FIWARE Orion-LD access control rules by entity type

Is it possible to configure access-control rules for Orion-LD based on the entity type? Or, alternatively, on the presence of some attributes in the entities?

A similar question was asked here: Get a list of all resources accessible to users in FIWARE. The answer seems to imply that in the so-called Advanced Authorization scenario it is possible to achieve something like this by means of XACML filters for broker endpoints, allowing for instance GET access to the endpoint /entities?type=SomeEntityType for certain users. However, this appears like a very brittle solution, since the type query parameter may be preceded by other params in a real-world request. Furthermore, there are other ways to filter resources returned by the /entities endpoint, e.g. by means of parameters q or attrs (according to the NGSI-LD spec, https://www.etsi.org/deliver/etsi_gs/CIM/001_099/009/01.06.01_60/gs_CIM009v010601p.pdf , see 6.4.3.2), hence separate rules would be needed for all of these and it seems impossible to keep them consistent. Ideally, I would also like GET requests to /entities/{entityId} to be evaluated against the type of the entity, without configuring this individually for every entity.

Am I missing a simple solution to this problem?

This will depend on the capabilities of the PDP you are using. Of course, a flexible XACML-based PDP like Authzforce is able to adjudicate on anything given sufficient information from the PEP, but you could also use something like Open Policy Agent; it is just a matter of extracting sufficient information from the payload and passing it on for analysis.

To take Keyrock/Wilma as an example, they support a payload-based PDP permit/deny decision process. In Keyrock you have 3 different PDP levels: basic, payload and advanced. If you set IDM_PDP_LEVEL=payload, you can set permissions like this:

[Image: Keyrock permissions]

Where the type, id and attrs in the payload can be filtered.

Keyrock's basic /user?access_token=..&action=..&resource=.. PDP only covers basic rules, so to check payloads you'll need to switch to a more advanced PDP. Keyrock's /pdp/xacml handler accepts XACML JSON from a PEP, so Wilma can be configured to use that endpoint instead.

PEP_PROXY_PDP=xacml
PEP_PROXY_PDP_PROTOCOL=https
PEP_PROXY_PDP_HOST=<hostname_of_keyrock>
PEP_PROXY_PDP_PORT=<port of keyrock>
PEP_PROXY_PDP_PATH=pdp/xacml

Of course this is just an example; the PDP could just as easily be pointed towards Authzforce for adjudication and send over XACML XML. The point is that whichever PDP you decide to use, the PEP needs to be able to extract the right info and pass on a request to your chosen PDP.
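To make the extraction step concrete, here is an added example (not from the answer above, and not Keyrock's or Wilma's own code) of the logic a PEP has to run before it can ask any PDP about entity types: it derives the type(s) a GET request touches from a parsed query string rather than by matching the raw URL (so parameters before type= do not matter), resolves /entities/{entityId} to a type through a constructed in-memory lookup that stands in for the broker, and fails closed when no type can be established (e.g. a q= or attrs= filter without type=). The role names, entity ids and the allowed-type table are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed stand-in for the broker: entity id -> entity type.
# A real PEP would resolve this with a lookup against Orion-LD.
ENTITY_TYPES = {
    "urn:ngsi-ld:Building:001": "Building",
    "urn:ngsi-ld:Sensor:007": "TemperatureSensor",
}

# Constructed policy: which entity types each role may read.
ALLOWED_TYPES = {
    "facility-manager": {"Building"},
    "sensor-reader": {"TemperatureSensor"},
}

ENTITY_PATH = re.compile(r"/ngsi-ld/v1/entities/([^/]+)")


def requested_types(url, entity_types=ENTITY_TYPES):
    """Return the set of entity types a GET on `url` can reach, or None
    when it cannot be determined (the caller must then deny)."""
    parts = urlsplit(url)
    path = parts.path.rstrip("/")
    match = ENTITY_PATH.fullmatch(path)
    if match:                       # /entities/{entityId}: resolve id -> type
        entity_type = entity_types.get(unquote(match.group(1)))
        return {entity_type} if entity_type else None
    if path == "/ngsi-ld/v1/entities":
        # parse_qs takes care of parameter order and URL encoding;
        # NGSI-LD allows type=A,B, so split each value on commas.
        types = set()
        for value in parse_qs(parts.query).get("type", []):
            types.update(t for t in value.split(",") if t)
        return types or None        # q=/attrs= alone do not fix a type
    return None


def decide(role, method, url):
    """Permit only reads whose every requested type is allowed for the role."""
    if method != "GET":
        return "Deny"               # this example only covers reads
    types = requested_types(url)
    if not types:
        return "Deny"               # unknown type: fail closed
    return "Permit" if types <= ALLOWED_TYPES.get(role, set()) else "Deny"
```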
