
Authzforce does not store policies?

I am developing a new application using Fiware and I am interested in adding a security layer using the specific Fiware GE for this:

I started by setting up my own local installation of these components, starting from this tutorial. After a few minutes I was able to successfully install all three components up & running.

Then I started to create applications, roles, permissions, assign roles to users and so on. The thing is, after a while playing with the components, AuthZforce crashed and I had to reboot it. After that I noticed that all policies and domains were erased from AuthZForce.

I did some digging and discovered that everything is maintained in memory in AuthZForce and also in the IdM database, so if your AuthZForce crashes then you lose all your policies and application domains unless you recover them from the IdM database.

The problem is that when you restart AuthZForce, all the policies and applications that are stored in the IdM database are not automatically synchronized with AuthZForce. To force the synchronization you must perform some change to your application, for example using the IdM web interface to change the application description. Then the IdM re-creates the application domain and all application policies.

Is there any reason why this is so? Why is the synchronization not done automatically? Can AuthZForce itself be responsible for the persistence of the policies?

As far as AuthzForce is concerned, all the policies pushed successfully by the IdM to Authzforce are persisted to disk in the AuthzForce server's /opt/authzforce-ce-server/data directory. There is no reason that I know of for AuthzForce Server to erase data from there unless it is requested via the REST API, e.g. by the IdM. If you check the content of this directory at some point and it is empty, one of the reasons may be that the IdM didn't push any policy to AuthzForce at all. If you actually find a case where an AuthzForce crash erases all files in /opt/authzforce-ce-server/data (assuming obviously that there were some files before), then please report this issue to the AuthzForce team with relevant server logs and enough info to reproduce the issue.

Back to the last question, again, AuthzForce persists policies received from the IdM to disk. However, on the one hand, the IdM uses its own simplified format for managing role permissions from the GUI, whereas AuthzForce uses the XACML standard. The IdM GUI does not support the full expressiveness of XACML at the moment, far from it. So when you click Save in the role permission editor, the IdM GUI converts from its own format to XACML (using simple template processing) before pushing to AuthzForce, and this is only one-way. Therefore, the IdM cannot recover policies in its own format from AuthzForce (the XACML-to-IdM format translation is not implemented as far as I know) and therefore the IdM cannot rely only on AuthzForce for policy storage. I cannot go further into the details and why because I am not part of the IdM dev team. So please ask them if you want a better answer.
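To make the "one-way template conversion" argument in the answer above concrete, here is an added example (not code from the answerer, from Keyrock, or from AuthzForce). It converts a constructed, simplified role/permission model into a real XACML 3.0 Policy, evaluates requests against it with deny-unless-permit semantics, and attempts the reverse translation. The reverse only succeeds for policies that have exactly the template shape; a hand-written policy that uses a regexp Condition (perfectly valid XACML, and something AuthzForce would happily store) is rejected, which is why an IdM that only speaks the simplified format cannot treat AuthzForce as its sole policy store. The XACML namespace, attribute ids and function ids are the standard ones; the role/permission dictionary shape, the sample permissions and the hand-written policy are assumptions made for this example and do not reproduce the IdM's actual internal format or template.

```python
"""Simplified role/permission model <-> XACML 3.0 (constructed example).

Not Keyrock's or AuthzForce's own code. The dict shape used for permissions
and the sample data are assumptions standing in for the IdM's real format.
"""
import xml.etree.ElementTree as ET

# Standard XACML 3.0 identifiers (real, from the OASIS spec).
XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
ROLE_ATTR = "urn:oasis:names:tc:xacml:2.0:subject:role"
ACTION_ATTR = "urn:oasis:names:tc:xacml:1.0:action:action-id"
RESOURCE_ATTR = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
DENY_UNLESS_PERMIT = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit"
CATEGORY = {
    ROLE_ATTR: "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
    ACTION_ATTR: "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
    RESOURCE_ATTR: "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
}
ET.register_namespace("", XACML_NS)


def _q(tag):
    return "{%s}%s" % (XACML_NS, tag)


def _match(allof, attr_id, value):
    """Append one string-equal Match on attr_id == value to an AllOf element."""
    m = ET.SubElement(allof, _q("Match"), MatchId=STRING_EQUAL)
    ET.SubElement(m, _q("AttributeValue"), DataType=XS_STRING).text = value
    ET.SubElement(m, _q("AttributeDesignator"), Category=CATEGORY[attr_id],
                  AttributeId=attr_id, DataType=XS_STRING, MustBePresent="false")


def to_xacml(app_id, role_permissions):
    """Template-style conversion: one Permit rule per (role, action, resource).

    role_permissions has the assumed shape {"role": [("GET", "/path"), ...]}.
    """
    policy = ET.Element(_q("Policy"), PolicyId=app_id, Version="1.0",
                        RuleCombiningAlgId=DENY_UNLESS_PERMIT)
    ET.SubElement(policy, _q("Target"))  # empty Target: policy applies to every request
    for role, perms in sorted(role_permissions.items()):
        for action, resource in perms:
            rule = ET.SubElement(policy, _q("Rule"), Effect="Permit",
                                 RuleId="%s:%s:%s:%s" % (app_id, role, action, resource))
            anyof = ET.SubElement(ET.SubElement(rule, _q("Target")), _q("AnyOf"))
            allof = ET.SubElement(anyof, _q("AllOf"))
            _match(allof, ROLE_ATTR, role)
            _match(allof, ACTION_ATTR, action)
            _match(allof, RESOURCE_ATTR, resource)
    return ET.tostring(policy, encoding="unicode")


class UnsupportedXacml(ValueError):
    """The policy uses XACML features the simplified model cannot express."""


def _triples(policy_xml):
    """Yield (role, action, resource) per rule; reject anything beyond the template."""
    root = ET.fromstring(policy_xml)
    if root.tag != _q("Policy") or root.get("RuleCombiningAlgId") != DENY_UNLESS_PERMIT:
        raise UnsupportedXacml("not a deny-unless-permit Policy")
    for rule in root.iter(_q("Rule")):
        if rule.get("Effect") != "Permit" or rule.find(_q("Condition")) is not None:
            raise UnsupportedXacml("Deny rules and Conditions are not representable")
        matches = list(rule.iter(_q("Match")))
        if len(list(rule.iter(_q("AllOf")))) != 1 or len(matches) != 3:
            raise UnsupportedXacml("rule must be a single AllOf of role, action, resource")
        found = {}
        for m in matches:
            if m.get("MatchId") != STRING_EQUAL:
                raise UnsupportedXacml("only string-equal is representable: " + m.get("MatchId"))
            attr = m.find(_q("AttributeDesignator")).get("AttributeId")
            found[attr] = m.find(_q("AttributeValue")).text
        if set(found) != set(CATEGORY):
            raise UnsupportedXacml("rule must match exactly role, action and resource")
        yield found[ROLE_ATTR], found[ACTION_ATTR], found[RESOURCE_ATTR]


def from_xacml(policy_xml):
    """Reverse translation; only works for policies to_xacml could have produced."""
    out = {}
    for role, action, resource in _triples(policy_xml):
        out.setdefault(role, []).append((action, resource))
    return out


def is_round_trippable(policy_xml):
    try:
        from_xacml(policy_xml)
        return True
    except UnsupportedXacml:
        return False


def decide(policy_xml, role, action, resource):
    """deny-unless-permit over template rules: Permit iff some rule matches all three."""
    return "Permit" if (role, action, resource) in set(_triples(policy_xml)) else "Deny"


# Constructed sample data, not taken from any real IdM application.
SAMPLE_PERMISSIONS = {
    "provider": [("GET", "/v2/entities"), ("POST", "/v2/entities")],
    "purchaser": [("GET", "/v2/entities")],
}

# Constructed hand-written policy: a regexp Condition is valid XACML that the
# simplified model has no way to hold, so the reverse translation must fail.
HAND_WRITTEN = """<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="p2" Version="1.0"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
  <Target/>
  <Rule RuleId="r1" Effect="Permit"><Target/>
    <Condition><Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
      <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"/>
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^/v2/entities/.*</AttributeValue>
      <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
        AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
        DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
    </Apply></Condition>
  </Rule>
</Policy>"""

if __name__ == "__main__":
    generated = to_xacml("app-1", SAMPLE_PERMISSIONS)
    print(decide(generated, "purchaser", "POST", "/v2/entities"))  # Deny
    print(is_round_trippable(generated), is_round_trippable(HAND_WRITTEN))  # True False
```

The practical consequence matches the answer: the generated policy round-trips because it never leaves the template, but anything richer that lands in AuthzForce's data directory (whether written by hand or by another PAP client) is invisible to a tool that only understands the simplified format, so the IdM has to keep its own copy and re-push it, and nothing on the AuthzForce side can trigger that for it.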
