具有keycloak的ABAC-在策略中使用资源属性 [英] ABAC with keycloak - Using Resource attributes in policy

问题描述

我要实现的目标

使用以下策略保护Keycloak中的资源:

Protect a resource in Keycloak with policy like:

if (resource.status == 'draft') $evaluation.grant(); 
else $evaluation.deny();

遵循其官方文档和邮件列表响应，看来基于属性的访问控制是但是，我找不到使它正常工作的方法.

Going by their official documents and mailing list responses, it seems attribute based access control is possible, however, I could not find a way of getting it to work.

我尝试过的事情

• 使用授权服务:无法弄清楚我可以在哪里以及如何从资源实例中注入属性.
• 使用授权上下文:我希望获得与资源和范围相关联的策略，以便我自己进行评估.

• Using Authorization Services: I was unable to figure out where and how I can inject the attributes from the resource instance.
• Using Authorization Context: I was hoping to get the policies associated with a resource and a scope so that I could evaluate them my self.

到目前为止，两种方法都无济于事.老实说，授权服务中使用的术语使我不知所措.

So far, I have managed to get no where with both approaches. To be honest, I have been overwhelmed by the terminology used in the Authorization services.

问题 在keycloak中定义策略时如何使用资源实例的属性?

Question How can I use attributes of a resource instance while defining a policy in keycloak?

推荐答案

我通过创建JavaScript策略在Keycloak 4.3中解决了此问题，因为属性策略尚不存在.这是我正在工作的代码示例(请注意，属性值是一个列表，因此您必须与列表中的第一项进行比较):

I solved this problem in Keycloak 4.3 by creating a JavaScript policy because Attribute policies don't exist (yet). Here is an example of the code I got working (note that the attribute values are a list, so you have to compare against the first item in the list):

var permission = $evaluation.getPermission();
var resource = permission.getResource();
var attributes = resource.getAttributes();

if (attributes.status !== null && attributes.status[0] == "draft") {
    $evaluation.grant();
} else {
    $evaluation.deny();
}

这篇关于具有keycloak的ABAC-在策略中使用资源属性的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！