I just started experiment with Authzforce Fiware following the docs. I made some RBAC scenarios following the examples given, using the RESTful interface provided.
What I would like to know, is whether any User Interface to manage the Policy Administration part (create, edit, delete policies etc.) exists.
According to this
Authzforce itself does not offer a UI, and is not concerned with generation and management of XACML policies - it assumes that each it receives has already been generated by another component. Full-blown XACML editors are available, but the limited editor within Keyrock is usually sufficient for most access control scenarios.
not any built-in UI solution does exist inside Authzforce and proposes as a solution Keyrock as so as proposed here.
Have I got that right? Could anyone provide me with any guidelines concerning the way I could possibly integrate Keyrock with the existing Authzforce PAP so that I could manage my policies from it's editor?
Thanks in advance.
In order to integrate Keyrock with AuthzForce, check FIWARE-IDM (Keyrock) installation & administration guide > Configuration > Authorization section. You have to change Keyrock's config file, esp:
config.authorization = {
level: "advanced", // basic|advanced
authzforce: {
enabled: true,
host: "localhost",
port: 8080
}
};
Change the host/port to the ones of your AuthzForce Server instance.
You can do the same with Keyrock environment variables (look for 'AuthzForce' on the page).
Then check FIWARE tutorials > Identity Management > Administrating XACML Rules > Update an XACML permission to see how to edit XACML policy. Basically, you define permissions per role for your application(s). Each permission is turned into a XACML Rule, and the set of permissions into a XACML Policy.
Related
I have in my server a Orion Context Broker (https://github.com/telefonicaid/fiware-orion) but i need to add some restrictions to my "consumers" when they use the endpoint(s) e.g(http://myhost:1026/v2/entities). Is possible configure the local/personal Broker with token like https://fiware-orion.readthedocs.io/en/1.11.0/quick_start_guide/index.html#orion-context-broker-quick-start-guide ?
Thank you very much.
The Orion Context Broker does not offer roles and permissions directly.
To add roles and permissions to restrict an endpoint, you will need to use a PEP Proxy - which security mechanism you use to do this is up to you.
There are several OAuth2-based security components found within the FIWARE Catalogue, alternatively you could another open source PEP Proxy such as steelskin which integrates nicely with either Keyrock or Keystone
I am trying to setup Keycloak server for our organisation. I have couple of questions.
How can we use our existing user database to authenticate users - User Federation. Keycloak only has LADP/Kerberos options. Is there any custom plugin which can be used for MySQL user authentication or can we use existing connectors itself (LDAP/Kerberos) via some adapter for the database?
Is it possible to have multiple Identity providers within Keycloak environment - (Have Keycloak as IDP for few services, while Keycloak Google IDP for other services).
I have followed the official documentation, but for some reason not able to view the content of the link. Any helpful links to proper guide would be great.
Check Keycloak Custom User Federation
It means that, to use diffirent datasource (or process) while Keycloak username / password login
see =>
https://github.com/keycloak/keycloak-documentation/blob/master/server_development/topics/user-storage/simple-example.adoc
https://tech.smartling.com/migrate-to-keycloak-with-zero-downtime-8dcab9e7cb2c github => (https://github.com/Smartling/keycloak-user-migration-provider)
First link => explaining how to configure external db to keycloak.
Second link (need changes)=> these examplecan change like that,
you can create a custom federation implementation,
it will be call your service,
your service will be query your db
your service will response your result
Second example(my suggestion) will be abstract your custom code (federation process, your service) and keycloak. Keycloak ony call your service, everything else are your implementation.
You should implement your own user storage SPI to integrate your MySQL db as an external user storage db
https://www.keycloak.org/docs/latest/server_development/index.html#_user-storage-spi
I answered a similar question regarding existing databases user and keycloak authentication (link here)
I published my own solution as a multi RDBMS implementation (oracle, mysql, postgresl, sqlserver) to solve simple database federation needs, supporting bcrypt and several types of hashes.
It is a configurable keycloak custom provider, you will only need the to set some SQL queries and it is ready to use.
It is already compatible with new keycloak quarkus deployment.
Feel free to clone, fork, contribute or do whatever you need to solve your issue.
GitHub repo:
https://github.com/opensingular/singular-keycloak-database-federation
First of all, I'm using the Telefonica implementations of Identity Manager, Authorization PDP and PEP Proxy, instead of the Fiware reference implementations which are Keyrock, AuthZForce and Wilma PEP Proxy. The source code and reference documentation of each component can be found in the following GitHub repos:
Telefonica keystone-spassword:
GitHub /telefonicaid/fiware-keystone-spassword
Telefonica keypass:
GitHub /telefonicaid/fiware-keypass
Telefonica PEP-Proxy:
GitHub /telefonicaid/fiware-pep-steelskin
Besides, I'm working with my own in-house installation of the components, NO Fi-Lab. In addition to security components, I've an IoT Agent-UL instance and an Orion Context Broker instance.
