stackoom
  简体   繁体   中英

Orion APIs authorization through Keycloak

 原文  2022-11-07 10:59:28       fiware/ fiware-orion/ fiware-wilma/ fiware-keyrock

Question

After testing authentication in Orion with keycloak ( Orion APIs authentication through Keycloak ) with kong-pep-plugin, I'm interested in the authorization too; in particular, I want to give specific permissions (on path and verb) to users/groups like I used to do with AuthZForce.

Could you help me?

Thank you

1 answers

solution1
 1 ACCPTED  2023-01-12 08:33:59

sorry that I only see your request right now. This is very much tied to configuring Keycloak, but it is possible, yes. The kong-pep-plugin delegates all decisions to Keycloak's Authorization Serivces and just takes its decision. Thus, you should read the documentation on that: https://www.keycloak.org/docs/latest/authorization_services/index.html An example (declarative)configuration for allowing different groups to access different paths can be found in the integration-tests: https://github.com/FIWARE/kong-plugins-fiware/blob/main/it/src/test/k3s/keycloak.yaml#L518-L567 Another, better readable, example is our demo environment:
https://github.com/FIWARE-Ops/fiware-gitops/blob/master/aws/fiware/keycloak/templates/realmConfigMap.yaml#L139-L203 This combination of resources and policies allows the group "consumer" to access the path "/keycloak/ngsi-ld/v1/ ", while the group "admin" can also access "/keycloak/ ". The authorization services allow for much more fine-grained and powerful configurations, so I really recommend the official documentation on it. Best

As an addition for the GET/POST question:

Thats something you can implement with the javascript policies feature from Keycloak(keycloak.org/docs/latest/authorization_services/…). The kong-plugin forwards the http method as "http.method" claim(see github.com/FIWARE/kong-plugins-fiware/blob/main/kong-pep-plugin/…) An example policy could granting access only for GET requests could look like: 

var context = $evaluation.getContext();
var attributes = context.getAttributes();
var method = attributes.getValue('http.method').asString(0); 
if (method === 'GET')
 {$evaluation.grant();

Combining a resource policy with such a js-policy would give you the access-control you want.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Orion APIs authentication through Keycloak orion Keycloak IDM Calling external APIs through fiware orion context broker to validate using keyrock FIWARE [NGSI] Orion-Cygnus-Hadoop HTTPBadRequestException: 'fiware-servicepath' through an Orion subscription I cannot properly read Southbound commands through Orion to MQTT devices Missing attributes on Orion CB Entity when registering device through IDAS Failing to connect to Orion Context Instance through NGSI Updater Widget What is the best way to send vibration sensor timeseries data through FIWARE Orion Context Broker? Adding headers to ORION inquiries Assign Orion entities to users
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM