Connector framework for authorization, Connector 4.0 authorization (beta) – Google Search Appliance Security User Manual
Connector Framework for Authorization
Another option for modeling security is implementing
and GSA documentation, a connector can be created to “traverse” or feed public or secure content into
the search appliance as well as to support serve-time authentication and authorization. We have
discussed connectors
. Here we will discuss using connectors to perform
authorization as a late binding mechanism.
Interface support
The Connector Framework defines the following interface to be implemented by a connector developer:
public interface AuthorizationManager;
It has the following method for authorization:
public List authorizeDocids(Collection docids, AuthenticationIdentity identity) throws RepositoryException;
“docids” is a collection of unique document IDs for matched search results. Multiple docids are passed
from the appliance to a connector. When enough documents are authorized based on the search user’s
identity, the appliance stops calling the connector. Otherwise, the appliance keeps calling this API,
each time with more docids than the previous call, until the allocated time runs out, the docids run out, or
enough documents with “PERMIT” are returned to the search user.
AuthenticationIdentity holds the verified identity of the user. Depending on the authentication protocol
used, it can contain a username, a domain, or even a password (if the deployed authentication protocol
gathers the password). A connector implementation should decide what minimum information in
AuthenticationIdentity it requires.
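The batching and minimum-identity points above, as an added example that is not code from this manual or from the Connector Framework: a deny-by-default connector that requires both username and domain, driven by a simulated appliance loop that sends growing batches until enough documents are permitted. The stand-in types, the Decision record, the user@DOMAIN principal format, the batch sizes and the sample ACLs are assumptions; the time limit is omitted and each batch here carries only new docids. Requires Java 16 or later.

```java
import java.util.*;

public class LateBindingAuthzDemo {
    // Stand-in types (assumptions); a real connector uses the framework's own classes.
    static class RepositoryException extends Exception {}
    record AuthenticationIdentity(String username, String domain) {}
    record Decision(String docid, boolean permit) {} // hypothetical result type
    interface AuthorizationManager {
        List<Decision> authorizeDocids(Collection<String> docids,
            AuthenticationIdentity identity) throws RepositoryException;
    }

    // Connector side: one decision per docid, deny unless the ACL lists the user.
    static class AclAuthorizationManager implements AuthorizationManager {
        private final Map<String, Set<String>> acl; // docid -> allowed "user@DOMAIN"
        AclAuthorizationManager(Map<String, Set<String>> acl) { this.acl = acl; }
        public List<Decision> authorizeDocids(Collection<String> docids,
                AuthenticationIdentity id) {
            // Minimum identity this connector requires: username and domain.
            boolean usable = id != null && id.username() != null && id.domain() != null
                && !id.username().isBlank() && !id.domain().isBlank();
            String principal = usable ? id.username() + "@" + id.domain() : null;
            List<Decision> out = new ArrayList<>();
            for (String docid : docids) out.add(new Decision(docid,
                usable && acl.getOrDefault(docid, Set.of()).contains(principal)));
            return out;
        }
    }

    // Appliance side (simulated): growing batches until enough PERMITs or no docids left.
    static List<String> serve(AuthorizationManager am, List<String> ranked,
            AuthenticationIdentity id, int wanted) throws RepositoryException {
        List<String> permitted = new ArrayList<>();
        for (int from = 0, batch = 2; from < ranked.size() && permitted.size() < wanted; batch *= 2) {
            int to = Math.min(ranked.size(), from + batch);
            for (Decision d : am.authorizeDocids(ranked.subList(from, to), id))
                if (d.permit() && permitted.size() < wanted) permitted.add(d.docid());
            from = to;
        }
        return permitted;
    }

    public static void main(String[] args) throws RepositoryException {
        // Constructed sample data: ranked hits and their ACLs.
        Map<String, Set<String>> acl = Map.of("doc1", Set.of("alice@CORP"),
            "doc3", Set.of("alice@CORP", "bob@CORP"), "doc5", Set.of("alice@CORP"));
        List<String> ranked = List.of("doc1", "doc2", "doc3", "doc4", "doc5", "doc6");
        AuthorizationManager am = new AclAuthorizationManager(acl);
        System.out.println(serve(am, ranked, new AuthenticationIdentity("alice", "CORP"), 2));
        System.out.println(serve(am, ranked, new AuthenticationIdentity("alice", null), 2));
    }
}
```

The second call passes an identity without a domain, so the connector denies every docid rather than guessing which account is meant.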
Connector 4.0 Authorization (beta)
A connector only needs to provide implementation for the following interface:
public interface AuthzAuthority
and register it with:
AdaptorContext.setAuthzAuthority()