to the QueryProcessor	Subject
Authenticate Principal	QueryProcessor	IAuthenticator.Authenticate()
Authorize EXECUTE operation	QueryProcessor	IAuthorizer.Authorize()
Opt: Authorize READ operation	QueryProcessor	IAuthorizer.Authorize()

Step	Actor	Served by
Send a request to the CommandProcessor	Subject
Authenticate Principal	CommandProcessor	IAuthenticator.Authenticate()
Authorize EXECUTE operation	CommandProcessor	IAuthorizer.Authorize()
Authorize fields CREATE/UPDATE	CommandProcessor	IAuthenticator.Authorize()