Uploaded image for project: 'Help-Desk'
  1. Help-Desk
  2. HELP-6895

FIWARE.Request.Tech.Security.PEP-Proxy.Question about prevention of certain calls to Orion Context Broker using HTTP Verb and Resource in Idm

        Details

        • Type: extRequest
        • Status: Closed
        • Priority: Major
        • Resolution: Done
        • Fix Version/s: 2021
        • Component/s: FIWARE-TECH-HELP
        • Labels:
          None
        • HD-Chapter:
          Security
        • HD-Enabler:
          Wilma

          Description

          Dear Sirs,

          We have the current architecture:

          • Own Keyrock instance (server 1) - Ubuntu
          • Orion ContextBroker service (running on server 2) - CentOS
          • PEP Proxy that redirects to our own API (server 2) - CentOS

          It is currently possible to make HTTP calls such as DELETE attribute/entity
          directly to the Context Broker using any API testing tool, such as Postman.
          We want to prohibit this.

          We have some trouble understanding how to go about this.

          This is what we think needs to be done:

          1. Create a PEP Proxy for ContextBroker app in Idm
          2. Configure a PEP Proxy on server 2 (and run next to the current PEP
          Proxy that we already have)
          3. Create a new role and permission (HTTP verb and resource URL) in the
          PEP Proxy for ContextBroker
          4. Link the two (this is by default not possible, however, the
          individual role and permission are created in the Keystone database)
          5. Assign the role to a user (or perhaps an organization?)
          6. Install and configure a AuthZForce server which deals with the
          configured permissions in Idm and transforms them to XACML

          We would like to know if this is the correct way to achieve prohibiting
          certain calls to the Context Broker.

          Our questions are:

          • How can we run a second PEP Proxy next to our already existing PEP
            Proxy on the same server? PEP Proxy 1 is configured in config.js and PEP
            Proxy 2 (for the Context Broker) is configured in config_context_broker.js
            (see config file attached to this e-mail)
          • Does Idm already have a default AuthZForce server, if so, how can we
            activate it?
          • Why can't we link a role to a permission in the user interface
            (perhaps this is because the AuthZForce server is not yet implemented?)
          • How can we configure the PEP Proxy for ContextBroker to work with
            AuthZForce?
          • How can we configure AuthZForce?
          • How can we prohibit certain calls for non-FIWARE users (random people
            that make the calls)?, are the rules only applicable to FIWARE users?

          Hopefully you guys can shed some light on the situation or forward this
          e-mail to the relevant contact person responsible for PEP Proxy, Orion
          Context Broker or AuthZForce. We hope you will get back to us asap. Thanks
          in advance. I also attached an example of a call that can be made to our
          Context Broker to change data.

          1. File
            Append_call_example.rtf
            1 kB
            FW External User
          2. File
            contextBroker_Pep_config.rtf
            2 kB
            FW External User

            Activity

            Ascending order - Click to sort in descending order
            Hide
            Permalink
            aalonsog Alvaro Alonso added a comment -

            Hi, I try to answer the questions related with Wilma and Keyrock:

            Show
            aalonsog Alvaro Alonso added a comment - Hi, I try to answer the questions related with Wilma and Keyrock: You can configure as many PEPs as you want. You have only to modify the listening port. You can configure an AuthZForce in https://github.com/ging/horizon/blob/master/openstack_dashboard/local/local_settings.py.example#L629 . You only need to configure the URL in which it is listening To configure PEP to work with AuthZForce you have to use the Level 2 of security. Here you will find tutorials about this: https://edu.fiware.org/course/view.php?id=131
            Hide
            Permalink
            fw.ext.user FW External User added a comment - - edited

            I already answered this question in the Help desk question you opened.

            Show
            fw.ext.user FW External User added a comment - - edited I already answered this question in the Help desk question you opened.

              People

              • Assignee:
                aalonsog Alvaro Alonso
                Reporter:
                fw.ext.user FW External User
              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: