Fiware IDM: Dynamic permission resource


Question

I've deployed an application based on Fiware generic enablers, in Docker. The versions are:



  • Orion 1.14
  • Cygnus 1.9.0
  • Authzforce 5.4.1
  • Keyrock: the latest
  • Pep-proxy: 7.0.1

But when I want to create a permission in Keyrock, I can't find a specific syntax or character sequence to enter a dynamic resource in the resource field, like /resource1/<user>/info, or to specify only the resource prefix, like /resource2/<whatever>.

Does a syntax for dynamic resources really exist, so that Authzforce can create permissions associated with a dynamic resource, or is it necessary to create an XACML rule?

Recommended answer

Yes, it is necessary to create an Advanced XACML Rule. For example, you may look at the XACML Rule template in the IDM source code, which is used to generate a basic Rule (for a static resource path); you would have to customize it (besides removing the template code <%...%>), especially modify the Target and the Condition elements (use XACML function string-concatenate to create the string /resource1/{param}/info dynamically).

Another difficulty is to get the {param} value in the PEP, and make sure it is sent in the XACML Request to AuthzForce PDP. The Pep-proxy only gets/sends the following XACML attributes as you can see from the Pep's Authzforce client code (names shortened for conciseness): resource-id, sub-resource-id, action-id, subject-role. Therefore, if you want the user-id as {param} for example, you have to modify the Pep code I just mentioned, i.e. extract the user ID from the userInfo variable and add the corresponding XACML Attribute (subject-id) in the Request. Or use your own Pep and do whatever you want of course.
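
The PEP-side change described in the answer above, as an added example (not the Pep-proxy's own code and not part of the original answer): it builds an XACML 3.0 Request that carries subject-id next to the four attributes the answer lists, and XML-escapes every value so a crafted user ID or path cannot inject attributes. The function names, the shape of userInfo ({ id, roles: [{ id }] }) and the sub-resource-id URN are assumptions.

```javascript
// Added example: hypothetical helpers, not the Pep-proxy's own code.
const CAT = {
  subject: 'urn:oasis:names:tc:xacml:1.0:subject-category:access-subject',
  resource: 'urn:oasis:names:tc:xacml:3.0:attribute-category:resource',
  action: 'urn:oasis:names:tc:xacml:3.0:attribute-category:action',
};
const ID = {
  subjectId: 'urn:oasis:names:tc:xacml:1.0:subject:subject-id',
  role: 'urn:oasis:names:tc:xacml:2.0:subject:role',
  resourceId: 'urn:oasis:names:tc:xacml:1.0:resource:resource-id',
  // Assumed URN for the request path; use the one in your Keyrock rule template.
  subResourceId: 'urn:thales:xacml:2.0:resource:sub-resource-id',
  actionId: 'urn:oasis:names:tc:xacml:1.0:action:action-id',
};
const STRING = 'http://www.w3.org/2001/XMLSchema#string';

// Escape values so a crafted user ID or path cannot inject XML into the Request.
function xmlEscape(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' }[c]));
}

// One <Attribute>, possibly multi-valued; an empty value list yields no element.
function attr(id, values) {
  const vals = [].concat(values).map((v) =>
    `<AttributeValue DataType="${STRING}">${xmlEscape(v)}</AttributeValue>`);
  if (vals.length === 0) return '';
  return `<Attribute AttributeId="${id}" IncludeInResult="false">${vals.join('')}</Attribute>`;
}

// userInfo shape ({ id, roles: [{ id }] }) is an assumption about the IdM response.
function buildXacmlRequest(userInfo, appId, path, method) {
  const group = (cat, body) => `<Attributes Category="${cat}">${body}</Attributes>`;
  const roleIds = (userInfo.roles || []).map((r) => r.id);
  return '<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" ' +
    'CombinedDecision="false" ReturnPolicyIdList="false">' +
    group(CAT.subject, attr(ID.subjectId, userInfo.id) + attr(ID.role, roleIds)) +
    group(CAT.resource, attr(ID.resourceId, appId) + attr(ID.subResourceId, path)) +
    group(CAT.action, attr(ID.actionId, method)) +
    '</Request>';
}

// Local mirror of the rule's Condition, for unit-testing the PEP change:
// string-equal(sub-resource-id, string-concatenate("/resource1/", subject-id, "/info")).
function conditionHolds(userInfo, path) {
  return path === '/resource1/' + userInfo.id + '/info';
}
```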
