fiwareauthzfiware-wilmaauthzforce

Authzforce does not store policies?


I am developing a new application using Fiware and I am interested in adding a security layer using the specific Fiware GE for this:

I started by setting up my own local installation of these components, starting from this tutorial. After a few minutes I was able to successfully install all three components up & running.

Then I started to create applications, roles, permissions, assign roles to user and so on. The thing is after a while playing with the components AuthZforce crashed and I had to re boot it. After that I noticed that all policies and domains was erased from AuthZForce.

I did some digging and discovered that all stuff are maintained in memory for AuthZForce and also in to IdM database, so if your AuthZForce crashes then you lose all your policies and application domains unless you recover it from IdM database.

The problem is when you restart AuthZForce all policies and application that are stored in IdM databases are not automatically synchronized with AuthZForce. To force the synchronization you must perform some change to your Application, for example using the IdM Web interface to change the application description. Then IdM re-create application domain and all application policies.

Is there any reason why this is so? Why the synchronization is not done automatically? Can the AuthZForce itself be responsible for the persistence of the policies?


Solution

  • As far as AuthzForce is concerned, all the policies pushed successfully by the IdM to Authzforce are persisted to disk in AuthzForce server's /opt/authzforce-ce-server/data directory. There is no reason that I know of for AuthzForce Server to erase data from there unless it is requested via the REST API, e.g. by the IdM. If you check the content of this directory at some point and it is empty, one of the reasons may be that the IdM didn't push any policy to AuthzForce at all. If you actually find a case when an AuthzForce crash erases all files in /opt/authzforce-ce-server/data (assuming obviously that there were some files before), then please report this issue to AuthzForce team with relevant server logs and enough info to reproduce the issue.

    Back to the last question, again, AuthzForce persists policies received from the IdM to disk. However, on the one hand, the IdM uses its own simplified format for managing role permissions from the GUI, whereas AuthzForce uses the XACML standard. The IdM GUI does not support the full expressiveness of XACML at the moment, far from it. So when you click Save in the role permission editor, the IdM GUI converts from its own format to XACML (using simple template processing) before pushing to AuthzForce, and this is only one-way. Therefore, IdM cannot recover policies in its own format from AuthzForce (the XACML-to-IdM format translation is not implemented as far as I know) and therefore the IdM cannot rely only on AuthzForce for policy storage. I cannot go further into the details and why because I am not part of the IdM dev team. So please ask them if you want a better answer.