[Backlogmanager] [FIWARE-JIRA] (HELP-8681) [fiware-stackoverflow] Fiware: How to restrict user access to specific entity for Orion Context Broker API using keystone & keypass

Fernando Lopez (JIRA) jira-help-desk at jira.fiware.org
Thu May 11 09:16:00 CEST 2017


     [ https://jira.fiware.org/browse/HELP-8681?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Fernando Lopez reassigned HELP-8681:
------------------------------------

    Assignee: Fermín Galán

> [fiware-stackoverflow] Fiware: How to restrict user access to specific entity for Orion Context Broker API using keystone & keypass
> ---------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HELP-8681
>                 URL: https://jira.fiware.org/browse/HELP-8681
>             Project: Help-Desk
>          Issue Type: Monitor
>          Components: FIWARE-TECH-HELP
>            Reporter: Backlog Manager
>            Assignee: Fermín Galán
>              Labels: fiware, keystone
>
> Created question in FIWARE Q/A platform on 10-05-2017 at 20:05
> {color: red}Please, ANSWER this question AT{color} http://stackoverflow.com/questions/43900428/fiware-how-to-restrict-user-access-to-specific-entity-for-orion-context-broker
> +Question:+
> Fiware: How to restrict user access to specific entity for Orion Context Broker API using keystone & keypass
> +Description:+
> First of all, I'm using the Telefonica implementations of Identity Manager, Authorization PDP and PEP Proxy, instead of the Fiware reference implementations which are Keyrock, AuthZForce and Wilma PEP Proxy. The source code and reference documentation of each component can be found in the following GitHub repos:
> Telefonica keystone-spassword:
> GitHub /telefonicaid/fiware-keystone-spassword
> Telefonica keypass:
> GitHub /telefonicaid/fiware-keypass
> Telefonica PEP-Proxy:
> GitHub /telefonicaid/fiware-pep-steelskin
> Besides, I'm working with my own in-house installation of the components, NO Fi-Lab. In addition to security components, I've an IoT Agent-UL instance and an Orion Context Broker instance. 
> Starting from that configuration, I've created a domain in keystone (Fiware-Service) and a project inside the domain (Fiware-ServicePath). Then I've one device connected to the platform, sending data to the IoT Agent behind the PEP Proxy. The whole device message is represented as a single Entity in Orion Context Broker.
> So, the question is:
> How can I restrict a specific keystone user to access only to the entity associated to this device, at the level of the Orion Context Broker API?
> I know that I can allow/deny user access to specific API via keystone Roles and XACML Policies but that implies that I should create one Policy per User-Device pair.
> I could use some help with this, to know if I'm on the right way.



--
This message was sent by Atlassian JIRA
(v6.4.1#64016)
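Editor's worked example (added here; not part of the JIRA ticket, the StackOverflow question, or any of the Telefonica components' own policy files). It makes concrete what the "one Policy per User-Device pair" approach the question describes looks like as a single XACML 3.0 policy: one rule that permits only when the subject carries a given role, the resource is the device's entity, and the action is a read. The role name, the resource-id value and the action value are assumptions chosen for illustration; which attribute IDs and value formats fiware-pep-steelskin actually puts into the request it sends to Keypass, and in particular whether the entity ID is forwarded at all, is exactly what needs to be checked (for instance by logging one request at the PDP) before a policy like this can be expected to match.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative XACML 3.0 policy (added example, not from Keypass or
     pep-steelskin). Assumptions, not confirmed against the components:
       - the PEP sends the user's Keystone role as the standard
         urn:oasis:names:tc:xacml:2.0:subject:role attribute
       - the PEP sends the Orion entity as resource-id, here "Device001"
       - the PEP names the operation "read" in action-id
     Everything not explicitly permitted below is denied
     (deny-unless-permit), so the policy fails closed. -->
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="device001-owner-read-only"
        Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
  <Description>
    Users holding the (assumed) role "device001-owner" may read the entity
    "Device001" and nothing else. One such policy per user-device pair.
  </Description>
  <!-- Empty Target: the policy applies to every request; the Rule decides. -->
  <Target/>
  <Rule RuleId="permit-read-own-entity" Effect="Permit">
    <Target>
      <AnyOf>
        <!-- All three matches must hold for the Permit to apply. -->
        <AllOf>
          <!-- Subject: the Keystone role mapped to this user (assumed name). -->
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">device001-owner</AttributeValue>
            <AttributeDesignator
                Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                DataType="http://www.w3.org/2001/XMLSchema#string"
                MustBePresent="false"/>
          </Match>
          <!-- Resource: the single Orion entity for this device (assumed value). -->
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Device001</AttributeValue>
            <AttributeDesignator
                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                DataType="http://www.w3.org/2001/XMLSchema#string"
                MustBePresent="false"/>
          </Match>
          <!-- Action: read only; updates/deletes fall through to Deny. -->
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
            <AttributeDesignator
                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                DataType="http://www.w3.org/2001/XMLSchema#string"
                MustBePresent="false"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
  </Rule>
</Policy>
```

The structure shows why the approach scales poorly: every user-device pair needs its own role plus its own policy with the entity ID baked in, and a user who legitimately owns several devices needs the AllOf block repeated per entity. If the PEP does not forward the entity ID in the request at all, the resource match above can never succeed and the entity-level restriction has to be enforced somewhere else (for example by service path separation, which the question's domain/project setup already maps onto); checking the actual request the PEP emits is the first step either way.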

