具有keycloak的ABAC-在策略中使用资源属性 [英] ABAC with keycloak - Using Resource attributes in policy
问题描述
我要实现的目标
使用以下策略保护Keycloak中的资源:
Protect a resource in Keycloak with policy like:
if (resource.status == 'draft') $evaluation.grant();
else $evaluation.deny();
遵循其官方文档和邮件列表响应,看来基于属性的访问控制是但是,我找不到使它正常工作的方法.
Going by their official documents and mailing list responses, it seems attribute based access control is possible, however, I could not find a way of getting it to work.
我尝试过的事情
- Using Authorization Services: I was unable to figure out where and how I can inject the attributes from the resource instance.
- Using Authorization Context: I was hoping to get the policies associated with a resource and a scope so that I could evaluate them my self.
到目前为止,两种方法都无济于事.老实说,授权服务中使用的术语使我不知所措.
So far, I have managed to get no where with both approaches. To be honest, I have been overwhelmed by the terminology used in the Authorization services.
问题 在keycloak中定义策略时如何使用资源实例的属性?
Question How can I use attributes of a resource instance while defining a policy in keycloak?
推荐答案
我通过创建JavaScript策略在Keycloak 4.3中解决了此问题,因为属性策略尚不存在.这是我正在工作的代码示例(请注意,属性值是一个列表,因此您必须与列表中的第一项进行比较):
I solved this problem in Keycloak 4.3 by creating a JavaScript policy because Attribute policies don't exist (yet). Here is an example of the code I got working (note that the attribute values are a list, so you have to compare against the first item in the list):
var permission = $evaluation.getPermission();
var resource = permission.getResource();
var attributes = resource.getAttributes();
if (attributes.status !== null && attributes.status[0] == "draft") {
$evaluation.grant();
} else {
$evaluation.deny();
}
这篇关于具有keycloak的ABAC-在策略中使用资源属性的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!