
First of all, I'm using the Telefonica implementations of Identity Manager, Authorization PDP and PEP Proxy, instead of the FIWARE reference implementations, which are Keyrock, AuthZForce and Wilma PEP Proxy. The source code and reference documentation of each component can be found in the following GitHub repos:

  • Telefonica keystone-spassword: https://github.com/telefonicaid/fiware-keystone-spassword
  • Telefonica keypass: https://github.com/telefonicaid/fiware-keypass
  • Telefonica PEP-Proxy: https://github.com/telefonicaid/fiware-pep-steelskin

Besides, I'm working with my own in-house installation of the components, NOT Fi-Lab. In addition to the security components, I have an IoT Agent-UL instance and an Orion Context Broker instance.

Starting from that configuration, I've created a domain in Keystone (Fiware-Service) and a project inside the domain (Fiware-ServicePath). Then I have one device connected to the platform, sending data to the IoT Agent behind the PEP Proxy. The whole device message is represented as a single entity in Orion Context Broker.

So, the question is:

How can I restrict a specific Keystone user to access only the entity associated with this device, at the level of the Orion Context Broker API?

I know that I can allow/deny user access to specific APIs via Keystone roles and XACML policies, but that implies that I should create one policy per user-device pair.

I could use some help with this, to know if I'm on the right way.

1 Answer

I think there is no way to do access control on Orion without the security GEs. Each GE has a specific purpose, and access control is not one of Orion's.

As stated in the security considerations of the Orion documentation:

Orion doesn't provide "native" authentication nor any authorization mechanism to enforce access control. However, authentication/authorization can be achieved through the access control framework provided by FIWARE GEs.

In addition, there is related content in another link:

Orion itself has no security. It is designed to run behind a proxy server that provides security and access control. In the FIWARE Lab they run another service built on node.js, "PEP Proxy Wilma", in front of it. Wilma checks that you have obtained a token from FIWARE Lab and put it in the header.

Also, the link below supports my view on Orion and access control:

Fiware-Orion: access control on a per-subscription basis

My view is that the way you are using the other security components is correct.

As you mentioned, rather than "create one Policy per User-Device pair", perhaps it would be better to consider "group policies".

answered 2017-05-10T21:51:00.613
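To make the "group policies" suggestion concrete, below is an added example (not code from fiware-keypass, fiware-pep-steelskin or the Orion project) of the decision a PEP/PDP pair makes in front of an NGSIv2 API: the PEP extracts Fiware-Service, Fiware-ServicePath, the entity id and an action from the request, and the PDP permits only if a policy attached to one of the caller's Keystone roles matches every attribute. Policies are bound to a role (a group) rather than to a user, so a new user is authorized by a single role assignment instead of a new policy per user-device pair. The policy structure, the "read"/"write" action names, the role names, the domain/project names and the entity ids are assumptions made for this illustration and are not keypass's XACML vocabulary.

```python
"""Toy PDP showing per-entity, role-bound ("group") policies for an Orion-style API.

Added example; not the implementation used by fiware-keypass or fiware-pep-steelskin.
Request shape (Fiware-Service / Fiware-ServicePath headers, /v2/entities/<id> paths)
follows the Orion NGSIv2 API; everything else here is an assumption for illustration.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, Iterable, Set, Tuple
from urllib.parse import unquote


@dataclass(frozen=True)
class Policy:
    """A policy attached to a Keystone role, not to an individual user."""
    role: str            # role name granted to users on the project
    service: str         # Fiware-Service (Keystone domain)
    subservice: str      # Fiware-ServicePath (Keystone project)
    entity_pattern: str  # glob on the entity id, e.g. "urn:ngsi-ld:Device:floor1-*"
    actions: frozenset   # subset of {"read", "write"} (assumed action names)


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]


# HTTP verb -> abstract action used by the policies (assumption for this example).
_METHOD_ACTION = {"GET": "read", "POST": "write", "PUT": "write",
                  "PATCH": "write", "DELETE": "write"}


def extract_target(req: Request) -> Tuple[str, str, str, str]:
    """Return (service, subservice, entity_id, action) for a single-entity NGSIv2 request.

    Raises ValueError for anything that does not address exactly one entity
    (collection listings, batch operations, unknown verbs), so the caller
    denies instead of matching a wildcard by accident.
    """
    service = req.headers.get("Fiware-Service", "")
    subservice = req.headers.get("Fiware-ServicePath", "/")
    path = req.path.split("?", 1)[0]                 # drop the query string
    parts = [p for p in path.split("/") if p]
    # Expected shape: v2 / entities / <entity id> [/ attrs / ...]
    if len(parts) < 3 or parts[0] != "v2" or parts[1] != "entities":
        raise ValueError("not a single-entity request: %s" % req.path)
    action = _METHOD_ACTION.get(req.method.upper())
    if action is None:
        raise ValueError("unsupported method %s" % req.method)
    return service, subservice, unquote(parts[2]), action


def decide(req: Request, user_roles: Set[str], policies: Iterable[Policy]) -> str:
    """Default deny; permit only if a policy on one of the user's roles matches all attributes."""
    try:
        service, subservice, entity_id, action = extract_target(req)
    except ValueError:
        return "Deny"
    for pol in policies:
        if (pol.role in user_roles
                and pol.service == service
                and pol.subservice == subservice
                and action in pol.actions
                and fnmatchcase(entity_id, pol.entity_pattern)):
            return "Permit"
    return "Deny"


# Constructed sample data: one domain "smartcity", one project "/floor1",
# two readers sharing one role and one operator with a second role.
POLICIES = [
    Policy("floor1-reader", "smartcity", "/floor1",
           "urn:ngsi-ld:Device:floor1-*", frozenset({"read"})),
    Policy("floor1-operator", "smartcity", "/floor1",
           "urn:ngsi-ld:Device:floor1-*", frozenset({"read", "write"})),
]
USER_ROLES = {
    "alice": {"floor1-reader"},
    "bob": {"floor1-reader"},     # same role, no extra policy needed
    "carol": {"floor1-operator"},
}


def check(user: str, method: str, path: str,
          service: str = "smartcity", subservice: str = "/floor1") -> str:
    """Convenience wrapper: build the request the PEP would see and ask the PDP."""
    req = Request(method, path,
                  {"Fiware-Service": service, "Fiware-ServicePath": subservice})
    return decide(req, USER_ROLES.get(user, set()), POLICIES)


if __name__ == "__main__":
    print(check("alice", "GET", "/v2/entities/urn:ngsi-ld:Device:floor1-001"))
    print(check("alice", "GET", "/v2/entities"))   # listing cannot be scoped by path
```

Note the failure mode the example deliberately handles: a proxy that authorizes by URL can only scope requests that name one entity. `GET /v2/entities` (and the `/v2/op/*` batch endpoints) would return or touch every entity in the project, so the PEP must deny them for entity-restricted roles or filter the response body, and a policy keyed on the entity id alone cannot express that.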