I just started experimenting with Authzforce Fiware following the docs. I made some RBAC scenarios following the examples given, using the RESTful interface provided.

What I would like to know, is whether any User Interface to manage the Policy Administration part (create, edit, delete policies etc.) exists.

According to this

> Authzforce itself does not offer a UI, and is not concerned with generation and management of XACML policies - it assumes that each it receives has already been generated by another component. Full-blown XACML editors are available, but the limited editor within Keyrock is usually sufficient for most access control scenarios.

no built-in UI solution exists inside Authzforce, and Keyrock is proposed as a solution, as is also proposed here.

Have I got that right? Could anyone provide me with any guidelines concerning the way I could possibly integrate Keyrock with the existing Authzforce PAP so that I could manage my policies from its editor?

Thanks in advance.

NickAth
  • You could use the Eclipse plugin for ALFA - it generates XACML files which you could easily push to AuthzForce – David Brossard Mar 28 '20 at 20:26
  • Hi @DavidBrossard, first of all thank you for your time. The solution you propose seems really interesting, but if my understanding is correct it targets only the policy creation part as an intermediate tool. Besides that, I am looking for a way to give programming-unaware people the ability to manage the policy administration point through a UI in a foremost way (create, edit, delete policies). Is there anything you know about that? – NickAth Mar 28 '20 at 23:31

1 Answer

In order to integrate Keyrock with AuthzForce, check FIWARE-IDM (Keyrock) installation & administration guide > Configuration > Authorization section. You have to change Keyrock's config file, esp:

```javascript
config.authorization = {
    level: "advanced", // basic|advanced
    authzforce: {
        enabled: true,
        host: "localhost",
        port: 8080
    }
};
```

Change the host/port to the ones of your AuthzForce Server instance.

You can do the same with Keyrock environment variables (look for 'AuthzForce' on the page).

Then check FIWARE tutorials > Identity Management > Administrating XACML Rules > Update an XACML permission to see how to edit XACML policy. Basically, you define permissions per role for your application(s). Each permission is turned into a XACML Rule, and the set of permissions into a XACML Policy.

cdan
  • Thank you! I set up a `keyrock` docker image and integrated it successfully with my authzforce server running on another container. Actually, what I am trying to understand now is in which way authzforce and keyrock interact. I created in the `Manage Roles` section a couple of permissions using the XACML option (advanced) and then a new role assigned with these permissions, so I get that a role is actually a policy itself since it consists of a set of permissions, right? Furthermore, shouldn't I be able to see the existing policies I've already created in my authzforce server in the keyrock console? – NickAth Mar 31 '20 at 23:10
  • Q1) Yes, the role's set of permissions is [turned into a XACML Policy](https://github.com/ging/fiware-idm/tree/master/templates/authzforce) (template source from Keyrock repo). Q2) [Looking at their code](https://github.com/ging/fiware-idm/blob/master/controllers/web/authzforces.js), it seems Keyrock saves the permissions in its own format/database after pushing to AuthzForce; and in the GUI, it gets them only from this database, *not from AuthzForce*. Therefore, if you update policies in AuthzForce directly (not via Keyrock), I guess you won't see the updates in Keyrock. – cdan Apr 02 '20 at 17:45
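
The mapping described in the answer (each permission becomes a XACML Rule, a role's set of permissions becomes a XACML Policy), as an added example that is not part of the original answer or comments and is not Keyrock's own template. The role/permission object shape and the sample values are assumptions, and the attribute identifiers are the standard XACML 3.0 ones, not necessarily those in Keyrock's template.

```javascript
// Added illustration, not Keyrock's template. URNs are standard XACML 3.0 identifiers.
const XS = "http://www.w3.org/2001/XMLSchema#string";
const ATTR = { // attribute kind -> [category, attribute id]
  role: ["urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
         "urn:oasis:names:tc:xacml:2.0:subject:role"],
  resource: ["urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
             "urn:oasis:names:tc:xacml:1.0:resource:resource-id"],
  action: ["urn:oasis:names:tc:xacml:3.0:attribute-category:action",
           "urn:oasis:names:tc:xacml:1.0:action:action-id"],
};
const ESC = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&apos;" };

// Escape every admin-supplied value so a permission string cannot inject XACML markup.
function xmlEscape(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESC[c]);
}

// One <Match>: the request attribute of this kind must equal `value`.
function match(kind, value) {
  const [category, id] = ATTR[kind];
  return `<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">` +
    `<AttributeValue DataType="${XS}">${xmlEscape(value)}</AttributeValue>` +
    `<AttributeDesignator Category="${category}" AttributeId="${id}" ` +
    `DataType="${XS}" MustBePresent="true"/></Match>`;
}

// A Target whose matches must all hold (single AnyOf/AllOf).
const target = (...m) => `<Target><AnyOf><AllOf>${m.join("")}</AllOf></AnyOf></Target>`;

// role = { id, permissions: [{ id, action, resource }] } (hypothetical shape).
// Policy target = the role; one Permit rule per permission; for that role,
// anything not explicitly permitted is denied (deny-unless-permit).
function roleToPolicy(role) {
  const rules = role.permissions.map((p) =>
    `<Rule RuleId="${xmlEscape(p.id)}" Effect="Permit">` +
    target(match("resource", p.resource), match("action", p.action)) + `</Rule>`);
  return `<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" ` +
    `PolicyId="${xmlEscape(role.id)}" Version="1.0" RuleCombiningAlgId=` +
    `"urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">` +
    target(match("role", role.id)) + rules.join("") + `</Policy>`;
}

// Constructed sample input: the second resource contains XML metacharacters.
const sampleRole = { id: "managers", permissions: [
  { id: "read-reports", action: "GET", resource: "/reports" },
  { id: "edit-reports", action: "PUT", resource: "/reports?a=1&b=<2>" },
] };
const samplePolicy = roleToPolicy(sampleRole);
console.log(samplePolicy);
```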