Fiware-Orion: Access control on a per subscription basis

Problem description

I would like to know if the following scenario is possible:

A Fiware Orion Context Broker instance, to which different data providers connect to publish their data. For each data item (context), the particular data provider should be able to control which application or data consumer is allowed to subscribe to this context. Is this possible with Orion? How can this be done?

I've looked into the multitenant model, but I guess that is not the proper way to do this. Am I right? Are there any alternatives? You can protect the Orion instance with a PEP proxy, but I guess it does not allow access control on a per subscription basis.

Any hints would be appreciated.

Recommended answer

The scenario that you propose can be implemented, if I understood correctly, with Steelskin PEP Proxy and the multitenant mechanism (but with some concerns).

In your scenario, your whole application would be a service (indicated in all transactions with the fiware-service), and each data provider would own a dedicated subservice (indicated with the fiwareservicepath header). All the users (both administrators from the data providers and final users and applications) would be users of that service. Using XACML, different permissions can be assigned to each possible action and user in different roles. E.g.: you can create a dataProvider role with full permissions under its subservice and a dataConsumer role that should be able just to subscribe and read.

This scenario has some problems, mainly concerning who creates the users and roles and assigns roles to users. In order to use Steelskin, you have to map services to Keystone Domains and subservices to Keystone Projects; and users belong to the domain. It is the domain (service) administrator who is in charge of creating the users, so, in your case, data providers would not be able to create new users (and probably not even assign them as subservice customers).

If you need an example on how to connect these pieces together to achieve this, take a look at:

https://github.com/telefonicaid/fiware-pep-steelskin/blob/master/keystoneInstallation.md

Hope it helps
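As an added illustration of the role scheme described in this answer (example code, not Steelskin's or Orion's own), a small Python model of the PEP decision: the service and subservice come from the fiware-service / fiware-servicepath headers, a dataProvider is confined to the subservice it owns, and a dataConsumer may only read and subscribe. The token table, the service name `myapp` and the coarse action names are assumptions made for the example.

```python
# Constructed model of the per-subservice role scheme: one fiware-service per
# application, one fiware-servicepath per data provider, a dataProvider role
# with full rights on its own subservice and a dataConsumer role limited to
# read and subscribe. Deny by default.

# Hypothetical identities a Keystone-backed PEP would resolve from a token.
USERS = {
    "tok-provider-a": {"role": "dataProvider", "subservice": "/providerA"},
    "tok-provider-b": {"role": "dataProvider", "subservice": "/providerB"},
    "tok-consumer":   {"role": "dataConsumer", "subservice": None},
}

# Actions each role may perform; dataProvider is additionally scoped below.
ROLE_ACTIONS = {
    "dataProvider": {"read", "create", "update", "delete", "subscribe"},
    "dataConsumer": {"read", "subscribe"},
}

SERVICE = "myapp"  # assumed fiware-service for the whole application


def classify_action(method, path):
    """Map an NGSIv2 request to a coarse action name (own naming, not Steelskin's)."""
    if path.startswith("/v2/subscriptions") and method == "POST":
        return "subscribe"
    if path.startswith("/v2/entities"):
        return {"GET": "read", "POST": "create", "PATCH": "update",
                "PUT": "update", "DELETE": "delete"}.get(method)
    return None


def authorize(token, headers, method, path):
    """Return (allowed, reason) for one request."""
    h = {k.lower(): v for k, v in headers.items()}
    service, subservice = h.get("fiware-service"), h.get("fiware-servicepath")
    if service != SERVICE or not subservice:
        return False, "missing or foreign fiware-service / fiware-servicepath"
    user = USERS.get(token)
    if user is None:
        return False, "unknown token"
    action = classify_action(method, path)
    if action is None or action not in ROLE_ACTIONS[user["role"]]:
        return False, f"role {user['role']} may not {action or method}"
    # Providers are confined to the subservice (Keystone project) they own.
    if user["role"] == "dataProvider" and user["subservice"] != subservice:
        return False, "provider does not own this subservice"
    return True, "ok"
```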
