
Orion APIs authorization through Keycloak

After testing authentication in Orion with Keycloak (Orion APIs authentication through Keycloak) with kong-pep-plugin, I'm interested in the authorization too; in particular, I want to give specific permissions (on path and verb) to users/groups like I used to do with AuthZForce.

Could you help me?

Thank you

Sorry that I only see your request right now. This is very much tied to configuring Keycloak, but it is possible, yes. The kong-pep-plugin delegates all decisions to Keycloak's Authorization Services and just takes its decision. Thus, you should read the documentation on that: https://www.keycloak.org/docs/latest/authorization_services/index.html

An example (declarative) configuration for allowing different groups to access different paths can be found in the integration tests: https://github.com/FIWARE/kong-plugins-fiware/blob/main/it/src/test/k3s/keycloak.yaml#L518-L567

Another, better readable, example is our demo environment: https://github.com/FIWARE-Ops/fiware-gitops/blob/master/aws/fiware/keycloak/templates/realmConfigMap.yaml#L139-L203

This combination of resources and policies allows the group "consumer" to access the path "/keycloak/ngsi-ld/v1/", while the group "admin" can also access "/keycloak/". The authorization services allow for much more fine-grained and powerful configurations, so I really recommend the official documentation on it.

Best

As an addition for the GET/POST question:

That's something you can implement with the JavaScript policies feature from Keycloak (keycloak.org/docs/latest/authorization_services/…). The kong-plugin forwards the HTTP method as the "http.method" claim (see github.com/FIWARE/kong-plugins-fiware/blob/main/kong-pep-plugin/…). An example policy granting access only for GET requests could look like:

// $evaluation is provided by Keycloak to every JavaScript policy
var context = $evaluation.getContext();
var attributes = context.getAttributes();
// the kong-pep-plugin forwards the request method as the "http.method" claim
var method = attributes.getValue('http.method').asString(0);
if (method === 'GET') {
    $evaluation.grant();
}

Combining a resource policy with such a js-policy would give you the access-control you want.
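As an added example (not code from the original answer, nor from the kong-pep-plugin or Keycloak projects): the same GET-only policy written defensively, so that a request arriving without the `http.method` claim is denied rather than failing with an error when `getValue()` returns null, together with a constructed stand-in for the `$evaluation` object Keycloak provides, so the decision logic can be exercised outside Keycloak. Inside Keycloak you would paste only the body of `onlyGetPolicy` as the policy code; the `makeEvaluation` and `decide` helpers are assumptions for offline use and mimic only the parts of Keycloak's `Evaluation` and `Attributes` API that the policy touches.

```javascript
// Keycloak JavaScript policy body. Keycloak exposes `$evaluation` as a global;
// taking it as a parameter keeps the body identical while allowing offline runs.
function onlyGetPolicy($evaluation) {
  var attributes = $evaluation.getContext().getAttributes();

  // Deny explicitly when the kong-pep-plugin did not forward the claim:
  // getValue() would return null and asString() would throw otherwise.
  if (!attributes.exists('http.method')) {
    $evaluation.deny();
    return;
  }

  var method = attributes.getValue('http.method').asString(0);
  if (method === 'GET') {
    $evaluation.grant();
  } else {
    $evaluation.deny();
  }
}

// Constructed stand-in for the objects Keycloak hands to a JS policy (assumption, not Keycloak code).
// `claims` maps claim names to arrays of values, e.g. { 'http.method': ['GET'] }.
function makeEvaluation(claims) {
  var decision = 'DENY'; // a policy that never calls grant() is treated as a denial

  var attributes = {
    exists: function (name) {
      return Object.prototype.hasOwnProperty.call(claims, name);
    },
    getValue: function (name) {
      if (!attributes.exists(name)) {
        return null;
      }
      var values = claims[name];
      return {
        asString: function (i) { return String(values[i]); },
        size: function () { return values.length; }
      };
    }
  };

  return {
    getContext: function () {
      return { getAttributes: function () { return attributes; } };
    },
    grant: function () { decision = 'GRANT'; },
    deny: function () { decision = 'DENY'; },
    result: function () { return decision; }
  };
}

// Run the policy against a set of forwarded claims and return the decision.
function decide(claims) {
  var evaluation = makeEvaluation(claims);
  onlyGetPolicy(evaluation);
  return evaluation.result();
}

// Constructed sample requests: only the first should be granted.
console.log(decide({ 'http.method': ['GET'] }));  // GRANT
console.log(decide({ 'http.method': ['POST'] })); // DENY
console.log(decide({}));                          // DENY, claim missing
```

The comparison is case-sensitive on purpose: the method Keycloak sees is exactly what the plugin forwarded, and a policy should decide on that literal value rather than normalising it.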
