Search code examples
fiwareauthzforce

AuthZForce-PEP-IDM Always allow access even when user doesnt have permission for specific resource

I created user and gave him only one role.(Member) Currently this role doesn't have any permission with any Http verb nor path. This is my user:

{
organizations: [1]
0:  {
website: ""
description: "AREAS"
roles: [1]
0:  {
name: "Member"
id: "09dc1bdba42c48de9e15e88816284cbc"
}-
-
enabled: true
id: "363ac390cfc94aa293e02547afa78256"
domain_id: "default"
name: "AREAS"
}-
-
displayName: "root"
roles: [0]
app_id: "aea8f4a70b87422cb48068db9f0c6aea"
email: "root"
id: "root"
}

Now, when i try to do GET request on address: http://localhost/parameters/search_tables/ for which this user don't have permission, it allows me access and redirects me nonetheless. This is log from pep proxy:

2015-11-13 14:55:53.446  - INFO: IDM-Client - Checking token with IDM...
2015-11-13 14:55:53.484  - INFO: AZF-Client - Checking auth with AZF...
2015-11-13 14:55:53.484  - INFO: AZF-Client - Checking authorization
to roles [ '09dc1bdba42c48de9e15e88816284cbc' ] to do  GET  
on  parameters/search_tables/ and app  aea8f4a70b87422cb48068db9f0c6aea
2015-11-13 14:55:53.508  - INFO: Root - Access-token OK. Redirecting to app...
Refused to set unsafe header "accept-encoding"
Refused to set unsafe header "cookie"

My config file regarding authorization is:

config.azf = {
        enabled: true,
    host: '192.168.4.180',
    port: 8080,
    path: '/authzforce/domains/afb096b2-8951-11e5-980f-6bf3c4dac98a/pdp'
};
config.public_paths = [];

config.tokens_engine = 'oauth2';

My Pap policy is:

 <PolicySet PolicySetId="default" Version="1.0" 
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.1:policy-combining-
algorithm:ordered-permit-overrides">
<Target />
 <Policy PolicyId="permit-all" Version="1.0" 
 RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.1:rule-combining-
 algorithm:ordered-permit-overrides">
<Target />
<Rule RuleId="permit-all" Effect="Permit" />
 </Policy>
 </PolicySet>

How should i formulate my PAP policy to enable authorization level2, to use only http verb and resource path for authorization?

Solution

  • By default, Authzforce PAP permits all when no policy is added. Check if your PAP has the right information: 

    GET
/domains/{domainId}/pap/policySet

    Edit 1:

    In order to be able to connect with Authzforce, you need to configure some Authzforce parameters into your IdM instance:

    • ACCESS_CONTROL_URL at fiware-idm/horizon/openstack_dashboard/local/local_settings.py and
    • ACCESS_CONTROL_MAGIC_KEY at fiware-idm/horizon/openstack_dashboard/local/local_settings.py

    Then, just go to IdM, and check that the permissions and roles are well configured. Sometimes, you have to 'trigger' the policy generation in IdM by going to your application -> manage roles and just click 'save' to trigger the XACML generation.