
[Fiware-lab-help] FIWARE Lab Assistance

    Details

    • Type: extRequest
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Fix Version/s: 2021
    • Component/s: FIWARE-TECH-HELP
    • Labels: None

      Description

      Hi,

      I am trying to use the FIWARE security Generic Enablers: PEP Proxy, IDM KeyRock and AuthZForce. Specifically, I am using the instances available to trial users at the URL https://account.lab.fiware.org.

      My problem is related to level 1 of authorization. I have configured PEP Proxy to check permissions using AuthZForce, as you can see below:

      config.azf = {
          enabled: true,
          protocol: 'https',
          host: 'auth.lab.fiware.org',
          port: 6019,
          custom_policy: undefined // use undefined to default policy checks (HTTP verb + path).
      };

      My application has only one authorized user. When I send requests to PEP Proxy with an authorized user's token, everything goes OK:

      2017-05-09 08:56:29.958 - INFO: AZF-Client - Checking authorization to roles [ '106' ] to do GET on and app 43bb03d87eb742918aaef19fcd41a002
      2017-05-09 08:56:29.963 - INFO: AZF-Client - Checking auth with AZF...
      2017-05-09 08:56:30.388 - INFO: Root - Access-token OK. Redirecting to app...

      Nevertheless, if I use a token for an unauthorized user, the result is the same:

      2017-05-09 08:58:09.501 - INFO: AZF-Client - Checking authorization to roles [] to do GET on and app 43bb03d87eb742918aaef19fcd41a002
      2017-05-09 08:58:09.502 - INFO: AZF-Client - Checking auth with AZF...
      2017-05-09 08:58:09.876 - INFO: Root - Access-token OK. Redirecting to app...

      As you can see in the output of PEP Proxy, the user does not have a role in the app but the request is approved.

      Daniel Calvo Alonso
      Fiware-lab-help mailing list
      Fiware-lab-help@lists.fiware.org
      https://lists.fiware.org/listinfo/fiware-lab-help

      [Created via e-mail received from: "Calvo Alonso, Daniel" <daniel.calvo@atos.net>]

        Activity

        aalonsog Alvaro Alonso added a comment -

        Hi, could you please enable debug level in AZF logs and share the output?
        Thanks!

        fw.ext.user FW External User added a comment -

        Comment by daniel.calvo@atos.net :

        Hi,

        As you can see in the PEP Proxy configuration file, we are using the AZF instance at 'auth.lab.fiware.org'. I guess that with a trial account it is not possible to enable debug logs, is it?

        BR and thanks in advance,

        Daniel

        aalonsog Alvaro Alonso added a comment -

        Sorry, I meant in AZF module of PEP Proxy.

        BR

        fw.ext.user FW External User added a comment -

        Comment by daniel.calvo@atos.net :

        Hi,

        This is the output I get:

        2017-05-31 16:29:07.631 - INFO: Server - Starting PEP proxy in port 1338. Keystone authentication ...
        2017-05-31 16:29:08.289 - INFO: Server - Success authenticating PEP proxy. Proxy Auth-token: 80772ce1399548e997443f77f80ada41
        2017-05-31 16:29:21.467 - INFO: IDM-Client - Checking token with IDM...
        2017-05-31 16:29:21.619 - INFO: AZF-Client - Checking auth with AZF...
        2017-05-31 16:29:21.621 - INFO: AZF-Client - Checking authorization to roles [] to do GET on and app 43bb03d87eb742918aaef19fcd41a002
        2017-05-31 16:29:21.636 - DEBUG: AZF-Client - XML: <?xml version="1.0" encoding="UTF-8" standalone="yes"?><Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false"><Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"></Attributes><Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false"><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">43bb03d87eb742918aaef19fcd41a002</AttributeValue></Attribute><Attribute AttributeId="urn:thales:xacml:2.0:resource:sub-resource-id" IncludeInResult="false"><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"></AttributeValue></Attribute></Attributes><Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false"><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue></Attribute></Attributes><Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"></Attributes></Request>
        2017-05-31 16:29:21.637 - INFO: AZF-Client - Checking auth with AZF...
        2017-05-31 16:29:21.929 - DEBUG: AZF-Client - AZF response status: 200
        2017-05-31 16:29:21.929 - DEBUG: AZF-Client - AZF response: <?xml version="1.0" encoding="UTF-8" standalone="yes"?><ns5:Response xmlns:ns2="http://authzforce.github.io/rest-api-model/xmlns/authz/5" xmlns:ns3="http://authzforce.github.io/pap-dao-flat-file/xmlns/properties/3.6" xmlns:ns4="http://authzforce.github.io/core/xmlns/pdp/3.6" xmlns:ns5="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:ns6="http://www.w3.org/2005/Atom"><ns5:Result><ns5:Decision>Permit</ns5:Decision></ns5:Result></ns5:Response>
        2017-05-31 16:29:21.965 - DEBUG: AZF-Client - AZF response parsing result (JSON): { Response:
           { '$':
              { 'xmlns:ns2': 'http://authzforce.github.io/rest-api-model/xmlns/authz/5',
                'xmlns:ns3': 'http://authzforce.github.io/pap-dao-flat-file/xmlns/properties/3.6',
                'xmlns:ns4': 'http://authzforce.github.io/core/xmlns/pdp/3.6',
                'xmlns:ns5': 'urn:oasis:names:tc:xacml:3.0:core:schema:wd-17',
                'xmlns:ns6': 'http://www.w3.org/2005/Atom' },
             Result: [ [Object] ] } }
        2017-05-31 16:29:21.968 - DEBUG: AZF-Client - AZF response parsing error ('null' means no error): null
        2017-05-31 16:29:21.969 - DEBUG: AZF-Client - Decision: Permit
        2017-05-31 16:29:21.971 - INFO: Root - Access-token OK. Redirecting to app..

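        Added example, not code from the ticket or from PEP Proxy: a Python model of the exchange described in the ticket and shown in the debug log above. It serialises the same XACML 3.0 Request the proxy logged (an empty access-subject category when the user has no roles), reads the Decision out of the AuthZForce Response, and applies the fail-closed rule a PEP can enforce locally: a subject with no role in the application is denied before the PDP is consulted, and anything but an explicit Permit is denied. The role attribute id `urn:oasis:names:tc:xacml:2.0:subject:role` is an assumption; the application id and the Response are copied from the log.

```python
# Added example (not the ticket's or the PEP Proxy's code): fail-closed handling
# of AuthZForce XACML 3.0 decisions. ROLE_ATTR is an assumed attribute id.
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XSD_STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
ENV_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
SUB_RESOURCE_ID = "urn:thales:xacml:2.0:resource:sub-resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
ROLE_ATTR = "urn:oasis:names:tc:xacml:2.0:subject:role"  # assumption, not from the log

# Application id and PDP answer copied from the debug log in this ticket.
APP_ID = "43bb03d87eb742918aaef19fcd41a002"
SAMPLE_AZF_RESPONSE = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<ns5:Response xmlns:ns5="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">'
    "<ns5:Result><ns5:Decision>Permit</ns5:Decision></ns5:Result></ns5:Response>"
)


def _tag(local):
    return f"{{{XACML_NS}}}{local}"


def build_request(roles, app_id, path, verb):
    """Serialise the Request the proxy logs: roles under access-subject,
    app id and path as resource attributes, the HTTP verb as the action."""
    ET.register_namespace("", XACML_NS)
    req = ET.Element(_tag("Request"), {"CombinedDecision": "false", "ReturnPolicyIdList": "false"})

    def category(cat):
        return ET.SubElement(req, _tag("Attributes"), {"Category": cat})

    def attribute(parent, attr_id, value):
        a = ET.SubElement(parent, _tag("Attribute"), {"AttributeId": attr_id, "IncludeInResult": "false"})
        ET.SubElement(a, _tag("AttributeValue"), {"DataType": XSD_STRING}).text = value

    subject = category(SUBJECT_CAT)  # stays empty for a user with no roles, as in the log
    for role in roles:
        attribute(subject, ROLE_ATTR, role)
    resource = category(RESOURCE_CAT)
    attribute(resource, RESOURCE_ID, app_id)
    attribute(resource, SUB_RESOURCE_ID, path)
    attribute(category(ACTION_CAT), ACTION_ID, verb)
    category(ENV_CAT)
    return ET.tostring(req, encoding="unicode")


def parse_decision(response_xml):
    """Decision text of an AuthZForce Response, or None when it cannot be read.
    Matching by namespace makes the ns5: prefix seen in the log irrelevant."""
    try:
        root = ET.fromstring(response_xml)
    except ET.ParseError:
        return None
    decision = root.find(".//" + _tag("Decision"))
    return decision.text.strip() if decision is not None and decision.text else None


def authorize(roles, response_xml):
    """Fail-closed PEP rule: a subject with no role in the app is denied before
    the PDP is consulted, and anything other than an explicit Permit is denied."""
    if not roles:
        return False, "deny: subject has no role in this application"
    decision = parse_decision(response_xml)
    if decision == "Permit":
        return True, "permit"
    return False, f"deny: PDP decision was {decision!r}"
```

With the role list from the ticket's second trace (`[]`), `authorize` denies even though the PDP said Permit; with `['106']` it permits only because the Decision element reads Permit.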
        fw.ext.user FW External User added a comment -

        Comment by daniel.calvo@atos.net :

        Do you have some updates regarding this issue? We have already integrated IDM KeyRock in our project and the next step is to protect our endpoints with the Authorization GE.

        Thanks in advance and BR,

        P.S. We have an upgraded FIWARE account, I don't know if this can be helpful to give you more information to solve the problem.


          People

          • Assignee: aalonsog Alvaro Alonso
          • Reporter: fw.ext.user FW External User
          • Votes: 0
          • Watchers: 2
