AuthZForce-PEP-IDM 即使用户没有特定资源的权限也始终允许访问
AuthZForce-PEP-IDM Always allow access even when user doesnt have permission for specific resource
我创建了用户,只给了他一个角色。(会员)
目前此角色没有任何 Http 动词或路径的权限。
这是我的用户:
{
organizations: [1]
0: {
website: ""
description: "AREAS"
roles: [1]
0: {
name: "Member"
id: "09dc1bdba42c48de9e15e88816284cbc"
}-
-
enabled: true
id: "363ac390cfc94aa293e02547afa78256"
domain_id: "default"
name: "AREAS"
}-
-
displayName: "root"
roles: [0]
app_id: "aea8f4a70b87422cb48068db9f0c6aea"
email: "root"
id: "root"
}
现在,当我尝试对地址执行 GET 请求时:http://localhost/parameters/search_tables/
该用户没有权限,
尽管如此,它仍允许我访问并重定向我。
这是来自 pep 代理的日志:
2015-11-13 14:55:53.446 - INFO: IDM-Client - Checking token with IDM...
2015-11-13 14:55:53.484 - INFO: AZF-Client - Checking auth with AZF...
2015-11-13 14:55:53.484 - INFO: AZF-Client - Checking authorization
to roles [ '09dc1bdba42c48de9e15e88816284cbc' ] to do GET
on parameters/search_tables/ and app aea8f4a70b87422cb48068db9f0c6aea
2015-11-13 14:55:53.508 - INFO: Root - Access-token OK. Redirecting to app...
Refused to set unsafe header "accept-encoding"
Refused to set unsafe header "cookie"
我的授权配置文件是:
config.azf = {
enabled: true,
host: '192.168.4.180',
port: 8080,
path: '/authzforce/domains/afb096b2-8951-11e5-980f-6bf3c4dac98a/pdp'
};
config.public_paths = [];
config.tokens_engine = 'oauth2';
我的 Pap 政策是:
<PolicySet PolicySetId="default" Version="1.0"
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.1:policy-combining-
algorithm:ordered-permit-overrides">
<Target />
<Policy PolicyId="permit-all" Version="1.0"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.1:rule-combining-
algorithm:ordered-permit-overrides">
<Target />
<Rule RuleId="permit-all" Effect="Permit" />
</Policy>
</PolicySet>
我应该如何制定我的 PAP 策略以启用授权级别 2,仅使用 http 动词和资源路径进行授权?
默认情况下,Authzforce PAP 在未添加策略时允许所有。检查您的 PAP 是否有正确的信息:
GET
/domains/{domainId}/pap/policySet
编辑 1:
为了能够连接到 Authzforce,您需要将一些 Authzforce 参数配置到您的 IdM 实例中:
ACCESS_CONTROL_URL 在 fiware-idm/horizon/openstack_dashboard/local/local_settings.py
和ACCESS_CONTROL_MAGIC_KEY 在 fiware-idm/horizon/openstack_dashboard/local/local_settings.py
然后,进入IdM,检查权限和角色是否配置好。有时,您必须 'trigger' IdM 中的策略生成,方法是转到您的应用程序 -> 管理角色,然后只需单击 'save' 即可触发 XACML 生成。
我创建了用户,只给了他一个角色。(会员) 目前此角色没有任何 Http 动词或路径的权限。 这是我的用户:
{
organizations: [1]
0: {
website: ""
description: "AREAS"
roles: [1]
0: {
name: "Member"
id: "09dc1bdba42c48de9e15e88816284cbc"
}-
-
enabled: true
id: "363ac390cfc94aa293e02547afa78256"
domain_id: "default"
name: "AREAS"
}-
-
displayName: "root"
roles: [0]
app_id: "aea8f4a70b87422cb48068db9f0c6aea"
email: "root"
id: "root"
}
现在,当我尝试对地址执行 GET 请求时:http://localhost/parameters/search_tables/ 该用户没有权限, 尽管如此,它仍允许我访问并重定向我。 这是来自 pep 代理的日志:
2015-11-13 14:55:53.446 - INFO: IDM-Client - Checking token with IDM...
2015-11-13 14:55:53.484 - INFO: AZF-Client - Checking auth with AZF...
2015-11-13 14:55:53.484 - INFO: AZF-Client - Checking authorization
to roles [ '09dc1bdba42c48de9e15e88816284cbc' ] to do GET
on parameters/search_tables/ and app aea8f4a70b87422cb48068db9f0c6aea
2015-11-13 14:55:53.508 - INFO: Root - Access-token OK. Redirecting to app...
Refused to set unsafe header "accept-encoding"
Refused to set unsafe header "cookie"
我的授权配置文件是:
config.azf = {
enabled: true,
host: '192.168.4.180',
port: 8080,
path: '/authzforce/domains/afb096b2-8951-11e5-980f-6bf3c4dac98a/pdp'
};
config.public_paths = [];
config.tokens_engine = 'oauth2';
我的 Pap 政策是:
<PolicySet PolicySetId="default" Version="1.0"
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.1:policy-combining-
algorithm:ordered-permit-overrides">
<Target />
<Policy PolicyId="permit-all" Version="1.0"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.1:rule-combining-
algorithm:ordered-permit-overrides">
<Target />
<Rule RuleId="permit-all" Effect="Permit" />
</Policy>
</PolicySet>
我应该如何制定我的 PAP 策略以启用授权级别 2,仅使用 http 动词和资源路径进行授权?
默认情况下,Authzforce PAP 在未添加策略时允许所有。检查您的 PAP 是否有正确的信息:
GET
/domains/{domainId}/pap/policySet
编辑 1:
为了能够连接到 Authzforce,您需要将一些 Authzforce 参数配置到您的 IdM 实例中:
ACCESS_CONTROL_URL在fiware-idm/horizon/openstack_dashboard/local/local_settings.py和ACCESS_CONTROL_MAGIC_KEY在fiware-idm/horizon/openstack_dashboard/local/local_settings.py
然后,进入IdM,检查权限和角色是否配置好。有时,您必须 'trigger' IdM 中的策略生成,方法是转到您的应用程序 -> 管理角色,然后只需单击 'save' 即可触发 XACML 生成。