Details
-
Type:
extRequest
-
Status: Closed
-
Priority:
Major
-
Resolution: Done
-
Fix Version/s: 2021
-
Component/s: FIWARE-TECH-HELP
-
Labels:None
-
HD-Chapter:Security
-
HD-Enabler:AuthZForce
Description
Hello,
We would like to secure out ContextBroker so POSTS are allowed, but a
DELETE isn't. We've asked you about this and you've said we should do the
following:
- You can configure as many PEPs as you want. You have only to modify the
> listening port.
> * You can configure an AuthZForce in
> https://github.com/ging/horizon/blob/master/openstack_dashboard/local/local_settings.py.example#L629.
> You only need to configure the URL in which it is listening
> * To configure PEP to work with AuthZForce you have to use the Level 2 of
> security. Here you will find tutorials about this:
> https://edu.fiware.org/course/view.php?id=131
We've tried this, but we've had the following problems:
- If we pull the docker image of
fiware/authzforce-ce-server:release-5.4.0 or release-5.3.0a, the image
starts, but shuts down after a few seconds after which the logs state that
tomcat 7 can't be started. - When we run fiware/authzforce-ce-server:release-4.4.1b, we get a
tomcat with no webapp in the webapps directory other than the default
stuff. - Performing a manual installation using this guide
<http://authzforce-ce-fiware.readthedocs.io/en/release-5.3.0a/InstallationAndAdministrationGuide.html#installation>
will
have the same result.
In your previous mail, it is stated that we need AuthZForce. However,
Keypass seems to do something similar. Can you explain the difference?
Can you help us with this?
Activity
Policies are created in AuthZForce when you assign a permission to a role and click in the button "Save". Are you doing this? It seems you are only creating the permission.
I linked a permission to a role and clicked on save to generate the
rule/policy but do not see what you describe in my logs (these are the logs
we previously sent up).
I do see:
ACCESS_CONTROL_MAGIC_KEY setting is not set.
WARNING:idm_logger:ACCESS_CONTROL_MAGIC_KEY setting is not set.
Met vriendelijke groet/Kind regards
Just to be sure:
Do we need to configure a Wilma PEP proxy and specify the Authorization PDP
GE URL in the config file? We are only configuring IDM with the AuthZForce
service.
Because we don't specific a our AuthZForce domain maybe the system doesn't
know where to write the policy? I saw that we do have to define this in the
PEP config file if we were to use this in combination with IDM and the
AuthZForce service.
Met vriendelijke groet/Kind regards,
Hi,
you have to use your own AuthZForce instance an set its address in Horizon configuration. PEP Proxy is not necessary.
Hello Help-Desk/Alvaro Alonso,
Thank you for your reply and possibile fixes. Unfortunately it still does not work yet.
To move forward on the security, we have decided to change our software-architecture.
In this new architecture we do not need to secure the Contextbroker anymore since it will listen to our local API only.
I would like to thank you al for the support on this issue. From our perspective, you may close this issue.
Dear Sir/Madam,
We are really struggling to secure the ContextBroker to prevent DELETE
calls. So much that this has become an impediment to successfully finish
our sprint. As Scrum master of this team I would like to ask you kindly to
respond to the e-mail below. An indication of when we can expect a response
would also really be helpful.
We look forward to your response.