Question
I've deployed an application based on Fiware generic enablers, in Docker. The versions are:
- Orion 1.14
- Cygnus 1.9.0
- Authzforce 5.4.1
- Keyrock: the latest
- Pep-proxy: 7.0.1
but when I want to create a permission in Keyrock I can't find a specific syntax or character sequence to enter a dynamic resource in the resource field, like /resource1/<user>/info, or to specify only the resource prefix, like /resource2/<whatever>.
Does a syntax for dynamic resources really exist, and can Authzforce create permissions associated with a dynamic resource, or is it necessary to create a XACML rule?
Answer 1:
Yes, it is necessary to create an Advanced XACML Rule. For example, you may look at the XACML Rule template in the IDM source code, which is used to generate a basic Rule (for a static resource path); you would have to customize it (besides removing the template code <%...%>), and especially modify the Target and the Condition elements (use the XACML function string-concatenate to create the string /resource1/{param}/info dynamically).
Another difficulty is to get the {param} value in the PEP and make sure it is sent in the XACML Request to the AuthzForce PDP. The Pep-proxy only gets/sends the following XACML attributes, as you can see from the Pep's Authzforce client code (names shortened for conciseness): resource-id, sub-resource-id, action-id, subject-role. Therefore, if you want the user-id as {param}, for example, you have to modify the Pep code I just mentioned, i.e. extract the user ID from the userInfo variable and add the corresponding XACML Attribute (subject-id) in the Request. Or use your own Pep and do whatever you want, of course.
Source: https://stackoverflow.com/questions/51316032/fiware-idm-dynamic-permission-resource