
Calling external APIs through fiware orion context broker to validate using keyrock

I am a student working on a project and exploring the viability of using fiware for that. So far I've learnt that to call external APIs we can use registrations for an entity to fetch dynamic data.

Here is the situation:

In my project, I am calling external APIs for fetching some data at the frontend.

I want to add access control for users so that they are restricted from calling the APIs if not permitted. For this reason I am trying to find a way for keyrock to validate the requests, so that I don't have to manually validate these external APIs. Since these aren't related to any entity, I don't want to use a registration for this purpose.

I intend to do user management through keyrock itself. Currently keyrock can restrict based on resources (i.e. URL paths) of the application and permissions. I am very confused at this point: if I add an API call on any page to fetch data from an external API, how can I make use of keyrock access control in this situation?

Also, can I make orion call the external API somehow and make the data an entity?

Any help and hint is greatly appreciated. Thanks in advance.

A registration is a contract to return a series of attributes connected to an entity; how that is connected to an external API is up to you. There is an annotated example in the NGSI v2 tutorials. The code is also available for NGSI-LD, but the documentation for NGSI-LD needs updating to reflect certain recent changes and clarifications made in NGSI-LD 1.6.1.

Regardless of the version of NGSI you use, the steps to call an external API are the same.

  1. Create a proxy service with a handler to deal with one or more NGSI endpoints - for NGSI-v2 this will usually be the batch endpoint /op/query, for NGSI-LD I would recommend /ngsi-ld/v1/entities/<id>.

  2. Create a registration from your context broker to this proxy, e.g. for NGSI-v2:

curl -iX POST \
  'http://localhost:1026/v2/registrations' \
  -H 'Content-Type: application/json' \
  -d '{
  "description": "Random Weather Conditions",
  "dataProvided": {
    "entities": [
      {
        "id": "urn:ngsi-ld:Store:001",
        "type": "Store"
      }
    ],
    "attrs": [
      "relativeHumidity"
    ]
  },
  "provider": {
    "http": {
      "url": "http://location/of/the/proxy/interface"
    }
  }
}'

Note that you can also pass additional custom information using custom headers or by annotating the path of the URL or whatever.

  3. Within the proxy code make a request to the third party API and convert the response back to NGSI format. The tutorial example explains how to connect to Twitter or Cat Facts as examples.

I want to add access control for users so that they are restricted from calling the APIs if not permitted.

This is purely a matter of placing a PEP proxy in front of the call to the registrant. Imagine a context broker request like this one to Kong:

curl -X GET \
  http://localhost:8000/orion/v2/entities/urn:ngsi-ld:Store:001?options=keyValues \
  -H 'Authorization: Bearer {{X-Access-token}}'

Either you place the PEP in front of the context broker (in which case the entity is only returned if you have appropriate permissions), or you place a PEP in front of your registrant webservice (in which case the attributes are only appended to the entity if you have appropriate permissions). Note that the context broker registration needs to be configured to ensure that the Authorization header will be passed on to the registrant as well.
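As an added illustration of steps 1 and 3 above (not code from the answer or from the FIWARE tutorials), here is a minimal NGSI-v2 registrant handler: it takes the /op/query body that the context broker forwards for the registered Store entity, passes the forwarded Authorization header on to the external API call, and converts the external JSON into NGSI-v2 normalized attributes. The external URL, the attribute mapping and the `fetch` callable (a constructed stand-in for an HTTP client) are assumptions.

```python
"""Constructed NGSI-v2 registrant (context provider) handler.

Orion forwards a POST /v2/op/query for registered entities/attrs; this
handler answers it from an external API. Framework-free so it can be run
stand-alone; wire handle_op_query into the web framework of your choice.
"""
from typing import Any, Callable, Dict, List, Tuple

EXTERNAL_URL = "https://weather.example/current"  # hypothetical external API

# NGSI attribute name -> (key in the external JSON, NGSI type). Assumed shape.
ATTR_MAP = {
    "relativeHumidity": ("humidity", "Number"),
    "temperature": ("temp_c", "Number"),
}

Fetch = Callable[[str, Dict[str, str]], Dict[str, Any]]


def handle_op_query(body: Dict[str, Any], headers: Dict[str, str],
                    fetch: Fetch) -> Tuple[int, List[Dict[str, Any]]]:
    """Return (http_status, entities) for a forwarded /op/query."""
    # The broker must be configured to forward Authorization (see answer).
    # The PEP in front of this service does the real check; here we simply
    # refuse to enrich the entity if no token arrived, and pass it onward.
    auth = headers.get("Authorization")
    if not auth:
        return 401, []
    # An omitted "attrs" means every registered attribute is wanted.
    wanted = body.get("attrs") or list(ATTR_MAP)
    external = fetch(EXTERNAL_URL, {"Authorization": auth})
    entities: List[Dict[str, Any]] = []
    for ent in body.get("entities", []):
        ngsi_entity: Dict[str, Any] = {"id": ent["id"], "type": ent["type"]}
        for attr in wanted:
            if attr not in ATTR_MAP:
                continue  # not ours; the broker merges its own attributes
            key, ngsi_type = ATTR_MAP[attr]
            if key in external:
                ngsi_entity[attr] = {"type": ngsi_type, "value": external[key]}
        entities.append(ngsi_entity)
    return 200, entities


def fake_fetch(url: str, headers: Dict[str, str]) -> Dict[str, Any]:
    """Constructed stand-in for the third-party API (canned response)."""
    return {"humidity": 63, "temp_c": 21.5, "wind": 4}


if __name__ == "__main__":
    query = {"entities": [{"id": "urn:ngsi-ld:Store:001", "type": "Store"}],
             "attrs": ["relativeHumidity"]}
    print(handle_op_query(query, {"Authorization": "Bearer TOKEN"}, fake_fetch))
```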
