
How do roles work in Keyrock?


I want to know how role-based authorization works in FIWARE Keyrock. I have tested a scenario where a user A registers an application appA in Keyrock. User B, who is not on the authorized list for application appA, can request a token for another application (appB, for example) and successfully access appA with the token obtained from appB.

Another test performed was to include user A in the authorized list for appA, but with a role that has no permissions. Again, the user A gets access to appA with credentials from another application.

Can anyone explain to me how this works, if it really works?


Solution

  • As @Álvaro said in the comments, we can see an example of this configuration in this video.

    When I watched this video previously, I ignored the part about permission configuration in Keyrock because it was not of interest to me. Now I am interested in this functionality, and I had forgotten that this video presents such information.

    Besides, below is what I had to do to make things work:

    Install AZF:

    Configure Wilma PEP (config.js file):

    config.azf = {
        enabled: true,
        protocol: 'http',
        host: '10.30.0.21', // this is your authzforce ip
        port: 8080, // 6019,
        custom_policy: undefined // use undefined to default policy checks (HTTP verb + path).
    };
    

    Configure Keyrock (local_settings.py file, located in /horizon/openstack_dashboard/local/local_settings.py)

    ACCESS_CONTROL_URL = 'http://10.30.0.21:8080'
    ACCESS_CONTROL_MAGIC_KEY = None # If you have problems, put something instead of None. Currently there is a reported bug related to this.
    

    Remember to restart the services. To make things work, you need to create the specific permission for the right endpoint of the application you want to secure/access. Once it is created, the AZF will be consulted by the Wilma PEP Proxy.

    I hope it helps someone.
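
The behaviour in the question and the fix in the answer, as an added example that is not part of the original post and is not Wilma's or Keyrock's code: a simplified model of a PEP proxy that only checks token validity when authorization is disabled, and requires a role permission matching the HTTP verb and path when it is enabled. The token table, role ids, paths and the `decide` function are constructed assumptions.

```javascript
'use strict';

// Constructed sample data: what an identity manager might report for a token.
const TOKENS = {
  'tok-userA-viewer': { user: 'userA', roles: ['appA-viewer'] },
  'tok-userA-empty': { user: 'userA', roles: ['appA-empty'] }, // role with no permissions
  'tok-userB-appB': { user: 'userB', roles: ['appB-admin'] },  // obtained through appB
};

// Constructed policy for the protected application: role id -> verb + path permissions.
const POLICY = {
  appA: {
    'appA-viewer': [{ verb: 'GET', path: '/v2/entities' }],
    'appA-empty': [],
  },
};

// Hypothetical decision function modelling the default "HTTP verb + path" check.
function decide(pep, tokenId, verb, path) {
  const token = TOKENS[tokenId];
  if (!token) {
    return { decision: 'DENY', reason: 'token is not valid' };
  }
  if (!pep.azfEnabled) {
    // Authentication only: any valid token passes, whatever application issued it.
    return { decision: 'PERMIT', reason: 'authentication only, no permission check' };
  }
  const rolePermissions = POLICY[pep.appId] || {};
  // Roles unknown to the protected application's policy grant nothing.
  const allowed = token.roles.some((role) =>
    (rolePermissions[role] || []).some((p) => p.verb === verb && p.path === path));
  return allowed
    ? { decision: 'PERMIT', reason: 'a role permission matches verb and path' }
    : { decision: 'DENY', reason: 'no role permission matches verb and path' };
}

// The two PEP configurations compared: authorization off versus on.
const pepOff = { appId: 'appA', azfEnabled: false };
const pepOn = { appId: 'appA', azfEnabled: true };

for (const id of Object.keys(TOKENS)) {
  const off = decide(pepOff, id, 'GET', '/v2/entities').decision;
  const on = decide(pepOn, id, 'GET', '/v2/entities').decision;
  console.log(`${id}: azf disabled -> ${off}, azf enabled -> ${on}`);
}
```
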