fiwareauthzfiware-wilmapdpauthzforce

Fiware AuthZForce error: "AZF domain not created for application"


I'm trying to protect Orion Context Broker using KeyRock idm, Wilma PEP-Proxy and AuthZForce PDP over Docker. For now, level 1 security works well and I can deny access to non logged users, but I get this error on Wilma when trying to add level 2.

AZF domain not created for application <applicationID>

Here it is my azf configuration in Wilma's config.js file:

config.azf = {
    enabled: true,
    protocol: 'http',
    host: 'azfcontainer',
    port: 8080,
    custom_policy: undefined
};

And this is how I set the access control configuration on KeyRock:

# ACCESS CONTROL GE
ACCESS_CONTROL_URL = 'http://azfcontainer:8080'
ACCESS_CONTROL_MAGIC_KEY = None

I have created the custom policies on Keyrock, but AuthZForce logs don't show any request from KeyRock or Wilma, so no domain is created on the PDP. I have checked that all containers can see and reach each other and that all ports are up. I may be missing some configuration.

These are the versions I'm using:

keyrock=5.4.1
wilma=5.4
autzforce=6.0.0/5.4.1

This question is the same that “AZF domain not created for application” AuthZforce, but my problem persists even with the shown AuthZForce GE Configuration.


Solution

  • I found the cause of this problem that is present when the AuthZForce is not behind a PEP Proxy and therefore the variable ACCESS_CONTROL_MAGIC_KEY is not modified (None by default).

    It seems horizon reads both ACCESS_CONTROL_URL and ACCESS_CONTROL_MAGIC_KEY parameters in openstack_dashboard/local/local_settings.py when it needs to connect to AuthZForce. Theoretically, the second parameter is optional (it introduces a 'X-Auth-Token' header for the PEP Proxy), but if horizon detects it is None (the default value in local_settings.py) or an empty string, the log shows a Warning and returns inmediatly from the function "policyset_update" in openstack_dashboard/fiware_api/access_control_ge.py. So the communication to AuthZForce never takes place.

    The easier way to solve the problem is to write some text as magic key in: openstack_dashboard/local/local_settings.py:

    # ACCESS CONTROL GE
    ACCESS_CONTROL_URL = 'http://authzforce_url:port'
    ACCESS_CONTROL_MAGIC_KEY = '1234567890' # DO NOT LEAVE None OR EMPTY
    

    Thus, a 'X-Auth-Token' header will be generated, but it shouldn't affect to the communication when the AuthZForce isn't behind a PEP Proxy (the header is simply ignored).

    Notice: Remember to delete the cached bytecode file "openstack_dashboard/local/local_settings.pyc" when making changes to assure the new config is updated after restart horizon service.

    PS: I sent a pull request to https://github.com/ging/horizon with a simple modification that fixes the problem.