HELP-13354: FIWARE.Question.Tech.How to configure access control in Orion NGSI API for tenant isolation using Wilma PEP Proxy and IdM Keyrock?

      Description

      Created question in FIWARE Q/A platform on 29-06-2017 at 22:06
      Please, ANSWER this question AT https://stackoverflow.com/questions/44834629/how-to-configure-access-control-in-orion-ngsi-api-for-tenant-isolation-using-wil

      Question:
      How to configure access control in Orion NGSI API for tenant isolation using Wilma PEP Proxy and IdM Keyrock?

      Description:
      I want to provide access control at the Orion Context Broker NGSI API level to ensure real data isolation. I want to make sure that a tenant can only query/update their contexts and NOT those of another tenant.

      To do so, I started putting an instance of Wilma PEP Proxy in front of Orion Context Broker. Then I configured my own Identity Manager Keyrock GE instance based on the official IdM Keyrock Docker image and my own Authorization PDP GE based on the official AuthZForce Docker image.

      After a few days of configuration and many tries, I finally got these three security Generic Enablers working fine, authenticating and authorizing requests for the Orion Context Broker NGSI API using PEP Proxy level 2.

      However, level 2 of authorization is not enough to ensure what I want, because service (tenant) and sub-service (application path) information is in the headers of the request, particularly in the Fiware-Service and Fiware-ServicePath headers. In order to build header-based authorization policies you need to use level 3: XACML authorization.

      The problem is that I did some digging in the official documentation of FIWARE and I could not find any example of an XACML policy. Besides, the official documentation of Wilma PEP Proxy (see here) says that you may have to modify the PEP Proxy source code in order to get this level of authorization:

      As this case is thought to check advanced parameters of the request such as the body or custom headers, it depends on the specific use case. So the programmer should modify the PEP Proxy source code in order to include the specific requirements.

      Is that possible?

      Do I really have to modify the PEP Proxy source code to achieve something as simple as a tenant can only access his data?
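The header-based decision the question describes, as an added illustration that is not code from Wilma, Keyrock or AuthZForce: a PEP-side check that compares the Fiware-Service and Fiware-ServicePath headers against the tenants and service-path subtrees granted to the authenticated caller. The grant structure (`Identity.grants`) is an assumption; in a real deployment it would come from Keyrock's token validation or from an AuthZForce XACML decision.

```python
# Added example (not Wilma / Keyrock / AuthZForce code): a "level 3" style
# tenant-isolation decision driven by the Fiware-Service / Fiware-ServicePath
# headers. The Identity.grants layout is an assumption made for this example.
from dataclasses import dataclass, field


@dataclass
class Identity:
    """Authenticated caller as resolved by the IdM (shape assumed here)."""
    user_id: str
    # tenant name -> set of service-path subtrees the caller may use
    grants: dict = field(default_factory=dict)


def normalise_path(path: str) -> str:
    """Return a canonical absolute service path, or "" if it is invalid.
    Orion treats a missing path as "/", so an empty value maps to the root."""
    p = (path or "/").strip()
    if not p.startswith("/"):
        return ""  # Orion requires absolute service paths
    return p if p == "/" else p.rstrip("/")


def is_allowed(identity: Identity, headers: dict) -> bool:
    """Permit only if the requested tenant is granted to the caller and every
    requested service path (Orion accepts a comma-separated list) lies inside
    one of the subtrees granted for that tenant. Anything else is denied."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    tenant = h.get("fiware-service", "").strip().lower()  # compared case-insensitively here
    if not tenant or tenant not in identity.grants:
        return False  # missing or unknown tenant: deny, never fall back to a default
    subtrees = identity.grants[tenant]
    for raw in h.get("fiware-servicepath", "/").split(","):
        path = normalise_path(raw)
        if not path:
            return False
        # "/a" is inside "/a"; "/a/b" and "/a/#" are inside "/a"; "/ab" is not
        if not any(path == g or path.startswith(g.rstrip("/") + "/") for g in subtrees):
            return False
    return True
```

A PEP placed in front of Orion would run `is_allowed` after token validation and forward the request only on a permit; a deny on any single path in the list rejects the whole request.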

        Activity

        backlogmanager Backlog Manager added a comment - 2018-01-12 19:51|CREATED monitor | # answers= 1, accepted answer= True
        backlogmanager Backlog Manager added a comment - 2018-01-12 19:54|UPDATED status: transition Answer| # answers= 1, accepted answer= True
        backlogmanager Backlog Manager added a comment - 2018-01-12 20:03|UPDATED status: transition Finish| # answers= 1, accepted answer= True

          People

          Assignee: jmcantera Jose Manuel Cantera
          Reporter: backlogmanager Backlog Manager