Dealing with FIWARE headers isn't a problem for Authzforce; it is just not the default behaviour of the PEP Proxy.
Authzforce is an entirely generic PDP: if you provide the right set of XACML policies and send the appropriate data, it will adjudicate for you. The following <Rule> will permit all access to /v2/entities when the fiware-header = "smartgondor":
<?xml version="1.0" encoding="UTF-8"?>
<Rule RuleId="ccxsx-xs-xsx-xsxs-xs" Effect="Permit">
  <Description>Context Broker Access with Header=SmartGondor</Description>
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-starts-with">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/v2/entities</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:thales:xacml:2.0:resource:sub-resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
        </Match>
      </AllOf>
    </AnyOf>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">smartgondor</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="fiware-header" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
</Rule>
Unfortunately, the issue is that by default the PEP Proxy code, when making a request to Authzforce, only passes the following values out-of-the-box:
- roles
- action
- resourceURL
- appId
As you can see no header information is passed by default.
To include information about the FIWARE headers, you're going to have to alter the file to read the headers from the request sent to the PEP Proxy and add another attribute sent with the request to Authzforce. A simpler example of this sort of custom request can be found within the Administrating-XACML Tutorial:
Security staff can only ring the alarm bell before 9 a.m. or after 5 p.m., except for Charlie who can ring the bell at any time
The custom code to send a request to Authzforce can be found in the tutorial codebase - Charlie's username is included in the request.
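The answer above describes the change in words only. Below is an added JavaScript example of what such a custom request builder could look like; it is not the PEP Proxy's (Wilma's) code nor the tutorial's. It builds the XACML 3.0 Request body for Authzforce carrying the four default values (roles, action, resourceURL, appId) plus the extra fiware-header resource attribute that the Rule above matches. Only the sub-resource-id AttributeId and the fiware-header AttributeId come from the page; the other category and AttributeId URNs, the default header name fiware-service, and the sample request are assumptions. Header values are client-controlled, so they are XML-escaped before being embedded, and the attribute is omitted when the header is absent so that the MustBePresent="true" designator yields Indeterminate rather than an accidental Permit.

```javascript
// Added example, not Wilma's or the tutorial's own code: build the XACML 3.0
// <Request> sent to Authzforce with the default attributes plus a custom
// "fiware-header" resource attribute matching the <Rule> on this page.

const XACML_NS = 'urn:oasis:names:tc:xacml:3.0:core:schema:wd-17';
const XS_STRING = 'http://www.w3.org/2001/XMLSchema#string';

const CATEGORY = {
  subject: 'urn:oasis:names:tc:xacml:1.0:subject-category:access-subject',
  resource: 'urn:oasis:names:tc:xacml:3.0:attribute-category:resource',
  action: 'urn:oasis:names:tc:xacml:3.0:attribute-category:action',
};

const ATTRIBUTE_ID = {
  role: 'urn:oasis:names:tc:xacml:2.0:subject:role',           // assumption
  appId: 'urn:oasis:names:tc:xacml:1.0:resource:resource-id',   // assumption
  subResource: 'urn:thales:xacml:2.0:resource:sub-resource-id', // from the page
  action: 'urn:oasis:names:tc:xacml:1.0:action:action-id',      // assumption
  fiwareHeader: 'fiware-header',                                // from the page
};

// Header values arrive straight from the client; escape them so a crafted
// value cannot close the element and inject extra XML into the request.
function escapeXml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// One <Attribute> element with a string <AttributeValue> per entry.
function attribute(id, values) {
  const vals = values
    .map((v) => `<AttributeValue DataType="${XS_STRING}">${escapeXml(v)}</AttributeValue>`)
    .join('');
  return `<Attribute AttributeId="${id}" IncludeInResult="false">${vals}</Attribute>`;
}

// `input` mirrors what the PEP Proxy already has: roles, action, resourceUrl,
// appId and the incoming request headers (lower-cased, as Node.js exposes them).
// `headerName` selects which FIWARE header is forwarded (assumed default).
function buildXacmlRequest(input, headerName = 'fiware-service') {
  const { roles, action, resourceUrl, appId, headers } = input;
  const resourceAttrs = [
    attribute(ATTRIBUTE_ID.appId, [appId]),
    attribute(ATTRIBUTE_ID.subResource, [resourceUrl]),
  ];
  // Skip the custom attribute when the header is missing: the <Rule>'s
  // MustBePresent="true" designator then evaluates to Indeterminate, not Permit.
  const headerValue = headers[headerName];
  if (headerValue !== undefined) {
    resourceAttrs.push(attribute(ATTRIBUTE_ID.fiwareHeader, [headerValue]));
  }
  return (
    '<?xml version="1.0" encoding="UTF-8"?>' +
    `<Request xmlns="${XACML_NS}" CombinedDecision="false" ReturnPolicyIdList="false">` +
    `<Attributes Category="${CATEGORY.subject}">${attribute(ATTRIBUTE_ID.role, roles)}</Attributes>` +
    `<Attributes Category="${CATEGORY.resource}">${resourceAttrs.join('')}</Attributes>` +
    `<Attributes Category="${CATEGORY.action}">${attribute(ATTRIBUTE_ID.action, [action])}</Attributes>` +
    '</Request>'
  );
}

// Constructed sample standing in for an incoming request to the PEP Proxy.
const sampleInput = {
  roles: ['security-staff'],
  action: 'GET',
  resourceUrl: '/v2/entities',
  appId: 'APP-ID-PLACEHOLDER',
  headers: { 'fiware-service': 'smartgondor' },
};

console.log(buildXacmlRequest(sampleInput));
```

The returned string is what would be POSTed to the Authzforce PDP endpoint in place of the default request body; the only structural difference from the default is the extra Attribute in the resource category, which is why the Rule above can read it through an AttributeDesignator with AttributeId="fiware-header".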