
How can I give permissions based on entity type?

I'm trying to set permissions based on the types of entities Orion is going to save. As the permissions are associated with "endpoints", I tried setting the endpoint to /entities?type=Truck (for example). The problem is that it tells me (Keyrock, through the PEP response) that the user is not authorized in the application. I have looked at all the connections in the database and it appears to me that he is authorized: he has his role, his permission and his assigned organization, all within the only application that has been created.

In the tutorial something similar appears with the POST request, but that is because the entity type is sent in the body of the message. In the case of the GET I don't see it so clearly, since it goes in the URL, but trying this hasn't worked.

Is it possible that this should not be done in this way? How should this type of permission be created?

It seems like overkill to use Authzforce for this, but you could achieve this using string-starts-with and a string-at-least-one-member-of condition, e.g.:

<Target>
  <AnyOf>
    <AllOf>
      <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue>
        <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
      </Match>
    </AllOf>
  </AnyOf>
</Target>
<Condition>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/v2/entities?type=Car</AttributeValue>
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/v2/entities?type=Truck</AttributeValue>
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/v2/entities?type=Bicycle</AttributeValue>
    </Apply>
    <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:thales:xacml:2.0:resource:sub-resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
  </Apply>
</Condition>

This <Target> checks for the GET HTTP verb; the <Condition> ensures that the resource URL will match Truck, Car or Bicycle.
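To see what the two conditions mentioned in the answer actually decide for a given request, here is an added example that is not part of the original answer and not code from Authzforce, Keyrock or the Wilma PEP proxy: a toy Python evaluator for just the XACML subset used above (string-equal in a Target, string-bag, string-at-least-one-member-of, string-one-and-only and the 3.0 string-starts-with). It assumes, as the policy above does, that the PEP forwards the HTTP verb as action-id and the request path plus query string as urn:thales:xacml:2.0:resource:sub-resource-id; the RuleIds and the sample requests are made up for the demonstration.

```python
"""Toy evaluator for the XACML 3.0 subset used in the rule above (hypothetical
helper, not Authzforce). It parses a <Rule>, feeds it a simulated PEP request
(HTTP verb as action-id, path+query as sub-resource-id) and returns the decision,
so the exact-match and starts-with conditions can be compared on real URLs."""
import xml.etree.ElementTree as ET

FN1 = "urn:oasis:names:tc:xacml:1.0:function:"
FN3 = "urn:oasis:names:tc:xacml:3.0:function:"
ACTION_ID = ("urn:oasis:names:tc:xacml:3.0:attribute-category:action",
             "urn:oasis:names:tc:xacml:1.0:action:action-id")
RESOURCE_ID = ("urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
               "urn:thales:xacml:2.0:resource:sub-resource-id")
STR = 'DataType="http://www.w3.org/2001/XMLSchema#string"'

TARGET_GET = f"""<Target><AnyOf><AllOf>
  <Match MatchId="{FN1}string-equal">
    <AttributeValue {STR}>GET</AttributeValue>
    <AttributeDesignator Category="{ACTION_ID[0]}" AttributeId="{ACTION_ID[1]}" {STR} MustBePresent="true"/>
  </Match></AllOf></AnyOf></Target>"""

# Rule 1: the exact-match condition from the answer (RuleId is made up).
RULE_EXACT = f"""<Rule RuleId="read-vehicles-exact" Effect="Permit">{TARGET_GET}
<Condition><Apply FunctionId="{FN1}string-at-least-one-member-of">
  <Apply FunctionId="{FN1}string-bag">
    <AttributeValue {STR}>/v2/entities?type=Car</AttributeValue>
    <AttributeValue {STR}>/v2/entities?type=Truck</AttributeValue>
    <AttributeValue {STR}>/v2/entities?type=Bicycle</AttributeValue>
  </Apply>
  <AttributeDesignator Category="{RESOURCE_ID[0]}" AttributeId="{RESOURCE_ID[1]}" {STR} MustBePresent="true"/>
</Apply></Condition></Rule>"""

# Rule 2: the string-starts-with variant the answer mentions (prefix match on the URL).
RULE_PREFIX = f"""<Rule RuleId="read-trucks-prefix" Effect="Permit">{TARGET_GET}
<Condition><Apply FunctionId="{FN3}string-starts-with">
  <AttributeValue {STR}>/v2/entities?type=Truck</AttributeValue>
  <Apply FunctionId="{FN1}string-one-and-only">
    <AttributeDesignator Category="{RESOURCE_ID[0]}" AttributeId="{RESOURCE_ID[1]}" {STR} MustBePresent="true"/>
  </Apply>
</Apply></Condition></Rule>"""


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # tolerate a default xmlns on the <Rule>


def _eval(el, req):
    """Evaluate an expression element; bags are returned as Python lists."""
    kind = _local(el.tag)
    if kind == "AttributeValue":
        return el.text.strip()
    if kind == "AttributeDesignator":
        bag = req.get((el.get("Category"), el.get("AttributeId")), [])
        if not bag and el.get("MustBePresent") == "true":
            raise LookupError("missing attribute " + el.get("AttributeId"))
        return list(bag)
    fn, args = el.get("FunctionId"), [_eval(c, req) for c in el]
    if fn == FN1 + "string-bag":
        return args
    if fn == FN1 + "string-equal":
        return args[0] == args[1]
    if fn == FN1 + "string-one-and-only":
        if len(args[0]) != 1:
            raise ValueError("bag must hold exactly one value")
        return args[0][0]
    if fn == FN1 + "string-at-least-one-member-of":
        return any(v in args[1] for v in args[0])
    if fn == FN3 + "string-starts-with":  # true if the second string begins with the first
        return args[1].startswith(args[0])
    raise ValueError("unsupported function " + str(fn))


def _match(match, req):
    if match.get("MatchId") != FN1 + "string-equal":
        raise ValueError("only string-equal matches are supported")
    value, bag = _eval(match[0], req), _eval(match[1], req)
    return value in bag  # a <Match> is true if any value in the bag matches


def _target_matches(target, req):
    """<Target> ANDs its <AnyOf> children; <AnyOf> ORs <AllOf>; <AllOf> ANDs <Match>."""
    for any_of in target:
        if not any(all(_match(m, req) for m in all_of) for all_of in any_of):
            return False
    return True


def evaluate(rule_xml, method, url):
    """Return 'Permit', 'Deny' or 'NotApplicable' for one simulated HTTP request."""
    rule = ET.fromstring(rule_xml)
    req = {ACTION_ID: [method], RESOURCE_ID: [url]}  # assumed shape of what the PEP sends
    children = {_local(c.tag): c for c in rule}
    if not _target_matches(children["Target"], req):
        return "NotApplicable"
    cond = children.get("Condition")
    if cond is not None and _eval(cond[0], req) is not True:
        return "NotApplicable"
    return rule.get("Effect")


if __name__ == "__main__":
    # Constructed sample requests: the third and fourth show where each form breaks.
    for name, rule in (("exact", RULE_EXACT), ("prefix", RULE_PREFIX)):
        for method, url in [("GET", "/v2/entities?type=Truck"),
                            ("POST", "/v2/entities?type=Truck"),
                            ("GET", "/v2/entities?type=Truck&limit=5"),
                            ("GET", "/v2/entities?type=Trucks")]:
            print(f"{name:6} {method:4} {url:33} -> {evaluate(rule, method, url)}")
```

Running it shows the trade-off between the two conditions: the exact-match bag rejects any request with an extra or reordered query parameter (`?type=Truck&limit=5` is NotApplicable, so the PEP denies it), while string-starts-with accepts that request but also lets `?type=Trucks` through, because the URL is compared as an opaque string rather than as a parsed query. If the type must match exactly while other parameters vary, the standard `urn:oasis:names:tc:xacml:1.0:function:string-regexp-match` function with an anchored pattern is the usual XACML way to express that.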
