[keycloak-user] ABAC policy, attributes not avialable

Pedro Igor Silva psilva at redhat.com
Tue Jul 17 11:06:08 EDT 2018 

You should be able to obtain any attribute defined to the user.

But regarding group attributes from the resource instance, it won't work
because this functionality is not exposing group's attributes via the
resource instance.

There are other things we need to improve in this functionality of
fine-grained permissions to admin console. There are a few things missing
or too complicated to be done ...

On Tue, Jul 17, 2018 at 11:08 AM, Nicolas Gillet <
nicolas.gillet at market-ip.com> wrote:

> Hello
>
> I am trying to write a javascript Attribute Based Access Control (ABAC)
> policy.
> I want to control the access to group resource using the authenticated
> user's attributes and the attributes configured on the group.
> So I configured the policy via Groups > myGroup > permissions >
> view-members and select my javascript policy.
>
> Problem: in the script, neither my identity nor my group attributes are
> available.
> Here is my script:
>
> var context = $evaluation.getContext();
> var resourcePermission = $evaluation.getPermission();
> var identity = context.getIdentity();
> var idAttributes = identity.getAttributes();
> var ctxAttributes = context.getAttributes();
> var resource = resourcePermission.getResource();
>
> print('idAttributes.CUSTOM_PROP: ' + idAttributes.getValue('CUSTOM_
> PROP'));
> print('ctxAttributes.CUSTOM_PROP: ' + ctxAttributes.getValue('
> CUSTOM_PROP'));
> print('resource.getAttributes: ' + resource.getAttributes);


> $evaluation.grant();
>
> When I use the API end point as follow :
> http://keycloak.dev.local/auth/admin/realms/ngp/groups/myGroup/members/
> It triggers the script and prints the following in wildfly console :
>
> ESC[0mESC[0m15:36:13,000 INFO  [stdout] (default task-3)
> idAttributes.CUSTOM_PROP: null
> ESC[0mESC[0m15:36:13,011 INFO  [stdout] (default task-3)
> ctxAttributes.CUSTOM_PROP: null
> ESC[0mESC[0m15:36:13,011 INFO  [stdout] (default task-3)
> resource.getAttributes: undefined
>
> So my custom attribute is null. And worse, the resource does not even
> seems to have a getAttributes() method at all ?!
> I tripple checked, my user has the custom attribute "CUSTOM_PROP" defined
> with value "test" and my group has attributes as well.
>
> The documentation says the resource I retrieve that way should be an
> instance of org.keycloak.authorization.model.Resource
> which, according to the javadoc, must define a getAttributes() methods.
> However it's ... undefined ?!
>
> The keycloak version I use is 4.0.0.
>
> Can anyone help me find what's wrong with my script ?
>
> Many thanks,
>
>
> Nicolas GILLET
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

More information about the keycloak-user mailing list