
API Gateway level authorization and policy enforcement on response

I am currently looking for a way to integrate Authorization to a microservice architecture with API Gateway (Kong). For Authentication Keycloak is being used and enforced via Kong. Now I want to create policies for granting access rights to the resources behind the gateway (e.g. resource should only be accessed by creator or admin). OPA seemed like the perfect fit but it seemingly can't be used for stripping fields off the response. If I for example want to hide certain fields the service has added to the response from the client or want to only allow PATCH on some fields OPA can't be used. Did I miss something or do you know of a better solution for my use case?

How we ended up doing it: OPA and OSO are both really good solutions for authorization, but they didn't match what we were looking for. We wanted to 1. be able to gather information from databases about user attributes or relationships between data to decide whether the user should have access or not, and 2. be able to remove certain fields from the response. None of the available open source solutions seemed to provide this, so we decided to develop our own.

Our service is able to process a json-based policy dsm. Policies can include queries to a Mongo DB, Neo4j, or to parts of the query. This way we can create truly generic policies for fine-grained access policies. The policy service is not deployed at the gateway level, but is integrated as middleware into the microservices that require Auth. If you want to learn more about our solution, check out our documentation on the topic.
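To make concrete what such a middleware does, here is an added example (not the answerer's service, and not OPA or OSO): a small Python policy evaluator that takes a JSON policy, decides whether the caller may perform an action on a resource based on roles and on a relationship to the resource (the "creator" check from the question), restricts which fields a PATCH may touch, and strips fields from the response before it reaches the client. The policy format, the `Principal` and `DOCUMENTS` records, and the `relations` lookup are all constructed for the illustration; in a real deployment `relations` would be the database or graph query the answer describes.

```python
"""Toy policy-enforcement middleware (constructed illustration, not the poster's DSL)."""
import json
from dataclasses import dataclass, field

# Constructed policy. Rules grant actions to roles or to a relation between the
# caller and the resource; the two tables drive field redaction and PATCH limits.
POLICY_JSON = """
{
  "resource": "document",
  "rules": [
    {"effect": "allow", "roles": ["admin"], "actions": ["GET", "PATCH", "DELETE"]},
    {"effect": "allow", "relation": "creator", "actions": ["GET", "PATCH"]},
    {"effect": "allow", "roles": ["viewer"], "actions": ["GET"]}
  ],
  "hidden_fields": {"default": ["internal_notes", "owner_email"], "admin": []},
  "patchable_fields": {"creator": ["title", "body"], "admin": ["title", "body", "status"]}
}
"""


def load_policy(text):
    return json.loads(text)


@dataclass
class Principal:
    user_id: str
    roles: list = field(default_factory=list)


# Constructed resource store standing in for the service's own database.
DOCUMENTS = {
    "doc-1": {"id": "doc-1", "owner_id": "alice", "title": "Plan", "body": "...",
              "status": "draft", "internal_notes": "secret",
              "owner_email": "alice@example.invalid"},
}


def relations(principal, resource):
    """Relationships between caller and resource (would be a DB/graph query)."""
    rels = set()
    if resource.get("owner_id") == principal.user_id:
        rels.add("creator")
    return rels


def subjects(principal, resource):
    """Roles plus relations: the keys the policy tables are indexed by."""
    return set(principal.roles) | relations(principal, resource)


def is_allowed(policy, principal, action, resource):
    """Deny by default; any matching allow rule grants the action."""
    subs = subjects(principal, resource)
    for rule in policy["rules"]:
        if rule["effect"] != "allow" or action not in rule["actions"]:
            continue
        if set(rule.get("roles", [])) & subs or rule.get("relation") in subs:
            return True
    return False


def hidden_fields(policy, principal):
    """Fields to strip: intersection over the caller's roles, else the default list."""
    table = policy["hidden_fields"]
    lists = [table[r] for r in principal.roles if r in table] or [table["default"]]
    return set.intersection(*(set(lst) for lst in lists))


def patchable_fields(policy, principal, resource):
    """Union of fields any of the caller's roles/relations may modify."""
    table = policy["patchable_fields"]
    out = set()
    for s in subjects(principal, resource):
        out |= set(table.get(s, []))
    return out


def filter_response(policy, principal, resource):
    hide = hidden_fields(policy, principal)
    return {k: v for k, v in resource.items() if k not in hide}


def enforce(policy, principal, action, resource_id, patch=None):
    """Middleware entry point: returns (http_status, response_body)."""
    resource = DOCUMENTS.get(resource_id)
    if resource is None:
        return 404, None
    if not is_allowed(policy, principal, action, resource):
        return 403, None
    if action == "PATCH":
        rejected = set(patch or {}) - patchable_fields(policy, principal, resource)
        if rejected:
            return 403, {"error": "field not patchable", "fields": sorted(rejected)}
        resource = {**resource, **patch}  # apply without mutating the store
    return 200, filter_response(policy, principal, resource)


if __name__ == "__main__":
    policy = load_policy(POLICY_JSON)
    print(enforce(policy, Principal("alice", ["viewer"]), "GET", "doc-1"))
    print(enforce(policy, Principal("alice", ["viewer"]), "PATCH", "doc-1", {"status": "final"}))
```

Redaction is computed from the caller's roles rather than from the resource, so a viewer never sees `internal_notes` even when a downstream service adds it; the PATCH check rejects the whole request when any field is outside the allowed set instead of silently dropping the extra fields, which keeps the failure visible to the client and to logs.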
