
FIWARE.Request.Tech.Security.IDM-KeyRock.How to hide the organizations from anyone visiting the front-end of IDM

    Details

    • Type: extRequest
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Fix Version/s: 2021
    • Component/s: FIWARE-TECH-HELP
    • Labels:
      None

      Description

      Dear FIWare support employee,

      We are currently facing an operational problem with IDM.
      Could you please advise us here how to fix or workaround this issue to accomplish the wanted situation?

      High level
      When our operational customer users are using IDM (account) they can see other organizations also.
      We would like to hide the organizations from anyone visiting the front-end of IDM (Horizon)

      Detailed level
      We would like to hide the organizations from anyone visiting the front-end of IDM (Horizon).
      We tried to hide it by using an .htaccess file, adding an additional PEP-Proxy and changing user roles. However, none of these potential fixes did the job.
      The fact that users can see the organization which they are part of, or own, isn’t necessarily the issue. At the /idm/organizations endpoint, there’s a tab called ‘Other Organisations’ which we would like to hide.
      This is wanted since we don’t want our customers to see which other customers are using the application.

      Note: We use Docker to build our own IDM and we could overwrite code by changing the Dockerfile, but we feel that this isn’t the right way to fix the issue.

      Kind Regards,

      Simon Vos

      Arthur van Schendelstraat 650
      3511 MJ Utrecht
      ■ mob +31(0) 6 21 49 93 82
      ■ tel receptie +31(0)30 699 70 20
      ■ mail s.vos@itude.com <s.vos@itude.com>
      ■ linkedIn linkedin.com/in/simonvos <https://linkedin.com/in/simonvos>

      www.itude.com <http://www.itude.com/> ■ K.v.K. 30146090
      _____________________________________________________________________________
      **A disclaimer applies to this e-mail. Its content can be read on our website**

      [Created via e-mail received from: Simon Vos <s.vos@itude.com>]


        Activity

        fw.ext.user FW External User added a comment -

        Comment by s.vos@itude.com :

        Hello,

        We sent last week an issue on FIWARE.
        Could you please assign a JIRA issue on this?
        Is there any progress on this issue? We are eager to solve this issue.

        Many thanks, kind regards, Simon Vos


        > On 30 Sep 2016, at 09:03, Simon Vos <s.vos@itude.com> wrote:
        >
        > Dear FIWare support employee,
        >
        > We are currently facing an operational problem with IDM.
        > Could you please advise us here how to fix or workaround this issue to accomplish the wanted situation?
        >
        >
        > High level
        > When our operational customer users are using IDM (account) they can see other organizations also.
        > We would like to hide the organizations from anyone visiting the front-end of IDM (Horizon)
        >
        > Detailed level
        > We would like to hide the organizations from anyone visiting the front-end of IDM (Horizon).
        > We tried to hide it by using an .htaccess file, adding an additional PEP-Proxy and changing user roles. However, none of these potential fixes did the job.
        > The fact that users can see the organization which they are part of, or own, isn’t necessarily the issue. At the /idm/organizations endpoint, there’s a tab called ‘Other Organisations’ which we would like to hide.
        > This is wanted since we don’t want our customers to see which other customers are using the application.
        >
        >
        > Note: We use Docker to build our own IDM and we could overwrite code by changing the Dockerfile, but we feel that this isn’t the right way to fix the issue.
        >
        >
        >
        >
        > Kind Regards,
        >
        > Simon Vos
        aalonsog Alvaro Alonso added a comment -

        The issue has been emailed:

        • Time sent: 04/Oct/16 2:32 PM
        • To: s.vos@itude.com
        • Cc: babbler@itude.com,fefernandez@dit.upm.es
        • with subject: *(HELP-7406) How to hide the organizations from anyone visiting the front-end of IDM *

        Dear Simon,

        you have to perform two actions to disable those organizations visualization in the Account Portal Interface. The first one consists of code modification and the second one of configuration.

        1. Not rendering "Other organizations" tab when serving the corresponding view
        2. Disabling the possibility of getting organizations to users that are not owners/authorized.

        My colleague Federico (cc'ed) will explain to you the details of how to implement them.

        BR

        fw.ext.user FW External User added a comment -

        Comment by s.vos@itude.com :

        Hello Federico,

        Thank you for helping us on this issue, so we can move forward.
        As listed below by BR of the JIRA Help Desk, you should be able to inform us in more detail on this issue.
        What changes should we make to disable the possibility of getting organizations to users that are not owners/authorized?
        Many thanks.

        Kind Regards,

        Simon Vos

        fw.ext.user FW External User added a comment -

        Comment by fefernandez@dit.upm.es :

        Dear Simon,

        Thank you for writing. As my colleague Álvaro Alonso stated in a previous
        message, two actions should be taken if you are to disable the possibility
        of getting "other organizations" to users.

        1. In order not to render the "Other organizations tab", all you need to
           do is *remove the* OtherOrganizationsTab from the tabs tuple of the
           Organizations Tab Group. The module that needs to be modified is inside
           horizon/openstack_dashboards/dashboards/idm/organizations. You can find
           where the exact line is in this link
           <https://github.com/ging/horizon/blob/master/openstack_dashboard/dashboards/idm/organizations/tabs.py#L120>.
           The tuple should look like this:

               tabs = (OwnedOrganizationsTab, MemberOrganizationsTab)

           This way, only owned organizations or those that the user is a member of
           will be rendered, and they will have no access to the rest of them.

        2. If you also want to reject requests to the get_project Keystone API
           endpoint (which I recommend if you really want to reject access, not only
           via the web interface but also via the API), you have to change the
           policy.json file. This file is placed inside the etc folder (take a look
           at this link
           <https://github.com/ging/keystone/blob/master/etc/policy.json#L44>). You
           should change the "identity:get_project" and the "identity:list_projects"
           policies to suit your needs.

        Hope this works for you. Please, come back to us if we can be of further
        help.

        Sincerely,
        Federico Fernández

        2016-10-06 16:48 GMT+02:00 Simon Vos <s.vos@itude.com>:

        > Hello Federico,
        >
        > Thank you for helping us on this issue, so we can move forward.
        > As listed below by BR of the JIRA Help Desk, you should be able to inform
        > us in more detail on this issue.
        > What changes should we make to disable the possibility of getting
        > organizations to users that are not owners/authorized?
        > Many thanks.
        >
        >
        > Kind Regards,
        >
        > Simon Vos
        >
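
A check for step 2 of the answer above, as an added example (not part of the original reply and not code from ging/keystone): it reads a policy.json and reports whether "identity:get_project" and "identity:list_projects" still let every caller through, following "rule:" aliases. The sample policy values are constructed; only flat expressions are evaluated, and anything with grouping parentheses, list syntax or an unresolved alias is marked "review" for a manual look.

```python
import json
import re

# The two Keystone policies named in the answer above.
TARGETS = ("identity:get_project", "identity:list_projects")

def verdict(expr, rules, seen=frozenset()):
    """Classify a policy rule as 'always', 'never', 'conditional' or 'review'."""
    if not isinstance(expr, str):
        return "review"                      # legacy list syntax: check by hand
    expr = expr.strip()
    if re.search(r"(?<!%)\(", expr):
        return "review"                      # grouping parentheses are not handled
    # "or" binds loosest, so split on it first, then on "and".
    for op, win, lose in ((" or ", "always", "never"), (" and ", "never", "always")):
        if op in expr:
            parts = {verdict(p, rules, seen) for p in expr.split(op)}
            if win in parts:
                return win
            if "review" in parts:
                return "review"
            return lose if parts == {lose} else "conditional"
    if expr.startswith("not "):
        inner = verdict(expr[4:], rules, seen)
        return {"always": "never", "never": "always"}.get(inner, inner)
    if expr in ("", "@"):
        return "always"                      # empty rule or "@": every caller passes
    if expr == "!":
        return "never"
    if expr.startswith("rule:"):             # alias: follow it, guarding against loops
        name = expr[5:]
        if name in seen or name not in rules:
            return "review"
        return verdict(rules[name], rules, seen | {name})
    return "conditional"                     # role:, user_id:, project_id: ... checks

def audit(policy_text):
    """Return {policy name: verdict} for the two project policies."""
    rules = json.loads(policy_text)
    return {n: verdict(rules[n], rules) if n in rules else "missing" for n in TARGETS}

# Constructed samples, not copied from ging/keystone.
OPEN_POLICY = '{"any_user": "", "identity:get_project": "rule:any_user", "identity:list_projects": ""}'
TIGHT_POLICY = json.dumps({
    "admin_required": "role:admin or is_admin:1",
    "identity:get_project": "rule:admin_required or project_id:%(target.project.id)s",
    "identity:list_projects": "rule:admin_required",
})

if __name__ == "__main__":
    print(audit(OPEN_POLICY))    # both policies: 'always'
    print(audit(TIGHT_POLICY))   # both policies: 'conditional'
```

A verdict of "always" on either policy means the API still returns other organizations to any authenticated user, even with the tab removed from the dashboard.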

        fw.ext.user FW External User added a comment -

        Comment by s.vos@itude.com :

        Dear Federico,

        We have analyzed the implementing guidelines for hiding the organizations for other users.
        We implemented this and it works fine for us.
        Many thanks.

        Kind Regards,

        Simon Vos

        fw.ext.user FW External User added a comment -

        Comment by fefernandez@dit.upm.es :

        Dear Simon,

        We're so happy to see that the guidelines worked for your use case. Please
        don't hesitate to contact us in the future if we can be of further help.

        Sincerely,
        Federico Fernández

        2016-10-14 9:56 GMT+02:00 Simon Vos <s.vos@itude.com>:

        > Dear Federico,
        >
        > We have analyzed the implementing guidelines for hiding the organizations
        > for other users.
        > We implemented this and it works fine for us.
        > Many thanks.
        >
        > Kind Regards,
        >
        > Simon Vos

          People

          • Assignee:
            aalonsog Alvaro Alonso
            Reporter:
            fw.ext.user FW External User