[keycloak-user] ABAC policy, attributes not avialable

Nicolas Gillet nicolas.gillet at market-ip.com
Tue Jul 17 11:32:00 EDT 2018


Hello Pedro,

Thank you for your quick reply,

For the user’s attributes, I have access to ‘general’ attributes like email, but not the ‘custom’ one. (My users are loaded from an home-made SPI, if that’s relevant)
Any hint how I can debug why my other user’s attributes that are not there ?

For the group, can you think of a workaround so that I can base my access decision on the group ?

Are the limitations for javascript only ? Maybe writing a drool rule would do ?

Many thanks,

Nicolas.

De : Pedro Igor Silva <psilva at redhat.com>
Envoyé : mardi 17 juillet 2018 17:06
À : Nicolas Gillet <nicolas.gillet at market-ip.com>
Cc : keycloak-user at lists.jboss.org
Objet : Re: [keycloak-user] ABAC policy, attributes not avialable

You should be able to obtain any attribute defined to the user.

But regarding group attributes from the resource instance, it won't work because this functionality is not exposing group's attributes via the resource instance.

There are other things we need to improve in this functionality of fine-grained permissions to admin console. There are a few things missing or too complicated to be done ...

On Tue, Jul 17, 2018 at 11:08 AM, Nicolas Gillet <nicolas.gillet at market-ip.com<mailto:nicolas.gillet at market-ip.com>> wrote:
Hello

I am trying to write a javascript Attribute Based Access Control (ABAC) policy.
I want to control the access to group resource using the authenticated user's attributes and the attributes configured on the group.
So I configured the policy via Groups > myGroup > permissions > view-members and select my javascript policy.

Problem: in the script, neither my identity nor my group attributes are available.
Here is my script:

var context = $evaluation.getContext();
var resourcePermission = $evaluation.getPermission();
var identity = context.getIdentity();
var idAttributes = identity.getAttributes();
var ctxAttributes = context.getAttributes();
var resource = resourcePermission.getResource();

print('idAttributes.CUSTOM_PROP: ' + idAttributes.getValue('CUSTOM_PROP'));
print('ctxAttributes.CUSTOM_PROP: ' + ctxAttributes.getValue('CUSTOM_PROP'));
print('resource.getAttributes: ' + resource.getAttributes);

$evaluation.grant();

When I use the API end point as follow :
http://keycloak.dev.local/auth/admin/realms/ngp/groups/myGroup/members/
It triggers the script and prints the following in wildfly console :

ESC[0mESC[0m15:36:13,000 INFO  [stdout] (default task-3) idAttributes.CUSTOM_PROP: null
ESC[0mESC[0m15:36:13,011 INFO  [stdout] (default task-3) ctxAttributes.CUSTOM_PROP: null
ESC[0mESC[0m15:36:13,011 INFO  [stdout] (default task-3) resource.getAttributes: undefined

So my custom attribute is null. And worse, the resource does not even seems to have a getAttributes() method at all ?!
I tripple checked, my user has the custom attribute "CUSTOM_PROP" defined with value "test" and my group has attributes as well.

The documentation says the resource I retrieve that way should be an instance of org.keycloak.authorization.model.Resource
which, according to the javadoc, must define a getAttributes() methods. However it's ... undefined ?!

The keycloak version I use is 4.0.0.

Can anyone help me find what's wrong with my script ?

Many thanks,


Nicolas GILLET
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user



More information about the keycloak-user mailing list