authorization

command module

v0.0.1 Latest Latest Go to latest Published: Dec 19, 2023 License: Apache-2.0 Imports: 8 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/SENERGY-Platform/authorization

Links

Open Source Insights

README ¶

Access Control Policy Service

Go Web Server, to create access policies and ask for permissions of a subject

Endpoints

/policies - manage access policies

curl -i -X POST --url http://localhost:8080/policies
[
    {
        	"Subject": "admin",
        	"Action": "POST",
        	"Resource": "/iot-repository",
        	"ID": "admin",
        	"Effect": "allow"
    }
]

curl -i -X PUT --url http://localhost:8080/policies
[
    {
        	"Subject": "admin",
        	"Action": "has_access_permission",
        	"Resource": "deviceid"
        	"ID": "admin",
        	"Context": {
        		"type": "device",
        		"owner": "user"
        	}
        	"Effect": "allow"
    }
]

curl -i -X GET --url http://localhost:8080/policies?subject=admin

curl -i -X DELETE --url http://localhost:8080/policies?ids=id1,id2

/check - ask for permission (used with kong middleman plugin)

curl -i -X POST --url http://localhost:8080/access
{
    "headers": {
        "target_method": "GET",
        "target_uri": "/process/schedulerlump",
        "authorization": "Bearer <token>"
    }
}

Requiremnets

for project

for Docker image

docker pull golang

Types of authorization

Subjects:

User
Role

Actions:

HTTP Method
Access

Ressources:

URI
Device Instance ID
Device Type ID

Examples

role admin is allowed to GET on ressource /iot-device-repo
user max is allowed to access device instance iot#22323232332 where owner is thomas

subset generieren bei web ui: checken eigene devices dann instanzen die freigegeben wurde
device instanz verwenden beim process exceuter: entweder im iot-repo nachfragen und ladon

Access Policies

one policy per subject e.g. role admin and ressource e.g /iot-repository
one or multiple actions which can be removed or added later
policy id is tuple of subject and ressource
if permissions of a subject in relation to a ressource should be changed, then the existing policy should be changed and no extra policy be created