Starting from that configuration, I've created a domain in keystone (Fiware-Service) and a project inside the domain (Fiware-ServicePath). Then I've one device connected to the platform, sendding data to the IoT Agent behind the PEP Proxy. The whole device message is represented as a single Entity in Orion Context Broker.
So, the question is:
How can I restrict a specific keystone user to access only to the entity associated to this device, at the level of the Orion Context Broker API?
I know that I can allow/deny user acces to specific API via keystone Roles and XACML Policies but that implies that I should create one Policy per User-Device pair.
I could use some help with this, to know if I'm on the right way.
I do not think Access Control can be done to Orion without Security GEs. Each GE has a specific purpose and access control is not one of the Orion's purposes.
As stated in the Security Considerations from Orion documentation:
Orion doesn't provide "native" authentication nor any authorization mechanisms to enforce access control. However, authentication/authorization can be achieved the access control framework provided by FIWARE GEs.
Also, there is something related in another link:
Orion itself has no security. It’s designed to be run behind a proxy server which provides security and access control. Used within the FIWARE Lab, they run another service build on node.js, “PEP Proxy Wilma”, in front of it. Wilma checks that you have obtained a token from the FIWARE lab and put it in the headers.
Besides, the link below can endorse my opinion about Orion and access control:
Fiware-Orion: Access control on a per subscription basis
My opinion is that you are in the right way using the other security components.
About "create one Policy per User-Device pair" as you mention, maybe it would be better you thought about "group policies" instead.
We want to use the FIWARE IdM, both Keystone and Horizon. Specifically during sign-up we want to
create a user
add that user to an organisation
authorise the user for an application
We have installed Keystone and Horizon using the latest KeyRock docker image on the docker hub.
When a new user signs up:
a 'cloud organisation' is created.
By default, the 'provider' and 'purchaser' roles are present
and the 'Store' application is assigned to the user (although i cannot verify this).
We can add the user to an organisation by hand, and authorise the user for an application by hand in the KeyRock UI.
However this does not make any sense for our local installation.
How can we prevent Horizon from creating the cloud organisation upon user sign-up?
How can we assign a default application authorization upon user sign-up?
-- Edit --
It’s becoming increasingly clear to me that the way KeyRock is implemented is primarily useful for setting up your own Fiware labs environment, as opposed to setting up a generic Identity management service. If we use KeyRock, we will be stuck with cloud organisations, stores etc. Far from being a Generic Enabler (GE), KeyRock seems to be a “Fiware Labs” specific enabler.
All the GE documentation references KeyRock as the reference Identity Management GE. Therefore we (and i assume others too) have followed the documented architecture and configuration to link to KeyRock from:
Wilma PEP Proxy GE
Wirecloud Application Mashup GE
Because of the inbuilt Fiware Labs functions of KeyRock, we are having a really hard time applying Wilma PEP Proxy and Wirecloud Application Mashup to our use cases.
If we decide to use Keystone instead, we will lose
OAuth2 support
Permissions
sign-up, admin and login screens.
Is anyone else having this problem?
How have they tackled it?
-- SCIM API --
Attempt at using the SCIM API is described here: Fiware KeyRock SCIM API bug: _check_allowed_to_get_and_assign() got an unexpected keyword argument 'userName'
We're developing a smart cities service and want to use KeyRock for our users authentication. We don't want to use existing FIWARE Lab instance though, but create our own. The FIWARE catalogue states:
It can be integrated with any development, specially with any Cloud service.
I would expect that KeyRock would be a generic component, that would allow us to add Single Sign-On authentication to our services. After KeyRock installation, however, I can see it's highly tied to FIWARE Lab:
there is a FIWARE Lab menu at the top,
I can see FIWARE-related content on logging in page,
as an admin I can set users' FIWARE Lab account type (trial, community).
Is my assumption, that KeyRock can be used outside of FIWARE Lab context correct? Is there a way to brand it to my own purposes and turn off the FIWARE Lab-related functionalities? Or should it only be used as a part of FIWARE Lab instance?
yes, the front end component (Horizon) is fixed to FIWARE look and field and FIWARE Lab user account policies. If you want to use it with your own GUI design you have to modify it yourself.
On the other hand the backend component (Keystone) can be used without changes as an "universal" idm.
BR