Help-Desk > HELP-6909

FIWARE.Question.Tech.Security.PEP-Proxy.How to prohibit/allow certain calls (DELETE/APPEND/UPDATE) to the FIWARE Orion Context Broker

    Details

      Description

      Created question in FIWARE Q/A platform on 11-07-2016 at 11:07
      Please, ANSWER this question AT http://stackoverflow.com/questions/38303469/how-to-prohibit-allow-certain-calls-delete-append-update-to-the-fiware-orion-c

      Question:
      How to prohibit/allow certain calls (DELETE/APPEND/UPDATE) to the FIWARE Orion Context Broker

      Description:
      This is our current architecture:

      • Own Keyrock instance (server 1) - Ubuntu
      • Orion ContextBroker service (running on server 2) - CentOS
      • PEP Proxy that redirects to our own API (server 2) - CentOS

      It is currently possible to make HTTP calls such as DELETE attribute/entity directly to the Context Broker using any API testing tool, such as Postman. We want to prohibit this.

      We have some trouble understanding how to go about this.

      This is what we think needs to be done:

      1. Create a PEP Proxy for the ContextBroker app in Idm
      2. Configure a PEP Proxy on server 2 (and run it next to the current PEP Proxy that we already have)
      3. Create a new role and permission (HTTP verb and resource URL) in the PEP Proxy for ContextBroker
      4. Link the two (by default this is not possible; however, the individual role and permission are created in the Keystone database)
      5. Assign the role to a user (or perhaps an organization?)
      6. Install and configure an AuthZForce server which deals with the configured permissions in Idm and transforms them to XACML

      We would like to know if this is the correct way to achieve prohibiting certain calls to the Context Broker.

      Our questions are:

      1. How can we run a second PEP Proxy next to our already existing PEP Proxy on the same server? PEP Proxy 1 is configured in config.js and PEP Proxy 2 (for the Context Broker) is configured in config_context_broker.js
      2. Does Idm already have a default AuthZForce server? If so, how can we activate it?
      3. Why can't we link a role to a permission in the user interface (perhaps this is because the AuthZForce server is not yet implemented)?
      4. How can we configure the PEP Proxy for ContextBroker to work with AuthZForce?
      5. How can we configure AuthZForce?
      6. How can we prohibit/allow certain calls for non-FIWARE users (random people that make HTTP calls)? Are the configured rules only applicable to FIWARE users?

      I hope someone can shed some light on the situation.
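The following is an added example, not part of the question above and not code from Keyrock, Wilma (the FIWARE PEP Proxy) or Orion. It models the authorisation model the question describes (a permission is an action plus a resource pattern, a role groups permissions, a user holds roles) as the check a PEP proxy would run before forwarding a request to the Context Broker. It also covers the NGSIv1 case hinted at by "DELETE/APPEND/UPDATE": on the v1 API those are `updateAction` values inside a POST to `/v1/updateContext`, so a rule keyed on HTTP verb and path alone cannot tell a delete from an append; the example derives the effective action from the request body. All tokens, roles, permission names and paths are constructed for the example; the token table stands in for the token lookup a real PEP proxy performs against Keyrock, and the body-based mapping for v1 is this example's own logic, not something Wilma does out of the box.

```javascript
'use strict';
// Added example (not from the ticket, Keyrock, Wilma or Orion). Everything
// below is constructed: permission names, roles, tokens and the v1 mapping.

// Permissions: action is an HTTP verb for NGSIv2 requests, or an NGSIv1
// updateAction (APPEND/UPDATE/DELETE) for POST /v1/updateContext, where the
// verb alone cannot distinguish a delete from an append.
const PERMISSIONS = {
  'read-entities':   { action: 'GET',    resource: '^/v2/entities(/.*)?$' },
  'create-entities': { action: 'POST',   resource: '^/v2/entities$' },
  'update-attrs':    { action: 'PATCH',  resource: '^/v2/entities/[^/]+/attrs$' },
  'delete-entities': { action: 'DELETE', resource: '^/v2/entities/[^/]+(/attrs/[^/]+)?$' },
  'v1-append':       { action: 'APPEND', resource: '^/v1/updateContext$' },
  'v1-update':       { action: 'UPDATE', resource: '^/v1/updateContext$' },
  'v1-delete':       { action: 'DELETE', resource: '^/v1/updateContext$' },
};

// Roles group permissions; "admin" is the only role that may delete.
const ROLES = {
  reader:   ['read-entities'],
  producer: ['read-entities', 'create-entities', 'update-attrs', 'v1-append', 'v1-update'],
  admin:    Object.keys(PERMISSIONS),
};

// Token -> roles. A real PEP proxy resolves X-Auth-Token against Keyrock;
// here the lookup is a constructed table.
const TOKENS = {
  'tok-reader-0001':   ['reader'],
  'tok-producer-0002': ['producer'],
  'tok-admin-0003':    ['admin'],
};

// Normalise a request into the (action, path) pair the permissions speak of.
// req = { method, path, headers, body }, body already parsed from JSON.
function effectiveAction(req) {
  const path = req.path.split('?')[0];
  const method = req.method.toUpperCase();
  if (method === 'POST' && path === '/v1/updateContext') {
    const ua = req.body && typeof req.body.updateAction === 'string'
      ? req.body.updateAction.toUpperCase() : '';
    // Missing or unknown updateAction: fail closed with an action no permission names.
    return { action: ua || 'UNKNOWN', path };
  }
  return { action: method, path };
}

// The PEP decision: default deny unless a permission of one of the caller's
// roles matches the effective action and the path.
function decide(req) {
  const headers = req.headers || {};
  const token = headers['x-auth-token'];
  // Callers without a known token (the "random people" case) are denied.
  if (!token || !Object.prototype.hasOwnProperty.call(TOKENS, token)) {
    return { allowed: false, reason: 'missing or unknown X-Auth-Token' };
  }
  const { action, path } = effectiveAction(req);
  for (const role of TOKENS[token]) {
    for (const name of ROLES[role] || []) {
      const p = PERMISSIONS[name];
      if (p.action === action && new RegExp(p.resource).test(path)) {
        return { allowed: true, reason: `${role}/${name}` };
      }
    }
  }
  return { allowed: false, reason: `no permission for ${action} ${path}` };
}

// Worked requests (constructed), returned as an object so they can be inspected.
function demo() {
  const hdr = (t) => (t ? { 'x-auth-token': t } : {});
  return {
    anonDelete:       decide({ method: 'DELETE', path: '/v2/entities/Room1', headers: hdr() }),
    readerGet:        decide({ method: 'GET', path: '/v2/entities?type=Room', headers: hdr('tok-reader-0001') }),
    readerDelete:     decide({ method: 'DELETE', path: '/v2/entities/Room1', headers: hdr('tok-reader-0001') }),
    producerV1Append: decide({ method: 'POST', path: '/v1/updateContext', headers: hdr('tok-producer-0002'),
                               body: { updateAction: 'APPEND', contextElements: [] } }),
    producerV1Delete: decide({ method: 'POST', path: '/v1/updateContext', headers: hdr('tok-producer-0002'),
                               body: { updateAction: 'DELETE', contextElements: [] } }),
    adminAttrDelete:  decide({ method: 'DELETE', path: '/v2/entities/Room1/attrs/temperature', headers: hdr('tok-admin-0003') }),
  };
}

for (const [name, verdict] of Object.entries(demo())) {
  console.log(`${name.padEnd(18)} ${verdict.allowed ? 'ALLOW' : 'DENY '} (${verdict.reason})`);
}
```

Two caveats that follow from the model rather than from the code: the decision only applies to traffic that actually passes through the PEP proxy, so the Postman call in the question keeps working until Orion's own listening port (1026 by default) is closed to everything except the proxy, for example with a host firewall on server 2; and because the PEP proxy checks HTTP verb and path, separating NGSIv1 APPEND/UPDATE/DELETE requires either inspecting the request body as above or moving clients to the NGSIv2 API, where those operations map to distinct verbs.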

        Activity

        backlogmanager Backlog Manager added a comment -

        2016-07-12 21:05|CREATED monitor | # answers= 0, accepted answer= False

        aalonsog Alvaro Alonso added a comment -

        Duplicated HELP-6895


          People

          • Assignee: aalonsog Alvaro Alonso
          • Reporter: backlogmanager Backlog Manager
          • Votes: 0
          • Watchers: 2

          Dates

          • Created:
          • Updated:
          • Resolved: