How to achieve security level 3 in FIWARE?

Problem description

I am deploying FIWARE security GEs (i.e., Wilma, AuthzForce, Keyrock) on my computer. Security level 2 (Basic Authorization) is working well, but now I need security level 3 (Advanced Authorization) using XACML.

Long story short, I want a tutorial on implementing security level 3. However, as far as I know, no tutorial or document about security level 3 exists.

For now, I create my policy with PAP's API, and change the 'custom_policy' option in config.js from 'undefined' to 'policy.js'. Then I create the 'policy.js' file in 'PEP/policies', but don't change anything compared with its template file because I don't know what this code does exactly. I think I should build the XACML Request using the 'xml' variable. But in my case, PEP gives me an error when I make the XACML Request using the 'xml' variable and return this variable. Here is my PEP error:

Error: Root - Error in AZF communication <?xml version="1.0" encoding="UTF-8" standalone="yes"?><error xmlns="http://authzforce.github.io/rest-api-model/xmlns/authz/S" xmlns:ns2="http://www.w3.org/2005/Atom" xmlns:ns3="http://authzforce.github.io/core/xmlns/pdp/5.0" xmlns:ns4="http://authzforce.github.io/pap-dao-flat-file/xmlns/properties/3.6"><message>Invalid parameters: cvc-elt.1: Cannot find the declaration of element 'Request'.</message></error>

And here is my 'getPolicy' code (XACML Request) in policy.js. I just made a very simple request to see whether the response is permit or not, because I'm not sure what I'm doing at that time:

exports.getPolicy = function (roles, req, app_id) {
    var xml = xmlBuilder.create('Request', {
            'xmlns': 'urn:oasis:names:tc:xacml:3.0:core:schema:wd-17',
            'CombinedDecision': 'false',
            'ReturnPolicyIdList': 'false'})
    .ele('Attributes', {
            'Category': 'urn:oasis:names:tc:xacml:1.0:subject-category:access-subject'});

So, can anyone give me any information about implementing security level 3?

Recommended answer

Upgrade to Wilma 6.2 (bug fixing).

Reuse the code from lib/azf.js which is known to work, and adapt the Request content to your needs. The variable is wrongly called XACMLPolicy there, but don't be mistaken, this is an actual XACML Request. This is using xml2json package to convert the JSON to XML, whereas in your code you seem to use a different one, xmlbuilder maybe? You didn't paste the full code - where does this xmlBuilder variable come from? - so I'm just guessing.

If you are indeed using xmlbuilder package and want to stick with it, I notice that in the example using namespaces, the xmlns attribute is put in a different way:

var xmlBuilder = require('xmlbuilder');

// Set the namespace and the other Request attributes with .att(name, value)
var xml = xmlBuilder.create('Request', { encoding: 'utf-8' })
.att('xmlns', 'urn:oasis:names:tc:xacml:3.0:core:schema:wd-17')
.att('CombinedDecision', 'false')
.att('ReturnPolicyIdList', 'false')
.ele('Attributes', {'Category': 'urn:oasis:names:tc:xacml:1.0:subject-category:access-subject'});

Maybe this makes a difference, I didn't check.

Also feel free to create an issue with your question on Wilma's github to get help from the dev team. (I am not one of them but we've worked together for AuthzForce integration.)
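
A Request root that is not in the XACML 3.0 namespace is one way to get the `cvc-elt.1: Cannot find the declaration of element 'Request'` error shown in the question. The following is an added example, not code from the original post or from Wilma: a dependency-free builder for a minimal XACML 3.0 Request that escapes request-derived values, plus a pre-flight check of the root element. Assumptions: `roles` is an array of role-id strings, `req` has `method` and `path`, and `ID_PATH` is a hypothetical attribute id.

```javascript
// Added example (not Wilma's code). Assumed inputs: roles = array of role-id
// strings, req = { method, path }, appId = string.
const XACML_NS = 'urn:oasis:names:tc:xacml:3.0:core:schema:wd-17';
const CAT_SUBJECT = 'urn:oasis:names:tc:xacml:1.0:subject-category:access-subject';
const CAT_RESOURCE = 'urn:oasis:names:tc:xacml:3.0:attribute-category:resource';
const CAT_ACTION = 'urn:oasis:names:tc:xacml:3.0:attribute-category:action';
const ID_ROLE = 'urn:oasis:names:tc:xacml:2.0:subject:role';
const ID_RESOURCE = 'urn:oasis:names:tc:xacml:1.0:resource:resource-id';
const ID_ACTION = 'urn:oasis:names:tc:xacml:1.0:action:action-id';
const ID_PATH = 'urn:example:resource:path'; // hypothetical id, match your policy

// Escape text so request data (path, method) cannot inject XML markup
// into the authorization request sent to the PDP.
function escapeXml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// One string-typed <Attribute> with a single escaped value.
function attribute(id, value) {
  return '<Attribute AttributeId="' + id + '" IncludeInResult="false">' +
    '<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">' +
    escapeXml(value) + '</AttributeValue></Attribute>';
}

function attributes(category, inner) {
  return '<Attributes Category="' + category + '">' + inner + '</Attributes>';
}

// Same argument order as the getPolicy(roles, req, app_id) in the question.
function buildXacmlRequest(roles, req, appId) {
  return '<?xml version="1.0" encoding="UTF-8"?>' +
    '<Request xmlns="' + XACML_NS + '" CombinedDecision="false"' +
    ' ReturnPolicyIdList="false">' +
    attributes(CAT_SUBJECT, roles.map((r) => attribute(ID_ROLE, r)).join('')) +
    attributes(CAT_RESOURCE,
      attribute(ID_RESOURCE, appId) + attribute(ID_PATH, req.path)) +
    attributes(CAT_ACTION, attribute(ID_ACTION, req.method)) +
    '</Request>';
}

// Pre-flight check before sending to the PDP: the root element must be
// <Request> and must declare the XACML 3.0 namespace.
function rootIsXacmlRequest(xml) {
  const m = /<Request(\s[^>]*)?>/.exec(xml);
  return m !== null && (m[1] || '').includes('xmlns="' + XACML_NS + '"');
}
```

Running `rootIsXacmlRequest` on the string returned by a custom `getPolicy` before it is sent makes a dropped namespace visible in the PEP itself rather than as a schema error from AuthzForce.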
