Hi Kirstie,

I already answered this question in the Help desk question you opened.

BR
--
Álvaro

> On 11 Jul 2016, at 11:12, Kirstie Patenaude <k.patenaude at itude.com> wrote:
>
> Dear Sirs,
>
> We have the current architecture:
> Own Keyrock instance (server 1) - Ubuntu
> Orion ContextBroker service (running on server 2) - CentOS
> PEP Proxy that redirects to our own API (server 2) - CentOS
>
> It is currently possible to make HTTP calls such as DELETE attribute/entity directly to the Context Broker using any API testing tool, such as Postman. We want to prohibit this.
>
> We have some trouble understanding how to go about this.
>
> This is what we think needs to be done:
> Create a PEP Proxy for the ContextBroker app in Idm
> Configure a PEP Proxy on server 2 (and run it next to the current PEP Proxy that we already have)
> Create a new role and permission (HTTP verb and resource URL) in the PEP Proxy for ContextBroker
> Link the two (this is by default not possible; however, the individual role and permission are created in the Keystone database)
> Assign the role to a user (or perhaps an organization?)
> Install and configure an AuthZForce server which deals with the configured permissions in Idm and transforms them to XACML
>
> We would like to know if this is the correct way to achieve prohibiting certain calls to the Context Broker.
>
> Our questions are:
> How can we run a second PEP Proxy next to our already existing PEP Proxy on the same server? PEP Proxy 1 is configured in config.js and PEP Proxy 2 (for the Context Broker) is configured in config_context_broker.js (see config file attached to this e-mail)
> Does Idm already have a default AuthZForce server? If so, how can we activate it?
> Why can't we link a role to a permission in the user interface (perhaps this is because the AuthZForce server is not yet implemented?)
> How can we configure the PEP Proxy for ContextBroker to work with AuthZForce?
> How can we configure AuthZForce?
> How can we prohibit certain calls for non-FIWARE users (random people that make the calls)? Are the rules only applicable to FIWARE users?
>
> Hopefully you guys can shed some light on the situation or forward this e-mail to the relevant contact person responsible for PEP Proxy, Orion Context Broker or AuthZForce. We hope you will get back to us ASAP. Thanks in advance. I also attached an example of a call that can be made to our Context Broker to change data.
>
> Kind regards,
>
> Kirstie Patenaude
> Mobile Software Engineer
>
> Lageweg 2
> 3703 CA Zeist
> Mob: +31(0)6 51 13 56 18
> Tel. reception: +31(0)30 699 70 20
> Mail: k.patenaude at itude.com <mailto:k.patenaude at itude.com>
>
> www.itude.com <http://www.itude.com/> K.v.K. 30146090
> <contextBroker_Pep_config.rtf><Append_call_example.rtf>
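An added illustration, not code from this thread, from Keyrock or from the PEP proxy project, of the authorization model the steps in the quoted message describe: a permission is an HTTP verb plus a resource path, roles bundle permissions, the role is assigned to a user, and the proxy denies anything it cannot match. The policy, the token-to-role table, the entity paths and the status codes are constructed for this example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    """A Keyrock-style permission: one HTTP verb plus a regex over the path."""
    verb: str
    resource: str


# Constructed sample policy (not from the thread): role -> permissions.
ROLE_PERMISSIONS = {
    "cb-reader": [Permission("GET", r"^/v2/entities(/.*)?$")],
    "cb-admin": [
        Permission("GET", r"^/v2/entities(/.*)?$"),
        Permission("POST", r"^/v2/entities$"),
        Permission("DELETE", r"^/v2/entities/[^/]+(/attrs/[^/]+)?$"),
    ],
}

# Constructed token -> roles table; stands in for the proxy's lookup of the
# caller's X-Auth-Token against the IdM. Unknown tokens are simply absent.
TOKEN_ROLES = {
    "tok-alice": ["cb-reader"],
    "tok-bob": ["cb-admin"],
}


def is_permitted(token, verb, path):
    """True only if some role held by the token grants this verb on this path.

    Deny by default: a missing token, an unknown token, or roles with no
    matching permission all return False. That default is what keeps
    anonymous callers (the "non-FIWARE users" of the question) from deleting
    entities or attributes through the proxy.
    """
    for role in TOKEN_ROLES.get(token, []):
        for perm in ROLE_PERMISSIONS.get(role, []):
            if perm.verb == verb.upper() and re.match(perm.resource, path):
                return True
    return False


def decide(token, verb, path):
    """PEP-style decision as an HTTP status (codes chosen for this example)."""
    if token not in TOKEN_ROLES:
        return 401  # not a known user: refuse before any policy lookup
    return 200 if is_permitted(token, verb, path) else 403
```

The same check is what a direct call to the broker's port bypasses, so the broker itself must only be reachable from the proxy for the model to hold.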