WSO2 API Manager and XACML Entitlement


Problem description

I'm investigating the possibility to use WSO2 API Manager 1.0 for creating an API Store to be used internally in my company; and I'm trying to figure out if it fits all requirements.

In particular I would like to understand if it is possible to use a mechanism of entitlement of the API access based on XACML policies: I found several articles describing how to implement "XACML Fine Grained Authorization" using the WSO2 ESB and the WSO2 IS.

So my question is if it is possible (and how) to configure the WSO2 API Manager to enforce the API access using XACML policies or, alternatively, how it is possible to configure it to use WSO2 IS as entitlement service (as API Manager seems to be pretty much based on ESB).

Thanks!

Recommended answer

It is not possible to configure WSO2 API Manager to work as an XACML engine, but certainly you can configure it to be a Policy Enforcement Point (PEP) that communicates with WSO2 Identity Server (IS) which will act as the Policy Decision Point (PDP/XACML engine) and retrieve authorization decisions.

As you pointed out the WSO2 API Manager gateway is based on WSO2 Enterprise Service Bus (ESB). In the ESB, policy enforcement is achieved by adding an Entitlement Mediator to the inSequence (as you must have come across in the articles you mentioned). The way to do policy enforcement in the API Manager will be more or less the same.

However, currently there is no UI support to add mediators to sequences in WSO2 API Manager. So you will have to edit the configuration file using the source view in the WSO2 API Manager Management Console UI. An easier way of doing it would be to first try adding an entitlement mediator using the Management Console UI in the WSO2 ESB and then copy-n-paste the relevant configuration from its source view into the api elements' inSequence in the WSO2 API Manager.

There is also a concept called api handlers which can be engaged at the API level. This could be useful to you if you think the default entitlement mediator is not enough/suitable for your requirement. The advantage in this approach would be that you have the flexibility of writing a custom PEP with any logic and putting it into the request flow, however the flip side of it is you have to write your own code.
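
The configuration approach described in the answer, sketched as an added example that is not part of the original answer or of WSO2's own documentation. The API name, context, host names, service account and password are placeholders, and the `entitlementService` attribute names are the ones the ESB entitlement mediator is assumed to use; confirm them by copying the mediator from the ESB source view as the answer suggests.

```xml
<!-- Added illustration; every name, URL and credential here is a placeholder. -->
<api xmlns="http://ws.apache.org/ns/synapse"
     name="ExampleAPI" context="/example">
  <resource methods="GET" url-mapping="/*">
    <inSequence>
      <!-- PEP step: ask the WSO2 IS PDP for a XACML decision before the
           request is forwarded. Place it first so that nothing reaches
           the backend without a decision. -->
      <entitlementService
          remoteServiceUrl="https://is.example.internal:9443/services/"
          remoteServiceUserName="PEP_SERVICE_ACCOUNT"
          remoteServicePassword="PLACEHOLDER_PASSWORD"/>
      <!-- Only reached when the mediator lets the message continue. -->
      <send>
        <endpoint>
          <address uri="http://backend.example.internal:8080/example"/>
        </endpoint>
      </send>
    </inSequence>
    <outSequence>
      <send/>
    </outSequence>
  </resource>
  <!-- Leave any <handlers> element already present in the API
       definition unchanged. -->
</api>
```

Use a dedicated, minimally privileged account for the PEP-to-PDP call rather than an administrator login, and keep the PDP URL on HTTPS, since the credentials sit in the gateway configuration in clear text.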
