Creating, retrieving and managing realms and also enabling, disabling and checking per realm security status.
The realm is a central and fundamental concept in Bondy. It does not only serve as an authentication and authorization domain but also as a message routing domain. Bondy ensures no messages routed in one realm will leak into another realm.
Realms are routing and administrative domains that act as namespaces. All resources in Bondy belong to a Realm. Messages are routed separately for each individual realm so sessions attached to a realm won’t see message routed on another realm.
In Bondy a realm is represented by a control plane object and is identified by a WAMP URI e.g.
Realms (and the associated users, credentials, groups, sources and permissions) are persisted to disk and replicated across the cluster by Bondy's control plane data replication service.
How many realms?
Because a realm is a control plane data object, there is no limit to the number of realms you can have. However, since part of the realm data is stored both in memory and disk, the actual limit is determined by the amount of memory and storage a Bondy node has access to.
Notice that since realms are globally replicated, the smallest node in a Bondy cluster (in terms of memory and storage) will be the one determining the actual limit.
When you start Bondy for the first time it creates and stores the Bondy Master realm identifiedm with the uri
bondy (also the now deprecated
This realm is the root realm which allows an admin user to create, list, modify and delete other realms. The realm can be customised either through the
bondy.conf file or dynamically using the WAMP and HTTP APIs.
However, the master realm has some limitations:
Prototypical inheritance allows us to reuse the properties (including RBAC definitions) from one realm to another through a reference URI configured on the
prototype_uriproperty is defined as an irreflexive property i.e. a realm cannot have itself as prototype.
A Prototype Realm is a realm that acts as a prototype for the construction of other realms. It is a normal realm whose property
is_prototype has been set to
The following is the list of properties which a realm inherits from a prototype when those properties have not been assigned a value. Setting a value to these properties is equivalent to overriding the prototype's.
In addition realms inherit Groups, Sources and Grants from their prototype. based on the following rules:
all. Permissions granted to
allare merged between a realm and its prototype.
Each realm has its own Security service, which provides Authentication and Authorization.
A realm's security service may be checked, enabled, or disabled by an administrator through the APIs. This allows an administrator to change security settings of a realm on the whole cluster quickly without needing to change settings on a node-by-node basis.
Bondy SSO (Same Sign-on) is a feature that allows users to access multiple realms using just one set of credentials.
To use SSO one needs first create a realm (A) as an SSO realm (by setting its
is_sso_realm property to
Subsequently one or more realms can use realm A as their SSO Realm by respectively setting their property
sso_realm_uri to the URI of realm A.
To learn more about this topic review the Same Sign-on page.
What constitutes an administrator i.e. what permissions and administrator has and which user is an administrator is actually defined by you using the security configuration. ↩︎