IRC log for #openam, 2015-01-27

All times shown according to UTC.

Time Nick Message
05:50 ramteid joined #openam
08:36 KermitTheFragger joined #openam
09:30 hos001 joined #openam
09:46 aldaris joined #openam
10:04 hos001 joined #openam
10:17 aldaris Good morning everyone
10:27 hos001_ joined #openam
11:09 asyd morning
11:10 qt_br joined #openam
11:10 qt_br hello everybody
11:11 qt_br does anybody know why I'm not able to create realms through API but I can through openam UI?
11:12 asyd what's the error?
11:14 qt_br access denied
11:15 asyd i don't know if it's still true but you need to restart openam after creating a realm
11:15 qt_br the problem is that i can't create the realm
11:16 qt_br not that I can't modify its properties
11:16 asyd yeah but you created a realm from the webui right?
11:17 qt_br to test if a given user can create it
11:17 qt_br (which worked and I was able to modify/remove it without restarting the service)
11:20 aldaris the REST API for managing realms isn't necessarily the best, but realm creation should work just fine
11:20 aldaris by default it creates the realms as inactive though
11:21 aldaris just make sure you provide an admin session ID as part of the invocation
11:23 qt_br aldaris: I don't mind if it's inactive. And for admin do you understand any user within the group with "realm privileges"?
11:23 aldaris oh
11:23 aldaris delegated privileges don't really work with most of the new REST APIs
11:24 qt_br I mean, if login into UI with the same user allows to create realm, it should be true that this user is able to create realms
11:24 qt_br uhmmm.. does it mean it's an API bug/limitation?
11:24 qt_br is there any tracking url with more info?
11:27 aldaris this looks generic enough: https://bugster.forgerock.org/jira/browse/OPENAM-4034
11:30 aldaris managing configuration via REST will potentially happen in 13, but may be moved to 14, don't know
11:31 qt_br wow
11:31 qt_br this really breaks my schema...
11:32 qt_br because I can't assign amAdmin to any created group (neither Top level nor sub-realm)
11:32 aldaris and why would you assign amadmin to groups?!
11:32 qt_br well.. I don't know if that's true
11:32 aldaris *want ^
11:33 qt_br because I'm building an external UI to manage realms/users
11:33 aldaris that's not an answer to the question :)
11:33 qt_br but for non-techies fellas, so I need it to keep it simple
11:34 aldaris still doesn't explain why you would want to add amadmin to a group
11:34 qt_br and authorization decisions come from users group
11:35 qt_br well.. I'm very used to split my sentences.. :P sorry for that
11:35 aldaris what kind of authorization decisions are you talking about?!
11:37 qt_br is the user able to create realms? or is a plain user and just have access to its "dashboard"
11:37 aldaris the amadmin user doesn't have to belong to any group, it is just simply able to modify any part of the configuration
11:39 qt_br we wanted to have an "amAdmin" to access openAM UI and our own admin who is just able to manage realms and its users
11:39 qt_br but if we can't have this admin role because of privileges delegation
11:39 aldaris you can do that, just don't use the REST endpoints for that :)
11:40 qt_br hahaha
11:40 qt_br seems legit
11:40 aldaris there is a Java SDK which fully exposes the configuration
11:40 aldaris and privilege delegation works as well
11:43 qt_br well... gonna work on this, wish me luck :P
11:44 qt_br btw, if a policy has subject "amAdmin" and a custom condition (i.e. groups)
11:44 qt_br it won't authorize me, isn't it?
11:45 aldaris why would you want to create policies that matches amAdmin?
11:45 aldaris the admin should be used to administer OpenAM, not to access arbitrary applications
11:45 qt_br I mean, it will say subject is OK but as it doesn't belong to any group it won't work
11:46 qt_br well.. I'm trying to do so... but through my own application instead of openam "complex" console
11:46 aldaris sounds like a good overcomplicated project to me
11:47 aldaris you should use ssoadm (CLI tool) to manage OpenAM configuration btw
11:47 aldaris that makes config changes repeatable..
11:48 qt_br does it mean that I can change my API call to create the realm to make it like a system call?
11:49 qt_br maybe it's a bit messy... but I'm just trying to fit requirements with capabilities :S
11:49 aldaris https://bugster.forgerock.org/jira/browse/OPENAM-4606 HAH :)
11:51 aldaris anything that you could possibly come up with to implement a non-complex console will inherently become awfully complex and most likely incorrect
11:51 qt_br is this a channel to help openam users or just to demoralize them?
11:51 qt_br :P
11:52 aldaris I'm helping you by driving you away from something that you really don't want to do
11:52 qt_br I know, it was a joke
11:52 qt_br and I understand what you are trying to do
11:53 aldaris but you are right a bit :) working with OpenAM for the past 5 years made me a bit cynical
11:54 qt_br let's see if my boss has your sense of humor :P
11:57 qt_br whatever, I don't need to delegate if I'm using ssoadm system call... I can write some spaghetti code to use the policy as is and if it's authorized, just use the ssoadm with hardcoded user and pass
11:58 aldaris ssoadm is only meant to run from the same server as OpenAM is deployed onto btw
11:59 qt_br great... hahaha
11:59 aldaris thought you might find that useful to know :)
11:59 qt_br I will leave the channel, you're driving me crazy
12:00 qt_br yes it is
12:00 qt_br thanks
12:00 qt_br :)
16:15 balo_ joined #openam
18:51 aldaris joined #openam
19:28 aldaris joined #openam
19:45 ilbot3 joined #openam
19:45 Topic for #openam is now Chat about the OpenAM project - https://backstage.forgerock.com/#/downloads - OpenAM 12.0.0 is out! OpenAM 11.0.2 is out! Channel logs at: http://irclog.perlgeek.de/openam/today
21:53 aldaris joined #openam