Fiware IDM : Dynamic permission resource

六月ゝ 毕业季﹏ posted on 2019-12-24 10:59:50

Question


I've deployed an application based on Fiware generic enablers, in Docker. The versions are:

  • Orion 1.14
  • Cygnus 1.9.0
  • Authzforce 5.4.1
  • Keyrock: the latest
  • Pep-proxy: 7.0.1

But when I want to create a permission in Keyrock, I can't find a specific syntax or character sequence to enter a dynamic resource in the resource field, like /resource1/<user>/info, or to specify only the resource prefix, like /resource2/<whatever>.

Does a syntax for dynamic resources really exist, and can Authzforce create a permission associated with a dynamic resource, or is it necessary to create an XACML rule?


Answer 1:


Yes, it is necessary to create an Advanced XACML Rule. For example, you may look at the XACML Rule template in the IDM source code, which is used to generate a basic Rule (for a static resource path); you would have to customize it (besides removing the template code <%...%>), especially modify the Target and the Condition elements (use XACML function string-concatenate to create the string /resource1/{param}/info dynamically).

Another difficulty is to get the {param} value in the PEP, and make sure it is sent in the XACML Request to AuthzForce PDP. The Pep-proxy only gets/sends the following XACML attributes as you can see from the Pep's Authzforce client code (names shortened for conciseness): resource-id, sub-resource-id, action-id, subject-role. Therefore, if you want the user-id as {param} for example, you have to modify the Pep code I just mentioned, i.e. extract the user ID from the userInfo variable and add the corresponding XACML Attribute (subject-id) in the Request. Or use your own Pep and do whatever you want of course.
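
The following sketch is an added example, not part of the original answer and not code from the Pep-proxy or Keyrock. It shows a XACML 3.0 request that carries subject-id alongside the resource and action attributes, with values XML-escaped, plus the comparison the rule's Condition would perform in the PDP. Assumptions: userInfo exposes the user ID as `id`, the sub-resource AttributeId shown is the one your policy's designators reference, and subject-role is omitted for brevity.

```javascript
// Added example. Assumed: userInfo.id holds the user ID; the sub-resource
// AttributeId must match the AttributeDesignator used in your policy.
const CAT_SUBJECT = 'urn:oasis:names:tc:xacml:1.0:subject-category:access-subject';
const CAT_RESOURCE = 'urn:oasis:names:tc:xacml:3.0:attribute-category:resource';
const CAT_ACTION = 'urn:oasis:names:tc:xacml:3.0:attribute-category:action';
const STRING = 'http://www.w3.org/2001/XMLSchema#string';
const IDS = {
  subjectId: 'urn:oasis:names:tc:xacml:1.0:subject:subject-id',
  resourceId: 'urn:oasis:names:tc:xacml:1.0:resource:resource-id',
  subResourceId: 'urn:thales:xacml:2.0:resource:sub-resource-id', // assumed
  actionId: 'urn:oasis:names:tc:xacml:1.0:action:action-id',
};

// Escape values so a crafted path or user ID cannot inject XML into the request.
function escapeXml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' }[c]));
}

function attr(id, value) {
  return `<Attribute AttributeId="${id}" IncludeInResult="false">` +
    `<AttributeValue DataType="${STRING}">${escapeXml(value)}</AttributeValue></Attribute>`;
}

// Build the request the PEP would send, now including subject-id.
function buildXacmlRequest(userInfo, appId, path, action) {
  if (!userInfo || typeof userInfo.id !== 'string' || userInfo.id === '') {
    throw new Error('no user id: refusing to build a request without subject-id');
  }
  return '<?xml version="1.0" encoding="UTF-8"?>' +
    '<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" ' +
    'CombinedDecision="false" ReturnPolicyIdList="false">' +
    `<Attributes Category="${CAT_SUBJECT}">${attr(IDS.subjectId, userInfo.id)}</Attributes>` +
    `<Attributes Category="${CAT_RESOURCE}">${attr(IDS.resourceId, appId)}` +
    `${attr(IDS.subResourceId, path)}</Attributes>` +
    `<Attributes Category="${CAT_ACTION}">${attr(IDS.actionId, action)}</Attributes>` +
    '</Request>';
}

// What the rule's Condition computes in the PDP:
// string-equal(sub-resource-id, string-concatenate("/resource1/", subject-id, "/info"))
function conditionHolds(path, subjectId) {
  return path === '/resource1/' + subjectId + '/info';
}
```

Because the comparison is an exact string match on the concatenated path, a user can only reach the path that embeds their own ID; the PEP should pass the path to the PDP in the same normalized form the backend will serve.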



Source: https://stackoverflow.com/questions/51316032/fiware-idm-dynamic-permission-resource
