How to configure access control in Orion NGSI API for tenant isolation using Wilma PEP Proxy and IdM Keyrock?


Question

I want to provide access control at the Orion Context Broker NGSI API level to ensure real data isolation. I want to make sure that a tenant can only query/update their contexts and NOT those of another tenant.

To do so, I started by putting an instance of Wilma PEP Proxy in front of Orion Context Broker. Then I configured my own Identity Manager Keyrock GE instance based on the official IdM Keyrock Docker image and my own Authorization PDP GE based on the official AuthzForce Docker image.

After a few days of configuration and many tries, I finally got these three security Generic Enablers working fine, authenticating and authorizing requests to the Orion Context Broker NGSI API using PEP Proxy level 2.

However, level 2 authorization is not enough to ensure what I want, because the service (tenant) and sub-service (application path) information is in the headers of the request, specifically the Fiware-Service and Fiware-ServicePath headers. In order to build header-based authorization policies you need to use level 3: XACML authorization.

The problem is that I did some digging in the official Fiware documentation and could not find any example of an XACML policy. Besides, the official documentation of Wilma PEP Proxy (see here) says that you may have to modify the PEP Proxy source code in order to get this level of authorization:

"As this case is thought to check advanced parameters of the request such as the body or custom headers, it depends on the specific use case. So the programmer should modify the PEP Proxy source code in order to include the specific requirements."

Is that possible?

Do I really have to modify the PEP Proxy source code to achieve something as simple as "a tenant can only access his data"?
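The question above notes that the Wilma documentation leaves header-based (level 3) checks to whoever operates the proxy. The following is an added example of what such a check looks like; it is not part of the original question or answer and is not Wilma's own code, nor does it use Wilma's internal APIs. It takes the lower-cased request headers that Node.js exposes and a per-user grant list (a hypothetical shape, assumed to be built from the roles Keyrock returns when the token is validated) and accepts the request only when the Fiware-Service and every Fiware-ServicePath it names fall inside those grants. The header-value rules it enforces (lower-case alphanumerics and underscore, at most 50 characters per name and per path level, at most 10 levels, comma-separated paths, a trailing `/#` meaning the whole subtree) are this example's own conservative allow-list rather than a restatement of Orion's exact rules, and it fails closed whenever either header is missing or malformed, because Orion would otherwise apply its own defaults.

```javascript
'use strict';

// Added example of a tenant-isolation check at the PEP. Not Wilma's code.
// Allow-lists below are this example's own conservative rules, not Orion's spec.
const SERVICE_RE = /^[a-z0-9_]{1,50}$/;
const PATH_LEVEL_RE = /^[A-Za-z0-9_]{1,50}$/;
const MAX_PATH_LEVELS = 10;

// Parse a Fiware-ServicePath header value into [{path, recursive}, ...].
// Accepts a comma-separated list and a trailing "/#" (subtree) on each entry.
// Returns null for a missing header or any malformed entry, so the caller
// denies instead of guessing what Orion would default the path to.
function parseServicePaths(raw) {
  if (typeof raw !== 'string' || raw.trim() === '') return null;
  const out = [];
  for (const piece of raw.split(',')) {
    const p = piece.trim();
    let recursive = false;
    let body = p;
    if (p.endsWith('/#')) {
      recursive = true;
      body = p.slice(0, -2) || '/'; // "/#" alone means the whole tree
    }
    if (body !== '/') {
      if (!body.startsWith('/') || body.endsWith('/')) return null;
      const levels = body.slice(1).split('/');
      if (levels.length > MAX_PATH_LEVELS) return null;
      if (!levels.every((l) => PATH_LEVEL_RE.test(l))) return null;
    }
    out.push({ path: body, recursive });
  }
  return out;
}

// Does a granted path cover a requested path?
// A recursive grant "/a/#" covers "/a", "/a/b/c" and "/a/#" but not "/ab".
// A non-recursive grant covers exactly its own path and never a subtree request.
function pathCovered(grant, requested) {
  if (grant.recursive) {
    if (grant.path === '/') return true;
    if (requested.path === grant.path) return true;
    return requested.path.startsWith(grant.path + '/');
  }
  return !requested.recursive && requested.path === grant.path;
}

// headers: Node-style object with lower-case header names. Node joins repeated
// headers with ", ", so a repeated Fiware-Service fails SERVICE_RE and is denied.
// grants: hypothetical [{service, paths: [...]}, ...] derived from Keyrock roles.
// Returns {allow, reason}; the tenant comes from the token, never from the header.
function authorizeTenantRequest(headers, grants) {
  const svc = headers['fiware-service'];
  // Fail closed: without Fiware-Service Orion uses its default tenant, which must
  // never be reachable through a tenant-scoped token.
  if (typeof svc !== 'string') return { allow: false, reason: 'missing Fiware-Service' };
  if (!SERVICE_RE.test(svc)) return { allow: false, reason: 'malformed Fiware-Service' };

  const requested = parseServicePaths(headers['fiware-servicepath']);
  if (requested === null) return { allow: false, reason: 'missing or malformed Fiware-ServicePath' };

  const grant = grants.find((g) => g.service === svc);
  if (!grant) return { allow: false, reason: 'no grant for service ' + svc };

  // Parse granted paths with the same rules; malformed grants are simply ignored.
  const allowedPaths = [];
  for (const p of grant.paths) {
    const parsed = parseServicePaths(p);
    if (parsed !== null) allowedPaths.push(...parsed);
  }

  // Every requested path must be covered, since one query may name several.
  for (const req of requested) {
    if (!allowedPaths.some((g) => pathCovered(g, req))) {
      return { allow: false, reason: 'path ' + req.path + (req.recursive ? '/#' : '') + ' not granted in ' + svc };
    }
  }
  return { allow: true, reason: 'ok' };
}

// Constructed sample: a user whose Keyrock roles were mapped to one tenant and
// two service paths, and a request the check should accept.
const sampleGrants = [{ service: 'tenant_a', paths: ['/smartcity/#', '/lab'] }];
const sampleHeaders = { 'fiware-service': 'tenant_a', 'fiware-servicepath': '/smartcity/parking' };
console.log(authorizeTenantRequest(sampleHeaders, sampleGrants));
```

In a proxy this runs after token validation and before the request is forwarded: any `allow: false` becomes a 403 without ever reaching Orion. The grant list must be built from what the identity provider says about the token's owner; the headers themselves are attacker-controlled input and are only ever compared against those grants.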

Solution

Very good question. There are alternative GEis that perfectly support the use cases you are referring to. Please check this presentation:

https://es.slideshare.net/FI-WARE/building-your-own-iot-platform-using-fiware-geis

Thanks, best
