[keycloak-user] Policy Enforcer: enforcement-mode=ENFORCING question

Pedro Igor Silva psilva at redhat.com
Mon Feb 4 07:41:00 EST 2019


Or just leave "list" and remove the resource from your permission ....

I agree with you, will open a JIRA to make this more intuitive.

Tks


On Mon, Feb 4, 2019 at 10:39 AM Alexey Titorenko <titorenko at dtg.technology>
wrote:

> Hi Pedro.
>
> Ok, I understand. In my opinion it is a bit unintuitive and dangerous,
> as a scope-based permission opens access to the whole resource. Yes, if I
> specify permissions for all scopes, then it works fine.
>
> Thank you!
>
> Alexey
>
>
> On 4 Feb 2019, at 15:32, Pedro Igor Silva <psilva at redhat.com> wrote:
>
> The main point here is that you are granted with a permission without any
> scope:
>
> 2019-02-04 12:29:12.698 DEBUG 5364 --- [nio-8085-exec-4]
> o.k.a.a.AbstractPolicyEnforcer           : Authorization GRANTED for path
> [PathConfig{name='Documents', type='null', path='/documents/{id}',
> scopes=[], id='b14999a7-0853-4063-8fe6-c0469a975846',
> enforcerMode='ENFORCING'}]. Permissions [[Permission
> {id=b14999a7-0853-4063-8fe6-c0469a975846, name=Documents, scopes=[]}]].
>
> The policy enforcer understands that "no scopes" means access to the
> resource itself and that explains why you are able to access that protected
> resource.
>
> The reason why you are granted with permission with no scopes is that the
> policy engine checks whether or not the permission (regardless if scope or
> resource based) is associated with a resource. If so, access to the
> resource is granted.
>
> You can try removing the resource from "List Documents" permission and
> leave only the "list" scope.
>
> Another option is to define a scope-based permission for each scope.
>
> Lastly, I'm wondering if we should only grant access to a resource if
> the permission is actually a resource-based permission. That way none
> of the steps above would be necessary and your configuration would work as
> expected.
>
> Wdyt ?
>
>
> On Mon, Feb 4, 2019 at 7:54 AM Alexey Titorenko <titorenko at dtg.technology>
> wrote:
>
>> Hello guys!
>>
>> Could someone help me with this?
>>
>> I’m playing with policy enforcers in a test Spring Boot application, trying
>> to find out how to apply them to our cases. I’m trying to investigate how
>> ‘ENFORCING’ mode works with scope-based permissions.
>>
>> My intuitive understanding of this:
>> if a resource does not have any permissions defined on it, then access is
>> denied for any scope requested.
>> if a resource has some permissions, then access to scopes not covered by
>> any existing permission is always denied.
>>
>> What I see in reality:
>> the first case works fine. Access to my service is denied if no permissions
>> are defined on it.
>> if the resource has a permission controlling access to one scope, then
>> access to the other scopes is always GRANTED.
>>
>> In particular, I’ve created a demo REST document storage service, which
>> defines CRUD operations, plus one ‘list’ operation to get the list of documents
>> for an entity. All these operations are covered by a corresponding scope
>> (create, view, update, delete, list). After that:
>> If I have no permissions defined for this service, then no access is
>> granted whatever scope I request.
>> If I define a scope-based permission, let’s say, controlling access to the
>> ‘list’ scope on the resource, then access is automatically granted to
>> requests for all CRUD operations, for example, for the ‘create’ operation.
>>
>> Is this how it is intended to work or not? My expectation is that
>> everything should be denied (every scope) until explicitly allowed by some
>> permission.
>>
>> Below are debug log messages that might be of some interest, my policy
>> enforcer config, and some screenshots.
>>
>> The first log entry corresponds to ‘create’ operation with ‘create’ scope
>> and the other one — to ‘list’ operation.
>>
>> Thank you,
>> Alexey.
>>
>> From Logs:
>> 2019-02-04 12:29:12.698 DEBUG 5364 --- [nio-8085-exec-4]
>> o.k.a.a.AbstractPolicyEnforcer           : Authorization GRANTED for path
>> [PathConfig{name='Documents', type='null', path='/documents/{id}',
>> scopes=[], id='b14999a7-0853-4063-8fe6-c0469a975846',
>> enforcerMode='ENFORCING'}]. Permissions [[Permission
>> {id=b14999a7-0853-4063-8fe6-c0469a975846, name=Documents, scopes=[]}]].
>>
>> 2019-02-04 12:29:11.846 DEBUG 5364 --- [nio-8085-exec-3]
>> o.k.a.a.AbstractPolicyEnforcer           : Authorization GRANTED for path
>> [PathConfig{name='Documents', type='null', path='/documents/', scopes=[],
>> id='b14999a7-0853-4063-8fe6-c0469a975846', enforcerMode='ENFORCING'}].
>> Permissions [[Permission {id=b14999a7-0853-4063-8fe6-c0469a975846,
>> name=Documents, scopes=[list]}]].
>>
>>
>> Config
>> svc.name=docs-uma
>> server.port = 8085
>> keycloak.realm=DemoApp
>> keycloak.auth-server-url=http://localhost:8180/auth
>> keycloak.ssl-required=external
>> keycloak.resource=docs-svc-uma
>> keycloak.cors=true
>> keycloak.use-resource-role-mappings=true
>> keycloak.verify-token-audience=false
>> keycloak.credentials.secret=0e55734e-aadc-4268-8757-b5dca453980a
>> keycloak.confidential-port=0
>> keycloak.bearer-only=true
>>
>> keycloak.securityConstraints[0].securityCollections[0].name = secured operation
>> keycloak.securityConstraints[0].authRoles[0] = user
>> keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /documents
>> keycloak.securityConstraints[0].securityCollections[0].patterns[1] = /documents/*
>>
>> keycloak.securityConstraints[1].securityCollections[0].name = admin operation
>> keycloak.securityConstraints[1].authRoles[0] = admin
>> keycloak.securityConstraints[1].securityCollections[0].patterns[0] = /admin
>> keycloak.securityConstraints[1].securityCollections[0].patterns[1] = /admin/
>>
>> logging.level.org.keycloak=DEBUG
>>
>> logging.level.dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip=DEBUG
>>
>> # policy enforcer
>> keycloak.policy-enforcer-config.enforcement-mode=ENFORCING
>> keycloak.policy-enforcer-config.lazy-load-paths=true
>> keycloak.policy-enforcer-config.on-deny-redirect-to=/public
>>
>> keycloak.policy-enforcer-config.paths[0].name=Public Resources
>> keycloak.policy-enforcer-config.paths[0].path=/*
>>
>> keycloak.policy-enforcer-config.paths[1].name=Admin Resources
>> keycloak.policy-enforcer-config.paths[1].path=/admin/*
>>
>> keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.claims[some-claim]={request.uri}
>>
>> keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.claims[claims-from-document]={request.uri}
>>
>> keycloak.policy-enforcer-config.paths[2].name=Documents
>> keycloak.policy-enforcer-config.paths[2].path=/documents/
>> keycloak.policy-enforcer-config.paths[2].methods[0].method=POST
>> keycloak.policy-enforcer-config.paths[2].methods[0].scopes[0]=create
>> keycloak.policy-enforcer-config.paths[2].methods[1].method=GET
>> keycloak.policy-enforcer-config.paths[2].methods[1].scopes[0]=list
>> keycloak.policy-enforcer-config.paths[3].name=Documents
>> keycloak.policy-enforcer-config.paths[3].path=/documents/{id}
>> keycloak.policy-enforcer-config.paths[3].methods[0].method=GET
>> keycloak.policy-enforcer-config.paths[3].methods[0].scopes[0]=get
>> keycloak.policy-enforcer-config.paths[3].methods[1].method=POST
>> keycloak.policy-enforcer-config.paths[3].methods[1].scopes[0]=update
>> keycloak.policy-enforcer-config.paths[3].methods[2].method=DELETE
>> keycloak.policy-enforcer-config.paths[3].methods[2].scopes[0]=delete
>>
>> Client authorisation config:
>> {
>>   "allowRemoteResourceManagement": true,
>>   "policyEnforcementMode": "ENFORCING",
>>   "resources": [
>>     {
>>       "name": "Admin Resources",
>>       "type": "urn:docs-svc-uma:resources:admin",
>>       "ownerManagedAccess": false,
>>       "attributes": {},
>>       "_id": "0ca1b086-c3d1-47eb-8fa6-3bb699af8791",
>>       "uris": [
>>         "/admin/*",
>>         "/admin"
>>       ],
>>       "icon_uri": ""
>>     },
>>     {
>>       "name": "Documents",
>>       "type": "urn:docs-svc-uma:resources:documents",
>>       "ownerManagedAccess": false,
>>       "attributes": {},
>>       "_id": "b14999a7-0853-4063-8fe6-c0469a975846",
>>       "uris": [
>>         "/documents/{id}",
>>         "/documents/"
>>       ],
>>       "scopes": [
>>         {
>>           "name": "view"
>>         },
>>         {
>>           "name": "update"
>>         },
>>         {
>>           "name": "delete"
>>         },
>>         {
>>           "name": "create"
>>         },
>>         {
>>           "name": "list"
>>         }
>>       ]
>>     }
>>   ],
>>   "policies": [
>>     {
>>       "id": "72f8ced8-8b2f-41f3-be41-c371e5d66788",
>>       "name": "Default Policy",
>>       "description": "A policy that grants access only for users within
>> this realm",
>>       "type": "js",
>>       "logic": "POSITIVE",
>>       "decisionStrategy": "AFFIRMATIVE",
>>       "config": {
>>         "code": "// by default, grants any permission associated with
>> this policy\n$evaluation.grant();\n"
>>       }
>>     },
>>     {
>>       "id": "b786a8bb-3705-4df6-86cd-c041065d3703",
>>       "name": "Never",
>>       "type": "js",
>>       "logic": "POSITIVE",
>>       "decisionStrategy": "UNANIMOUS",
>>       "config": {
>>         "code": "$evaluation.deny();"
>>       }
>>     },
>>     {
>>       "id": "6ca70fa3-907b-4368-97cb-3aadc1b6d5db",
>>       "name": "List Documents",
>>       "type": "scope",
>>       "logic": "POSITIVE",
>>       "decisionStrategy": "UNANIMOUS",
>>       "config": {
>>         "resources": "[\"Documents\"]",
>>         "scopes": "[\"list\"]",
>>         "applyPolicies": "[\"Default Policy\"]"
>>       }
>>     }
>>   ],
>>   "scopes": [
>>     {
>>       "id": "be6a7101-f5a3-4b9f-a6be-349e167e89ae",
>>       "name": "create"
>>     },
>>     {
>>       "id": "ba3a7575-db45-407b-b74a-4e8b1fc461c2",
>>       "name": "delete"
>>     },
>>     {
>>       "id": "e749c197-b70a-4ccd-a719-1c9ef40b6050",
>>       "name": "update"
>>     },
>>     {
>>       "id": "d72a9d39-3750-41c4-954f-0db7853cb964",
>>       "name": "list"
>>     },
>>     {
>>       "id": "6ee46777-a0ee-492a-bb4e-ef8aaeb8f402",
>>       "name": "view",
>>       "iconUri": ""
>>     }
>>   ]
>> }
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
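The decision logic discussed above, as an added worked example that is not part of the thread and not Keycloak's own code: a small Python model of the server-side permission evaluation and the policy enforcer check, reduced to exactly what Pedro describes. It reproduces the two log outcomes (a scope-based permission that names the "Documents" resource yields a permission with no scopes, which the enforcer reads as access to the whole resource), Pedro's first remedy (drop the resource from the scope permission), and his proposed engine change (only resource-based permissions grant the resource itself). The class names, the `strict_resource_grant` switch and the `granted_by_policies` field are this example's own assumptions; the resource id is the one from the log. Keycloak's real evaluation has more inputs (decision strategies, scope enforcement modes) that this model leaves out.

```python
"""Toy model of the permission/enforcer interaction described in the thread.

Added example, not Keycloak code. It covers only the behaviour the thread
states: a permission associated with a resource grants the resource itself
(scopes=[] in the log), and the enforcer treats "no scopes" as full access.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

# Resource name -> id, copied from the thread's client authorisation config.
RESOURCES = {"Documents": "b14999a7-0853-4063-8fe6-c0469a975846"}


@dataclass(frozen=True)
class PermissionDef:
    """A permission as configured on the server (a "policies" entry of type scope/resource)."""
    name: str
    kind: str                          # "scope" or "resource"
    scopes: FrozenSet[str]             # scopes named by a scope-based permission
    resources: FrozenSet[str]          # resource names it is associated with (may be empty)
    granted_by_policies: bool = True   # outcome of applyPolicies: Default Policy -> True, Never -> False


@dataclass(frozen=True)
class GrantedPermission:
    """What the server returns and the log prints: Permission {id=..., scopes=[...]}."""
    resource_id: str
    scopes: FrozenSet[str]


def evaluate(defs: Iterable[PermissionDef], resource_name: str,
             requested_scopes: FrozenSet[str],
             strict_resource_grant: bool = False) -> Optional[GrantedPermission]:
    """Server side, as the thread describes it.

    Any permission associated with the requested resource grants the resource
    itself (a GrantedPermission with no scopes) even when the requested scope is
    not among its scopes. With strict_resource_grant=True (Pedro's proposal)
    only resource-based permissions do that; scope-based ones grant scopes only.
    """
    rsid = RESOURCES[resource_name]
    granted_scopes = set()
    resource_grant = False
    for d in defs:
        if not d.granted_by_policies:
            continue                            # its policies said deny
        associated = resource_name in d.resources
        if d.resources and not associated:
            continue                            # permission is about another resource
        if associated and (d.kind == "resource" or not strict_resource_grant):
            resource_grant = True
        granted_scopes |= d.scopes & requested_scopes
    if granted_scopes:
        return GrantedPermission(rsid, frozenset(granted_scopes))   # e.g. scopes=[list]
    if resource_grant:
        return GrantedPermission(rsid, frozenset())                 # scopes=[] in the log
    return None


def enforce(required_scopes: Iterable[str], permission: Optional[GrantedPermission]) -> str:
    """Enforcer side: a permission with no scopes means access to the resource itself."""
    if permission is None:
        return "DENIED"
    if not permission.scopes:
        return "GRANTED"
    return "GRANTED" if set(required_scopes) <= permission.scopes else "DENIED"


def decide(defs: List[PermissionDef], resource_name: str,
           required_scopes: Iterable[str], strict: bool = False) -> str:
    """End to end: PathConfig method scopes -> server evaluation -> enforcer decision."""
    required = frozenset(required_scopes)
    return enforce(required, evaluate(defs, resource_name, required, strict))


# The thread's configuration: scope permission "List Documents" naming both the
# Documents resource and the "list" scope.
AS_CONFIGURED = [PermissionDef("List Documents", "scope", frozenset({"list"}), frozenset({"Documents"}))]
# Pedro's first remedy: the same permission with the resource removed.
SCOPE_ONLY = [PermissionDef("List Documents", "scope", frozenset({"list"}), frozenset())]

if __name__ == "__main__":
    for label, defs in (("as configured", AS_CONFIGURED), ("scope only", SCOPE_ONLY)):
        for method, scopes in (("GET /documents/", {"list"}), ("POST /documents/", {"create"})):
            print(f"{label:14} {method:17} -> {decide(defs, 'Documents', scopes)}")
    print("as configured, strict engine, POST /documents/ ->",
          decide(AS_CONFIGURED, "Documents", {"create"}, strict=True))
```

Running it prints GRANTED for both methods with the configuration as posted (the surprising result in the log), DENIED for POST once the resource is removed from the scope permission, and DENIED for POST under the stricter engine rule with the original configuration; the "list" request stays GRANTED in every variant.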

