[ https://jira.fiware.org/browse/HELP-6964?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=54192#comment-54192 ]

Fernando Lopez edited comment on HELP-6964 at 9/24/19 8:41 AM:
---------------------------------------------------------------

Dear sirs,

Thank you for your response. I have changed the url like so:

    # ACCESS CONTROL GE
    ACCESS_CONTROL_URL = 'http://idm.dev.babbler.io:8080'
    ACCESS_CONTROL_MAGIC_KEY = None

And changed the contents of policy_properties.xacml to this:

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <pdpPropertiesUpdate xmlns="http://authzforce.github.io/rest-api-model/xmlns/authz/5">
      <rootPolicyRefExpression>{{ policy_id }}</rootPolicyRefExpression>
    </pdpPropertiesUpdate>

And have restarted IDM afterwards. Next I do the following:

* Create a new role in IDM
* Create a permission, filling in the HTTP Action (DELETE) and Resource (/test/bla)
* Add the permission to the role
* Press SAVE

However, I still see only the exact same default domain "A0bdIbmGEeWhFwcKrC9gSQ" with only the default permit-all policy in http://idm.dev.babbler.io:8080/authzforce-ce/domains/A0bdIbmGEeWhFwcKrC9gSQ/pap/policies/root/0.1.0:

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <ns3:PolicySet xmlns="http://authzforce.github.io/core/xmlns/pdp/3.6"
        xmlns:ns2="http://www.w3.org/2005/Atom"
        xmlns:ns3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        xmlns:ns4="http://authzforce.github.io/rest-api-model/xmlns/authz/5"
        xmlns:ns5="http://authzforce.github.io/pap-dao-flat-file/xmlns/properties/3.6"
        PolicySetId="root" Version="0.1.0"
        PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
      <ns3:Target/>
      <ns3:Policy PolicyId="permit-all" Version="0.1.0"
          RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
        <ns3:Target/>
        <ns3:Rule RuleId="permit-all" Effect="Permit"/>
      </ns3:Policy>
    </ns3:PolicySet>

We still have not seen any sign that the connection between IDM and AuthZForce is working.

Kind regards,

Emiel Bon MSc
Software Engineer
Lageweg 2
3703 CA Zeist
■ mob +31(0) 6 29 20 95 40
■ mail e.bon at itude.com <mailto:e.prins at itude.com>
www.itude.com <http://www.itude.com/>
■ K.v.K. 30146090
_____________________________________________________________________________
***A disclaimer applies to this e-mail. Its contents can be read on our website***

> On 3 Aug 2016, at 15:05, Help-Desk <jira-help-desk at fi-ware.org> wrote:
>
> FIWARE.Request.Tech.Security.AuthorizationPDP.Securing verbs via the PEP proxy
> ------------------------------------------------------------------------------
>
>                 Key: HELP-6964
>                 URL: https://jira.fiware.org/browse/HELP-6964
>             Project: Help-Desk
>          Issue Type: extRequest
>          Components: FIWARE-TECH-HELP
>            Reporter: FW External User
>            Assignee: Alvaro Alonso
>         Attachments: 2016-09-05 08_57_48.486 21 INFO eventlet.wsgi.txt, Logs IDM_Horizon after creating permission_HTTP.txt rule in IDM, ParseError at _idm_myApplications_fdae7d987c6a435188a2200e31cac4db_edit_roles_.html
>
>
> Hello,
> We would like to secure our ContextBroker so POSTS are allowed, but a
> DELETE isn't. We've asked you about this and you've said we should do the
> following:
> > * You can configure as many PEPs as you want. You have only to modify the
> >   listening port.
> > * You can configure an AuthZForce in
> >   https://github.com/ging/horizon/blob/master/openstack_dashboard/local/local_settings.py.example#L629.
> >   You only need to configure the URL in which it is listening
> > * To configure PEP to work with AuthZForce you have to use the Level 2 of
> >   security. Here you will find tutorials about this:
> >   https://edu.fiware.org/course/view.php?id=131
> We've tried this, but we've had the following problems:
> - If we pull the docker image of
>   fiware/authzforce-ce-server:release-5.4.0 or release-5.3.0a, the image
>   starts, but shuts down after a few seconds after which the logs state that
>   tomcat 7 can't be started.
> - When we run fiware/authzforce-ce-server:release-4.4.1b, we get a
>   tomcat with no webapp in the webapps directory other than the default
>   stuff.
> - Performing a manual installation using this guide
>   <http://authzforce-ce-fiware.readthedocs.io/en/release-5.3.0a/InstallationAndAdministrationGuide.html#installation>
>   will have the same result.
> In your previous mail, it is stated that we need AuthZForce. However,
> Keypass seems to do something similar. Can you explain the difference?
> Can you help us with this?

--
This message was sent by Atlassian JIRA
(v6.4.1#64016)
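
The check described in the message above (is the domain's root policy set still the default permit-all?), as an added example that is not part of the original message or of the IDM or AuthZForce code: it parses a root PolicySet and lists the Permit rules that no Target or Condition restricts, which under deny-unless-permit means a DELETE is permitted as well. `POST_ONLY_ROOT` is a constructed sample, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

X = "{urn:oasis:names:tc:xacml:3.0:core:schema:wd-17}"  # XACML 3.0 namespace

# Root policy set quoted in the message, reduced to the one namespace it uses.
DEFAULT_ROOT = """<ns3:PolicySet xmlns:ns3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
  PolicySetId="root" Version="0.1.0" PolicyCombiningAlgId=
  "urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
 <ns3:Target/>
 <ns3:Policy PolicyId="permit-all" Version="0.1.0" RuleCombiningAlgId=
   "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
  <ns3:Target/>
  <ns3:Rule RuleId="permit-all" Effect="Permit"/>
 </ns3:Policy>
</ns3:PolicySet>"""

# Constructed sample (not from the page): the rule only matches action-id POST.
STR = "http://www.w3.org/2001/XMLSchema#string"
POST_ONLY_ROOT = DEFAULT_ROOT.replace(
    '<ns3:Rule RuleId="permit-all" Effect="Permit"/>',
    '<ns3:Rule RuleId="post-only" Effect="Permit"><ns3:Target><ns3:AnyOf><ns3:AllOf>'
    '<ns3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">'
    f'<ns3:AttributeValue DataType="{STR}">POST</ns3:AttributeValue>'
    '<ns3:AttributeDesignator MustBePresent="true" '
    'Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" '
    f'AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="{STR}"/>'
    '</ns3:Match></ns3:AllOf></ns3:AnyOf></ns3:Target></ns3:Rule>')

def matches_everything(elem):
    """An absent or empty <Target> (no <AnyOf>) applies to every request."""
    target = elem.find(X + "Target")
    return target is None or target.find(X + "AnyOf") is None

def blanket_permits(root_xml):
    """(PolicyId, RuleId) of each Permit rule in the root's direct child policies
    that no Target or Condition restricts. Feed it only XML from your own PAP."""
    root = ET.fromstring(root_xml.encode("utf-8"))
    if not matches_everything(root):
        return []
    return [(p.get("PolicyId"), r.get("RuleId"))
            for p in root.findall(X + "Policy") if matches_everything(p)
            for r in p.findall(X + "Rule")
            if r.get("Effect") == "Permit" and matches_everything(r)
            and r.find(X + "Condition") is None]

if __name__ == "__main__":
    print(blanket_permits(DEFAULT_ROOT))    # the root from the message
    print(blanket_permits(POST_ONLY_ROOT))  # the constructed, restricted root
```

A non-empty result for the XML returned by the domain's `pap/policies/root/<version>` URL means the policy in force is still an unrestricted permit, so the role and permission saved in IDM have not reached AuthZForce.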