SMQ-216 - Update auth documentation #218

Merged
dborovcanin merged 5 commits into absmach:main from felixgateru:smq216-auth on May 21, 2025


@felixgateru felixgateru commented Mar 6, 2025

What does this do?

This PR updates the architecture documentation to reflect the current platform structure.

Which issue(s) does this PR fix/relate to?

Resolves #216

List any changes that modify/break current functionality

None

Have you included tests for your changes?

No, manually tested

Did you document any new/modified functionality?

Yes, changes are to the documentation

Notes

@felixgateru felixgateru marked this pull request as ready for review March 10, 2025 08:33
@arvindh123 arvindh123 requested a review from Musilah March 10, 2025 16:44
Comment on lines +29 to 45
`User` represents the real (human) user of the system. Users are identified by their username and password, which are used as platform access credentials in order to obtain an access token. Once logged into the system, a user can manage their resources (i.e. domains,groups, clients and channels) in CRUD fashion and define access control policies by creating and managing roles for them.

`Group` represents a logical groupping of users. It is used to simplify access control management by allowing users to be grouped together. When assigning a user to a group, we create a policy that defines what that user can do with the resources of the group. This way, a user can be assigned to multiple groups, and each group can have multiple users assigned to it. Users in one group have access to other users in the same group as long as they have the required policy. A group can also be assigned to another group, thus creating a group hierarchy. When assigning a user to a group we create a policy that defines what that user can do with the group and other users in the group.
`Group` represents a logical grouping of clients, channels or other groups. It is used to simplify access control management by allowing these entities to be grouped together. When a user becomes the member of a role of a group, they are able to access the entities encompassed by the group. A user can have a role in multiple groups, and each group can have multiple members(users). Groups can have a single parent group and many children groups, this enables shared access to entities to users and a hierarchical structure. A role created for a group determines what a member(user) of the role can do with the group and entities associated with the group.

`Thing` represents devices (or applications) connected to SuperMQ that uses the platform for message exchange with other "things".
`Clients` represents devices (or applications) connected to SuperMQ that use the platform for message exchange with other "clients". Clients have roles to which users are members to, determining which actions the role member(user) can perform on them.

`Channel` represents a communication channel. It serves as a message topic that can be consumed by all of the things connected to it. It also servers as grouping mechanism for things. A thing can be connected to multiple channels, and a channel can have multiple things connected to it. A user can be connected to a channel as well, thus allowing them to have an access to the messages published to that channel and also things connected to that channel with the required policy. A channel can also be assigned to another channel, thus creating a channel hierarchy. Both things and users can be assigned to a channel. When assigning a thing to a channel, we create a policy that defines what that thing can do to the channel, for example reading or writing messages to it. When assigning a user to a channel, we create a policy that defines what that user can do with the channel and things connected to it, hereby enabling the sharing of things between users.
`Channel` represents a communication channel. It serves as a message topic that can be consumed by all of the clients connected to it. It also serves as grouping mechanism for clients. A client can be connected to multiple channels, and a channel can have multiple clients connected to it. A user can also have access to a channel thus allowing them access to the messages published to that channel. As mentioned before a channel can belong to a group.A client connected to a channel forms a connection in SuperMQ. The connection can be of three types: a Publish type, where the client can only publish messages to the channel, a Subscribe type, meaning a client can only receive messages sent to the channel and Publish and Subscribe type where the client can both publish and receive messages on the channel. Channels have roles which determine the actions a role member(user) can perform on them.

`Domain` represents a top level organizational unit which encompases entities such as groups, channels and clients. All these entities have to belong to a domain. A user has a role on a domain which determines what actions the user can perform on the domain as well as the entities in the domain. The domain enables access to clients,channels, groups and messages to be shared with other users on the platform. They also offer the collaborative space to perfom CRUD operations on these entities.

## Messaging
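
Review bot: The new `Clients` paragraph names the entity in the plural while `User`, `Group`, `Channel` and `Domain` are singular, so "`Clients` represents" no longer agrees, and "roles to which users are members to" doubles the preposition; suggest "`Client` represents a device (or application) ..." and "roles of which users are members". In the new `Channel` paragraph, "group.A client" is missing a space, and "A user can also have access to a channel" does not say that this access comes from a role, which only the paragraph's last sentence implies; stating it there would make the access model explicit. The new `Domain` paragraph has "encompases", "perfom" and a missing space in "clients,channels".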

@felixgateru
Please add auth service both in diagram and docs


![domain_users_viewer](diagrams/domain_users_viewer.svg)
![domain_users](diagrams/domain_users.svg) <!-- to be replaced -->
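
Review bot: The `diagrams/domain_users.svg` image line still carries `<!-- to be replaced -->`, so the documentation would merge with a diagram that is flagged as provisional. Either include the final diagram in this PR or replace the inline comment with a reference to a tracking issue so the placeholder is not forgotten.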


@felixgateru felixgateru changed the title SMQ-216 - Update auth documentaion SMQ-216 - Update auth documentation Mar 21, 2025
@dborovcanin

@felixgateru Please resolve conflicts. @arvindh123 Please re-review since the comments are addressed.

Signed-off-by: Felix Gateru <felix.gateru@gmail.com>
@dborovcanin dborovcanin merged commit e39bd58 into absmach:main May 21, 2025
1 check passed