[Mailman-Developers] User-centric authentication and access control

Andrew Stuart andrew.stuart at supercoders.com.au
Tue Sep 1 23:13:06 CEST 2015


It might be helpful if I explain what Mailmania does.

login - an anonymous HTTP request can be sent to the server asking to log in and POSTing Mailman username and password. Success results in a response with a JWT in the HTTP headers.
authentication - when an HTTP request arrives, it is examined to see if it contains a valid JSON Web Token (JWT) in its headers
authorization - when an HTTP request comes in, the request is examined to determine if the requesting user (as defined by the JWT attached to the request) has permission to access the resource they have requested. It has a set of business rules that make decisions about what resources a user is able to access. If authorization is approved, the request is proxied to the Mailman core REST API.

The Mailman permissions model is based on the idea that Mailman has the following resources:

a server
domains
lists
users

Users can have auth roles: (not the same as Mailman 2 roles I think)
userowner (this is implied, a user is its own owner)
listowner
listmember
listmoderator
listnonmember
domainowner
serverowner

Any HTTP request to Mailmania must be from a specific user, attempting to access a specific resource. Mailmania basically just figures out if that user is indeed allowed access to the resource they have asked for, and sends it through or denies it.
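The three-step flow described in this message (login issues a JWT, authentication validates the JWT on each request, authorization applies business rules before proxying to the core REST API), written out as an added stand-alone example. This is not Mailmania's code and not Mailman's; the signing key, the user and role tables, the URL layout (modelled loosely on the Mailman 3 REST paths /3.0/lists/..., /3.0/domains/..., /3.0/users/...) and the specific business rules are all constructed for the demonstration. The JWT is HS256 over the standard library so the example runs without PyJWT; the verifier pins the algorithm, uses a constant-time signature compare and rejects expired tokens, which are the checks a gateway like this has to get right.

```python
# Added illustration of the login / authentication / authorization flow.
# Not Mailmania's code: secret, users, roles, paths and rules are constructed.
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret-do-not-reuse"   # assumed gateway signing key
TOKEN_TTL = 3600                                    # assumed token lifetime (s)


def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user table: username -> (salt, PBKDF2-SHA256 hash of password).
USERS = {u: (("salt-" + u).encode(), _hash_pw(u + "-pass", ("salt-" + u).encode()))
         for u in ("anne", "bart", "cris", "dana")}

# Constructed role grants: username -> set of (role, scope); serverowner has no scope.
ROLES = {
    "anne": {("serverowner", None)},
    "bart": {("domainowner", "example.com")},
    "cris": {("listowner", "ant@example.com")},
    "dana": {("listmember", "ant@example.com")},
}


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username, now=None):
    """Mint an HS256 JWT carrying subject, issued-at and expiry claims."""
    now = int(time.time()) if now is None else now
    parts = [_b64url(json.dumps(p, separators=(",", ":")).encode())
             for p in ({"alg": "HS256", "typ": "JWT"},
                       {"sub": username, "iat": now, "exp": now + TOKEN_TTL})]
    signing_input = ".".join(parts)
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def login(username, password):
    """Step 1: anonymous POST of username/password. Returns a JWT or None."""
    # Always run the hash and a constant-time compare, even for unknown users,
    # so a wrong username and a wrong password take the same time.
    salt, stored = USERS.get(username, (b"dummy", b"\x00" * 32))
    ok = hmac.compare_digest(_hash_pw(password, salt), stored)
    return issue_token(username) if username in USERS and ok else None


def verify_token(token, now=None):
    """Step 2: authentication. Returns the payload dict, or None for any defect
    (malformed token, alg other than HS256, bad signature, missing sub, expired)."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_unb64url(h))
        if header.get("alg") != "HS256":       # pin the algorithm; never honour "none"
            return None
        expected = hmac.new(SECRET, (h + "." + p).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(s)):
            return None
        payload = json.loads(_unb64url(p))
    except (ValueError, TypeError, AttributeError):
        return None
    if (not isinstance(payload, dict) or not isinstance(payload.get("sub"), str)
            or not isinstance(payload.get("exp"), int) or payload["exp"] <= now):
        return None
    return payload


def _resource(path):
    """Map a request path to (kind, id). Assumed layout: /3.0/lists/<fqdn>,
    /3.0/domains/<host>, /3.0/users/<name>; anything else is server-level."""
    parts = path.strip("/").split("/")
    kinds = {"lists": "list", "domains": "domain", "users": "user"}
    if len(parts) >= 3 and parts[1] in kinds:
        return kinds[parts[1]], parts[2]
    return "server", None


def authorize(username, method, kind, ident):
    """Step 3: business rules (constructed for the demo, not Mailmania's)."""
    roles = ROLES.get(username, set())
    if ("serverowner", None) in roles:
        return True                                  # server owner may do anything
    if kind == "server":
        return False
    if kind == "user":
        return ident == username                     # the implied userowner role
    domain = ident.split("@", 1)[-1] if kind == "list" else ident
    if ("domainowner", domain) in roles:
        return True                                  # domain owner manages its lists
    if kind == "list" and ("listowner", ident) in roles:
        return True
    if kind == "list" and ("listmember", ident) in roles:
        return method == "GET"                       # members get read-only access
    return False                                     # listnonmember and everyone else


def handle_request(method, path, headers, now=None):
    """Gateway entry point: (status, action); "proxy" means forward to core."""
    auth = headers.get("Authorization", "")
    payload = verify_token(auth[7:], now) if auth.startswith("Bearer ") else None
    if payload is None:
        return 401, "unauthenticated"
    kind, ident = _resource(path)
    if not authorize(payload["sub"], method, kind, ident):
        return 403, "forbidden"
    return 200, "proxy"
```

The split matters in practice: verify_token answers only "who sent this" and is deliberately ignorant of resources, while authorize is pure data-in, boolean-out, so the business rules can be unit-tested against the role table without minting tokens or touching the core API. A real deployment would load SECRET from configuration, use a per-user random salt, and map list ids through whatever scheme the core actually uses rather than splitting on "@".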


