A Walk through the App (I)

In this section I would like to present some screenshots, SQL statements and printouts that are representative of the use cases implemented by the RBAC demo.

The printout below shows a projection of the useradmin view after the execution of a SQL script which presets the tables with the basic scenario:

mysql> SELECT snapshot, creationtime, userid, `user`, password, failures, roleid, groupname, description
    -> FROM useradmin 
    -> ORDER BY snapshot, userid, roleid;
+----------+---------------------+--------+-------------+----------------------------------------------+----------+--------+-----------+---------------------------------------------------------------+
| snapshot | creationtime        | userid | user        | password                                     | failures | roleid | groupname | description                                                   |
+----------+---------------------+--------+-------------+----------------------------------------------+----------+--------+-----------+---------------------------------------------------------------+
|        1 | 2015-03-01 00:00:00 |      1 | supertester | iSX8nhg/eOHGBaF5SDl53cBvOTfYXf37Kktiwt4DMQo= |        0 |      1 | appadmin  | Grants administration access to the web application.          |
|        1 | 2015-03-01 00:00:00 |      1 | supertester | iSX8nhg/eOHGBaF5SDl53cBvOTfYXf37Kktiwt4DMQo= |        0 |      2 | appuser   | Indicates a normal webapp user with no administration access. |
|        1 | 2015-03-01 00:00:00 |      2 | tester      | 8PlYV724EZJwTdJ4ViBrkMq7gxyxJAWTKqy93/AQ/8Y= |        0 |      2 | appuser   | Indicates a normal webapp user with no administration access. |
|        2 | 2015-04-08 00:00:00 |      2 | tester      | 8PlYV724EZJwTdJ4ViBrkMq7gxyxJAWTKqy93/AQ/8Y= |        0 |      2 | appuser   | Indicates a normal webapp user with no administration access. |
|        2 | 2015-04-08 00:00:00 |      3 | supertester | jXrCjUkOWYeL9xucvmWqfvU4urk5uKT78KsNtioLtIY= |        0 |      1 | appadmin  | Grants administration access to the web application.          |
|        2 | 2015-04-08 00:00:00 |      3 | supertester | jXrCjUkOWYeL9xucvmWqfvU4urk5uKT78KsNtioLtIY= |        0 |      2 | appuser   | Indicates a normal webapp user with no administration access. |
+----------+---------------------+--------+-------------+----------------------------------------------+----------+--------+-----------+---------------------------------------------------------------+

The scenario above includes two snapshots. The significant snapshot, i.e. the latest one, was created on 8 April 2015. User 'tester' (id 2) is referenced by both snapshots. The password of 'supertester' was changed in between, so the significant snapshot owns an exclusive incarnation of 'supertester' (id 3) while the old incarnation (id 1) stays attached to the first snapshot. User 'tester' holds only the role 'appuser', whereas 'supertester' additionally holds 'appadmin'. The application has to validate the credentials presented at login. For this purpose the hashed password and the salt (omitted above) are selected from the latest snapshot. DISTINCT collapses the one row per role that the view produces, BINARY makes the user name comparison case-sensitive, and the disabled flag and the failure counter are checked in the same statement, so a disabled or locked account simply yields no row:

SELECT DISTINCT password, salt
FROM useradmin
WHERE snapshot = (SELECT MAX(id) FROM snapshot) AND disabled = 'N' AND failures < trials AND BINARY user = ?

The RBAC demo counts the failed logins. Once the counter reaches the threshold stored in 'trials', the statement above no longer returns a row and the account must be reset. The 'principals' table contains the users or accounts; the counter is incremented on the incarnation that is referenced by the latest snapshot:

UPDATE principals p
JOIN principalsnapshot ps ON ps.principal_id = p.id
JOIN snapshot s ON s.id = ps.snapshot_id
SET p.failures = p.failures + 1
WHERE s.id = (SELECT MAX(id) FROM snapshot) AND p.`name` = ?

The screenshot below shows the RBAC demo app immediately after the login of 'supertester'.

screenshot-0.png

To edit the properties of a particular user, we click the corresponding Edit button:

screenshot-1.png

This brings up a modal dialog with a pick list which can be used to add or remove roles of the chosen user.

screenshot-2.png

We exchanged the 'appuser' role for the 'apptest' role:

screenshot-3.png

This action triggered a copy-on-write for user 'tester': the incarnation with id 2 is still referenced by the first snapshot, so the modified user received a new incarnation in the significant snapshot. The previous version of 'tester' can still be accessed by switching to the older snapshot:

screenshot-4.png

Note that some controls are disabled now, since entities belonging to a former snapshot must not be modified:

screenshot-5.png

Now we switch back to the significant snapshot:

screenshot-6.png

Before creating another account, we might want to take a new snapshot:

screenshot-7.png

The (highlighted) control shows the id and creation time of the snapshot that has just been created:

screenshot-8.png
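To make the two statements shown earlier and the copy-on-write behaviour concrete, here is an added example that models the schema in SQLite with Python; it is not code from the RBAC demo. Table and column names follow the page (snapshot, principals, principalsnapshot, failures, trials, disabled with the value 'N'). The role tables roles/principalroles, the PBKDF2 password hash, the lockout threshold of 3, the reset of the counter on a successful login and the dummy hash computed for unknown or locked names are my assumptions and are marked as such in the code. The example shows the credential check restricted to the latest snapshot, the failure counter reaching trials and locking the account, a new snapshot inheriting the references of the previous one, and a role change in the significant snapshot that copies a shared incarnation while the former snapshot keeps the old roles, whereas an edit aimed at a former snapshot is refused.

```python
import base64, hashlib, hmac, os, sqlite3

# Schema modelled on the table names used on this page; roles/principalroles are assumed names.
SCHEMA = """
CREATE TABLE snapshot (id INTEGER PRIMARY KEY, creationtime TEXT NOT NULL);
CREATE TABLE principals (
    id INTEGER PRIMARY KEY, name TEXT NOT NULL, password TEXT NOT NULL, salt TEXT NOT NULL,
    failures INTEGER NOT NULL DEFAULT 0, trials INTEGER NOT NULL DEFAULT 3,
    disabled TEXT NOT NULL DEFAULT 'N');
CREATE TABLE principalsnapshot (principal_id INTEGER NOT NULL, snapshot_id INTEGER NOT NULL, PRIMARY KEY (principal_id, snapshot_id));
CREATE TABLE roles (id INTEGER PRIMARY KEY, groupname TEXT NOT NULL UNIQUE);
CREATE TABLE principalroles (principal_id INTEGER NOT NULL, role_id INTEGER NOT NULL, PRIMARY KEY (principal_id, role_id));
"""
# "is referenced by the latest snapshot": the subselect both statements on the page rely on
IN_LATEST = ("id IN (SELECT principal_id FROM principalsnapshot"
             " WHERE snapshot_id = (SELECT MAX(id) FROM snapshot))")

def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256, base64 like the 44-char hashes in the printout (algorithm assumed)."""
    return base64.b64encode(hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)).decode()

def latest_snapshot(cx):
    return cx.execute("SELECT MAX(id) FROM snapshot").fetchone()[0]

def create_snapshot(cx, creationtime):
    """A new snapshot starts out referencing the same principal incarnations as the previous one."""
    prev = latest_snapshot(cx)
    sid = cx.execute("INSERT INTO snapshot (creationtime) VALUES (?)", (creationtime,)).lastrowid
    if prev is not None:
        cx.execute("INSERT INTO principalsnapshot SELECT principal_id, ? FROM principalsnapshot"
                   " WHERE snapshot_id = ?", (sid, prev))
    return sid

def add_principal(cx, name, password, groupnames, snapshot_id):
    salt = os.urandom(16)
    pid = cx.execute("INSERT INTO principals (name, password, salt) VALUES (?, ?, ?)",
                     (name, hash_password(password, salt), base64.b64encode(salt).decode())).lastrowid
    cx.execute("INSERT INTO principalsnapshot VALUES (?, ?)", (pid, snapshot_id))
    for g in groupnames:
        cx.execute("INSERT INTO principalroles SELECT ?, id FROM roles WHERE groupname = ?", (pid, g))
    return pid

def roles_of(cx, name, snapshot_id):
    """Roles of `name` as seen from one snapshot (the useradmin view reduced to a single user)."""
    rows = cx.execute("SELECT r.groupname FROM principals p"
                      " JOIN principalsnapshot ps ON ps.principal_id = p.id"
                      " JOIN principalroles pr ON pr.principal_id = p.id JOIN roles r ON r.id = pr.role_id"
                      " WHERE p.name = ? AND ps.snapshot_id = ? ORDER BY r.groupname", (name, snapshot_id))
    return [g for (g,) in rows]

def login(cx, name, password):
    """The page's credential check: latest snapshot only, not disabled, failures below the
    threshold, case-sensitive name (BINARY in MySQL; SQLite compares TEXT case-sensitively)."""
    row = cx.execute(f"SELECT password, salt FROM principals WHERE {IN_LATEST}"
                     " AND disabled = 'N' AND failures < trials AND name = ?", (name,)).fetchone()
    if row is None:
        hash_password(password, b"\0" * 16)  # assumed: unknown or locked account spends the same time
        return False
    stored, salt = row
    if hmac.compare_digest(stored, hash_password(password, base64.b64decode(salt))):
        cx.execute(f"UPDATE principals SET failures = 0 WHERE {IN_LATEST} AND name = ?", (name,))
        return True  # reset on success is assumed; the page only shows the increment below
    cx.execute(f"UPDATE principals SET failures = failures + 1 WHERE {IN_LATEST} AND name = ?", (name,))
    return False

def set_roles(cx, name, snapshot_id, groupnames):
    """Replace the roles of `name` in `snapshot_id`. Former snapshots are read-only; an incarnation
    still referenced by an older snapshot is copied first (copy-on-write), so history is preserved."""
    if snapshot_id != latest_snapshot(cx):
        raise PermissionError("entities of a former snapshot must not be modified")
    (pid,) = cx.execute("SELECT p.id FROM principals p JOIN principalsnapshot ps ON ps.principal_id = p.id"
                        " WHERE p.name = ? AND ps.snapshot_id = ?", (name, snapshot_id)).fetchone()
    shared = cx.execute("SELECT 1 FROM principalsnapshot WHERE principal_id = ? AND snapshot_id <> ?",
                        (pid, snapshot_id)).fetchone()
    if shared:
        new_id = cx.execute("INSERT INTO principals (name, password, salt, failures, trials, disabled)"
                            " SELECT name, password, salt, failures, trials, disabled FROM principals"
                            " WHERE id = ?", (pid,)).lastrowid
        cx.execute("UPDATE principalsnapshot SET principal_id = ? WHERE principal_id = ? AND snapshot_id = ?",
                   (new_id, pid, snapshot_id))
        pid = new_id
    cx.execute("DELETE FROM principalroles WHERE principal_id = ?", (pid,))
    for g in groupnames:
        cx.execute("INSERT INTO principalroles SELECT ?, id FROM roles WHERE groupname = ?", (pid, g))
    return pid

def build_demo():
    """Constructed seed for the page's first snapshot: supertester (appadmin, appuser), tester (appuser)."""
    cx = sqlite3.connect(":memory:")
    cx.executescript(SCHEMA)
    cx.executemany("INSERT INTO roles (groupname) VALUES (?)", [("appadmin",), ("appuser",), ("apptest",)])
    s1 = create_snapshot(cx, "2015-03-01 00:00:00")
    add_principal(cx, "supertester", "super-secret", ["appadmin", "appuser"], s1)
    add_principal(cx, "tester", "test-secret", ["appuser"], s1)
    return cx
```

Call build_demo() and then login, create_snapshot, set_roles and roles_of against the returned connection. Every statement uses bind parameters, as do the page's own queries; the only string formatting is the fixed IN_LATEST subselect.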

Now we create a new account:

screenshot-9.png

Again a modal dialog pops up. We change the suggested name and choose the role 'appuser':

screenshot-10.png

The account table automatically shows the new user:

screenshot-11.png

To be continued ...
