Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 7 Current »

Authorization

Gateway provides different mechanisms to manage authorization in secured environments. One of the most effective and powerful methods is secured endpoints allowing MOC administrators to restrict access to internal MOC endpoints though configuration properties at the Gateway.

Securing endpoints through the gateway

This configuration requires two components:

  1. Rule base authorities

  2. Protected endpoints.

1- Rule base authorities:

Allow mappings between OAuth2 token claims and Granted Authorities.

These rules are defined under:

 oauth2:
  resource-server:
    authorization:
      rule-based-authorities:

Each rule is defined by:

- authority-name: GrantedAuthorityNameToBeAssigned
    claim-value-condition:
        claims: token_claim_name_one,token_claim_name_two
        values: expected_value_one,expected_value_two

Which can be translated to:

If token claims contains any of the next keys: token_claim_name_one OR token_claim_name_two, and the value equals any of expected_value_one OR expected_value_two then request will get GrantedAuthorityNameToBeAssigned as Granted Authority.

Sample configurations:

oauth2:
  resource-server:
    authorization:
      rule-based-authorities:
        - authority-name: modelopEngineOnlyModelManage
          claim-value-condition:
            claims: user_id,client_id
            values: model-manage
        - authority-name: modelopEngineOnlyModelManageAndMlc
          claim-value-condition:
            claims: user_id,client_id
            values: model-manage,mlc-service
        - authority-name: modelop-monitor
          claim-value-condition:
            claims: user_id,client_id
            values: model-manage,mlc-service

If Gateway receives a token containing any of the predefined rules, then that user will get the authority-name added as granted authority.

As an example:

Using the above configurations and receiving a token with the next claims:

{
  "issuer":"",
  "client_id": "model-manage",
  "created_date":"09/10/1986",
  "memberOf":"modelop"
}

The resulting Granted authorities will be:

modelopEngineOnlyModelManage,modelopEngineOnlyModelManageAndMlc,modelop-monitor

2- Protected endpoints

These protected endpoints are defined under:

gateway:
  security:
    protectedEndpoints:

Each protected endpoint is defined by:

-
  grantedAuthorityName: required_granted_authority_name
  endpoints: comma_separated_list_of_endpoints

Sample configurations:

gateway:
  security:
    # List of protected endpoints only available for Users with predefined grantedAuthorities
    protectedEndpoints:

      ## NOTE: The Order is KEY to have it working as expected , generic rules should be at the BOTTOM.
      ## Protected ModelOp engine TEST allowing access ONLY to ModelManage
      -
        grantedAuthorityName: modelopEngineOnlyModelManage
        endpoints: /engine-protected-modelop-test/api/roundtrip/0/1

      ## Protected ModelOp engine with wildcard allowing access to ModelManage and mlc-service
      -
        grantedAuthorityName: modelopEngineOnlyModelManageAndMlc
        endpoints: /engine-protected-modelop-**/api/roundtrip/0/1

Example 1:

Using the above configurations and receiving a token that generates the next granted authorities:

modelopEngineOnlyModelManage,modelopEngineOnlyModelManageAndMlc,modelop-monitor

Result:

The request will be able to access all endpoints.

Example 2:

Using the above configurations and receiving a token that generates the next granted authorities:

modelopEngineOnlyModelManageAndMlc,modelop-monitor

Result:

The request wont be able to access: /engine-protected-modelop-test/api/roundtrip/0/1 , but will be able to access: /engine-protected-modelop-**/api/roundtrip/0/1

  • No labels