How does roles work in Keyrock?

Question

I want to know how the role based authorization works in FIWARE Keyrock. I have tested a scenario where a user A registers an application appA in Keyrock. The user B that is not on the authorized list for application appA can request a token for another application (appB, for example) and successfully access the appA with the token obtained from appB.

Another test performed was to include user A in the authorized list for appA, but with a role that has no permissions. Again, the user A gets access to appA with credentials from another application.

Can anyone explain me how this work, if it really work?

I recommend you to take a look to the GE courses. There you will find a working example of that configuration — Álvaro Alonso
Thanks. I had ignored the exact part of permission configuration at Keyrock previously, some months ago, because it was not of my interest. Now, I am interested in this functionality and I had forgot that this video presents such information. — Dalton Cézane

Dalton Cézane Dalton Cézane · Accepted Answer · 2017-04-03T17:24:25

As @Álvaro said in comments, we can see an example of this configuration at this video.

When I saw this video, previously, I had ignored the exact part of permission configuration at Keyrock, because it was not of my interest. Now, I am interested in this functionality and I had forgot that this video presents such information.

Besides, below I put what I had to do for things work:

Install AZF:

sudo apt-get install openjdk-7-jdk (if you dont have)
sudo apt-get install tomcat7
wget http://repo1.maven.org/maven2/org/ow2/authzforce/authzforce-ce-server-dist/5.4.1/authzforce-ce-server-dist-5.4.1.deb (authzforce)
sudo apt-get install gdebi curl
sudo gdebi authzforce-ce-server-dist-5.4.1.deb

Configure Wilma PEP (config.js file):

config.azf = {
        enabled: true,
        protocol: 'http',
        host: '10.30.0.21', //this is your authzforce ip
        port: 8080, //6019,
        custom_policy: undefined // use undefined to default policy checks (HTTP verb + path).
};

Configure Keyrock (local_settings.py file, located in /horizon/openstack_dashboard/local/local_settings.py)

ACCESS_CONTROL_URL = 'http://10.30.0.21:8080'
ACCESS_CONTROL_MAGIC_KEY = None # If you have problems, put something instead of None. Currently there is a reported bug related to this.

Remember to restart the services. To let the things work, you need to create the specific permission to the right endpoint of the application you want to secure/access. Once it is created, the AZF will be consulted by the Wilma PEP Proxy.

I hope it helps someone.

How does roles work in Keyrock?

1 Answers