
As part of the FINISH accelerator we are using FIWARE KeyRock and Wirecloud. Currently we are using the Fiware labs global instance to investigate.

We want to restrict our system so that users can only view data that belongs to the organisations of which they are a member.

The following flow seems logical, but correct me if I am wrong:

  1. A user logs into Wirecloud and is directed through a KeyRock login screen.
  2. A Wirecloud Widget gets an access token from Wirecloud environment. The access token was created when the user logged in.
  3. The Wirecloud widget looks up the organisations and roles that a user is member of. Based on this it adds organisation names to its query.
  4. The Wirecloud widget queries a webservice (Orion or otherwise) using the query it just created.
  5. We put the Wilma PEP proxy between the Wirecloud Widget and the webservice to validate that the user is a member of the organisations in the query.

PROBLEM: We can query user information from KeyRock using the https://account.lab.fiware.org/user?access_token=XXXXXXXXXXX call. But that does not contain any information about the organisations that the user is a member of according to the KeyRock web interface. The organisations element is an empty array. We get a bunch of roles in the json response, but none of them is the "members" role that you assign to users from the "Manage your organization members" screen in KeyRock.

Some digging revealed that the Keystone instance running on Fiware labs contains the information (assuming that a Keystone project = KeyRock organisation). However the access token provided by KeyRock is somehow not valid on the Keystone API. The API we used was accessible here: http://cloud.lab.fiware.org:4730/v3/ Getting a new access token from the Keystone API is not what we want, because that would be a different access token than Wirecloud has obtained, which would require some kind of proxy to log in again and retrieve the organisation membership. That rather defeats the point of passing an access token.

This seems to be a bug in the KeyRock API on the FIWARE Lab instance. Or am I missing something here? Or will this problem magically go away if we install KeyRock on our own server?

Thanks for any help, Robin
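The flow in steps 2 to 5 above, reduced to the two pieces that matter for access control, as an added example in JavaScript (the language of both Wirecloud widgets and the Wilma PEP proxy); this is not code from the original post nor from the FIWARE projects. It assumes the KeyRock `/user` JSON carries an `organizations` array whose items have `name` and `roles` fields (taken from memory of the KeyRock API, not confirmed by the page), and it scopes the web-service query with a generic `org` parameter rather than any particular Orion API. The `/user` responses are constructed inline, including one with the empty `organizations` array the question describes.

```javascript
// Added example (not from the original post or from FIWARE).
//   1. Widget side: read organisation membership out of the KeyRock /user
//      response and build a query scoped to those organisations.
//   2. PEP side (what a Wilma-style proxy must do): re-derive membership
//      from the token and reject any query that names an organisation the
//      user is not a member of. The proxy never trusts the list the widget sent.
// Assumption: the /user JSON has an "organizations" array whose items carry
// "name" and "roles"; the field names are not confirmed by the page.

// Constructed /user response for a user who belongs to two organisations.
// The top-level "roles" are application roles, not organisation membership,
// which is exactly the confusion raised in the question.
const SAMPLE_USER = {
  id: 'user-1',
  displayName: 'Robin',
  roles: [{ id: 'role-provider', name: 'Provider' }],
  organizations: [
    { id: 'org-a', name: 'Acme Water', roles: [{ id: 'r1', name: 'member' }] },
    { id: 'org-b', name: 'Smart City Lab', roles: [{ id: 'r2', name: 'owner' }] },
  ],
};

// Constructed response for the failure mode in the question: the user has
// application roles, but "organizations" comes back as an empty array.
const UNAUTHORIZED_USER = {
  id: 'user-2',
  displayName: 'Dalton',
  roles: [{ id: 'role-provider', name: 'Provider' }],
  organizations: [],
};

// Organisation names the user is a member of, sorted for stable comparison.
// A missing or non-array "organizations" field is treated as no membership.
function orgsFromUserInfo(userInfo) {
  const orgs = Array.isArray(userInfo.organizations) ? userInfo.organizations : [];
  return orgs.map((o) => o.name).sort();
}

// Widget side: build the query string that restricts the web-service call
// to the user's organisations (generic "org" parameter, not an Orion API).
function buildOrgQuery(orgNames) {
  return new URLSearchParams(orgNames.map((name) => ['org', name])).toString();
}

// PEP side: pull the requested organisations back out of the query string.
function requestedOrgs(queryString) {
  return new URLSearchParams(queryString).getAll('org');
}

// PEP side: allow only if every requested organisation is one the token's
// owner is a member of. Membership comes from userInfo (looked up from
// KeyRock with the token), never from the request itself. An unscoped
// query is denied rather than allowed to reach every organisation.
function pepAuthorize(userInfo, queryString) {
  const member = new Set(orgsFromUserInfo(userInfo));
  const requested = requestedOrgs(queryString);
  if (member.size === 0) {
    return { allowed: false, reason: 'user has no authorized organizations' };
  }
  if (requested.length === 0) {
    return { allowed: false, reason: 'query is not scoped to any organization' };
  }
  const denied = requested.filter((name) => !member.has(name));
  if (denied.length > 0) {
    return { allowed: false, reason: `not a member of: ${denied.join(', ')}` };
  }
  return { allowed: true, reason: 'ok' };
}

// Stand-alone run: the widget scopes its query, the PEP checks it, then a
// tampered query tries to reach a third organisation, and finally the
// empty-organizations case from the question is checked.
const scopedQuery = buildOrgQuery(orgsFromUserInfo(SAMPLE_USER));
console.log(scopedQuery, pepAuthorize(SAMPLE_USER, scopedQuery));
console.log(pepAuthorize(SAMPLE_USER, scopedQuery + '&org=Other+Org'));
console.log(pepAuthorize(UNAUTHORIZED_USER, scopedQuery));
```

The point of splitting the check this way is that the widget-side filtering (step 3) is only a convenience; the PEP (step 5) is the enforcement point, and it must look the membership up itself from the token rather than believe the organisation names in the query. With the empty `organizations` array described in the question, the PEP correctly denies everything, which is why the membership data has to be made visible through the `/user` call before the flow can work.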

  • I found a link here: [link](https://forge.fiware.org/plugins/mediawiki/wiki/fiware/index.php/Application_Mashup_-_Wirecloud_-_User_and_Programmer_Guide#getTenants) and a Wirecloud sample widget here: [link](https://wirecloud.conwet.etsiinf.upm.es/slides/3.2.2_Using%20Object%20Storage.html#slide28) that allow retrieval of Tenants (=Keystone projects = KeyRock organisations) from a Wirecloud widget. I uploaded the widget to my mashup and although I do not have object storage set up (which causes the widget to complain) I am able to see the organisation of which my user is a member. – Robin Apr 17 '16 at 10:50
  • Although the above comment allows me to sidestep the KeyRock API directly from Wirecloud by using the Keystone API instead, it begs the question whether we should use the KeyRock API at all? – Robin Apr 17 '16 at 10:59
  • did you find the solution? I am also getting an empty list of organizations. Even the owner of the organization receives an empty list. – Dalton Cézane Apr 24 '17 at 15:18

1 Answer


You have to follow the steps explained here, but using the specific organization. Probably you have missed the "Authorize" step.

Álvaro Alonso
  • Thanks for the answer, Alvaro. That adds a filled organisations element in the https://account.lab.fiware.org/user?access_token=xxxx call. However we were expecting the **organisations** element to contain data after we had added users as a member in the **members** tab in the KeyRock user interface. The /user API call does not follow the same structure as the user interface, it seems, which is very confusing. Now we are obliged to add a permission in addition to adding a user to an organisation. That may make sense, but the KeyRock UI does not promote understanding. – Robin Apr 19 '16 at 14:30
  • Alvaro, the 'Authorize' button is hidden until a user requests a 'Community Upgrade' in the Settings->Account Status screen. How can we automate a 'Community Upgrade' or bypass it for use on our own installation? Or should we just go ahead and change the [KeyRock server]/user call? If so, which source file should we be looking at? – Robin May 07 '16 at 22:59