[Fiware-tech-help] [FIWARE-JIRA] (HELP-6964) FIWARE.Request.Tech.Security.AuthorizationPDP.Securing verbs via the PEP proxy

Fernando Lopez (JIRA) jira-help-desk at jira.fiware.org
Tue Sep 24 09:50:00 CEST 2019


    [ https://jira.fiware.org/browse/HELP-6964?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=55426#comment-55426 ] 

Fernando Lopez edited comment on HELP-6964 at 9/24/19 8:49 AM:
---------------------------------------------------------------

Dear Ilknur, dear FInish FIWARE coach(es),

one of the FInish teams has an issue with securing Orion using AuthZForce (see the two parts marked in green below).
In short they want to prevent DELETE calls to Orion by implementing permissions/rules.

I’m not sure whether using AuthZForce is the correct approach anyway, since only Wilma is mentioned in the Orion documentation:
http://fiware-orion.readthedocs.io/en/develop/user/security/

Do you have any advice?



was (Author: fw.external.urser):
Comment by einramhof at atb-bremen.de : 

Dear Ilknur, dear FInish FIWARE coach(es),

one of the FInish teams has an issue with securing Orion using AuthZForce (see the two parts marked in green below).
In short they want to prevent DELETE calls to Orion by implementing permissions/rules.

I’m not sure whether using AuthZForce is the correct approach anyway, since only Wilma is mentioned in the Orion documentation:
http://fiware-orion.readthedocs.io/en/develop/user/security/

Do you have any advice?

Kind regards,
Peter on behalf of FInish.



***FROM ONE OF THE PREVIOUS EMAILS***
We are really struggling to secure the ContextBroker to prevent DELETE
calls. So much that this has become an impediment to successfully finish
our sprint.


From: Simon Vos [mailto:s.vos at itude.com]
Sent: Monday, 19 September 2016 15:23
To: Peter Einramhof <einramhof at atb-bremen.de>
Cc: FInish-Technology at FInish-Project.eu
Subject: Re: [FInish-Technology] Help on issue HELP-6964

Dear Peter,

We have also sent an email to FIWARE JIRA (Alvaro Alonso is involved here).
Indeed we are trying to use HORIZON/IDM to implement HTTP verb rules to secure the ContextBroker by allowing specific calls to the ContextBroker.
Creating the rules still fails.
We have not yet tried to implement this by adding an extra PEP-Proxy.

Summary until now:

- We installed the AuthZForce service on our IDM instance
- We tried to create HTTP verb rules (permission) in IDM.
- In IDM we see that the permission has been successfully created
- Linking a role to this permission has succeeded as well.
- However this permission is not visible in AuthZForce when doing a call using a request-tool
- In the IDM log we saw a message stating “…failed to create policy in AuthZForce…”.

Hope you will be able to help us further quickly.
If you will need more information, please reply.


Kind regards,

Simon Vos


Arthur van Schendelstraat 650
3511 MJ Utrecht
■ mob +31(0) 6 21 49 93 82
■ tel receptie +31(0)30 699 70 20
■ mail s.vos at itude.com
■ linkedIn linkedin.com/in/simonvos


www.itude.com ■ K.v.K. 30146090



> FIWARE.Request.Tech.Security.AuthorizationPDP.Securing verbs via the PEP proxy
> ------------------------------------------------------------------------------
>
>                 Key: HELP-6964
>                 URL: https://jira.fiware.org/browse/HELP-6964
>             Project: Help-Desk
>          Issue Type: extRequest
>          Components: FIWARE-TECH-HELP
>            Reporter: FW External User
>            Assignee: Alvaro Alonso
>         Attachments: 2016-09-05 08_57_48.486 21 INFO eventlet.wsgi.txt, Logs IDM_Horizon after creating permission_HTTP.txt rule in IDM, ParseError at _idm_myApplications_fdae7d987c6a435188a2200e31cac4db_edit_roles_.html
>
>
> Hello,
> We would like to secure our ContextBroker so POSTS are allowed, but a
> DELETE isn't. We've asked you about this and you've said we should do the
> following:
> > * You can configure as many PEPs as you want. You have only to modify the
> > listening port.
> > * You can configure an AuthZForce in
> > https://github.com/ging/horizon/blob/master/openstack_dashboard/local/local_settings.py.example#L629.
> > You only need to configure the URL in which it is listening
> > * To configure PEP to work with AuthZForce you have to use the Level 2 of
> > security. Here you will find tutorials about this:
> > https://edu.fiware.org/course/view.php?id=131
> We've tried this, but we've had the following problems:
>    - If we pull the docker image of
>    fiware/authzforce-ce-server:release-5.4.0 or release-5.3.0a, the image
>    starts, but shuts down after a few seconds after which the logs state that
>    tomcat 7 can't be started.
>    - When we run fiware/authzforce-ce-server:release-4.4.1b, we get a
>    tomcat with no webapp in the webapps directory other than the default
>    stuff.
>    - Performing a manual installation using this guide
>    <http://authzforce-ce-fiware.readthedocs.io/en/release-5.3.0a/InstallationAndAdministrationGuide.html#installation>
>    will have the same result.
> In your previous mail, it is stated that we need AuthZForce. However,
> Keypass seems to do something similar. Can you explain the difference?
> Can you help us with this?



--
This message was sent by Atlassian JIRA
(v6.4.1#64016)

