[keycloak-user] ABAC policy, attributes not avialable

Wed Jul 18 08:28:01 EDT 2018

I run a quick test where I define an attribute to an user in admin console.
Then I used "print" to check for this attribute when accessing members of
the group in the "Users" UI. It worked for me.

I'm probably missing something in order to get the same behavior. If you
could create a JIRA and provide the steps to reproduce the issue (without a
custom SPI), I appreciate.

On Wed, Jul 18, 2018 at 5:50 AM, Nicolas Gillet <
nicolas.gillet at market-ip.com> wrote:

> Hello Pedro,
>
>
>
> To check if my SPI could be the problem, I created a user directly in KC
> admin and disabled my user federation.
>
> In the javascript I print all available attributes like follow :
>
>
>
> identity.getAttributes().toMap().keySet()
>
>
>
> My custom attributes are not there :-/
>
> All the attributes I have are :
>
>
>
> sub, kc.realm.roles, kc.client.account.roles, iss, typ,
> preferred_username, given_name, kc.client.realm-management.roles, aud,
> acr, nbf, azp, auth_time, name, exp, session_state, iat, family_name, jti,
> email
>
>
>
> Could this be a bug or a misconfiguration of keycloak ?
>
>
>
> Regards,
>
>
>
> Nicolas.
>
>
>
>
>
> *De :* Pedro Igor Silva <psilva at redhat.com>
> *Envoyé :* mardi 17 juillet 2018 17:39
>
> *À :* Nicolas Gillet <nicolas.gillet at market-ip.com>
> *Cc :* keycloak-user at lists.jboss.org
> *Objet :* Re: [keycloak-user] ABAC policy, attributes not avialable
>
>
>
>
>
>
>
> On Tue, Jul 17, 2018 at 12:32 PM, Nicolas Gillet <
> nicolas.gillet at market-ip.com> wrote:
>
> Hello Pedro,
>
>
>
> Thank you for your quick reply,
>
>
>
> For the user’s attributes, I have access to ‘general’ attributes like
> email, but not the ‘custom’ one. (My users are loaded from an home-made
> SPI, if that’s relevant)
>
> Any hint how I can debug why my other user’s attributes that are not there
> ?
>
>
>
> Hard to say, but I can tell you how it works. When evaluating permissions,
> the "identity" is basically an wrapper to the "user model". So, when you
> call "identity.getAttributes" you are basically accessing the attributes
> defined to the user. Maybe your implementation of the SPI is not setting
> the attributes correctly ?
>
>
>
>
>
> For the group, can you think of a workaround so that I can base my access
> decision on the group ?
>
>
>
> Are the limitations for javascript only ? Maybe writing a drool rule would
> do ?
>
>
>
> For this one we need to change how we pass the "resource" instance to
> policies. One solution would be to pass a wrapper to the group (just like
> we do for identity/usermodel) so you can have access to the attributes.
>
>
>
>
>
> Many thanks,
>
>
>
> Nicolas.
>
>
>
> *De :* Pedro Igor Silva <psilva at redhat.com>
> *Envoyé :* mardi 17 juillet 2018 17:06
> *À :* Nicolas Gillet <nicolas.gillet at market-ip.com>
> *Cc :* keycloak-user at lists.jboss.org
> *Objet :* Re: [keycloak-user] ABAC policy, attributes not avialable
>
>
>
> You should be able to obtain any attribute defined to the user.
>
>
>
> But regarding group attributes from the resource instance, it won't work
> because this functionality is not exposing group's attributes via the
> resource instance.
>
>
>
> There are other things we need to improve in this functionality of
> fine-grained permissions to admin console. There are a few things missing
> or too complicated to be done ...
>
>
>
> On Tue, Jul 17, 2018 at 11:08 AM, Nicolas Gillet <
> nicolas.gillet at market-ip.com> wrote:
>
> Hello
>
> I am trying to write a javascript Attribute Based Access Control (ABAC)
> policy.
> I want to control the access to group resource using the authenticated
> user's attributes and the attributes configured on the group.
> So I configured the policy via Groups > myGroup > permissions >
> view-members and select my javascript policy.
>
> Problem: in the script, neither my identity nor my group attributes are
> available.
> Here is my script:
>
> var context = $evaluation.getContext();
> var resourcePermission = $evaluation.getPermission();
> var identity = context.getIdentity();
> var idAttributes = identity.getAttributes();
> var ctxAttributes = context.getAttributes();
> var resource = resourcePermission.getResource();
>
> print('idAttributes.CUSTOM_PROP: ' + idAttributes.getValue('CUSTOM_
> PROP'));
> print('ctxAttributes.CUSTOM_PROP: ' + ctxAttributes.getValue('
> CUSTOM_PROP'));
> print('resource.getAttributes: ' + resource.getAttributes);
>
>
> $evaluation.grant();
>
> When I use the API end point as follow :
> http://keycloak.dev.local/auth/admin/realms/ngp/groups/myGroup/members/
> It triggers the script and prints the following in wildfly console :
>
> ESC[0mESC[0m15:36:13,000 INFO  [stdout] (default task-3)
> idAttributes.CUSTOM_PROP: null
> ESC[0mESC[0m15:36:13,011 INFO  [stdout] (default task-3)
> ctxAttributes.CUSTOM_PROP: null
> ESC[0mESC[0m15:36:13,011 INFO  [stdout] (default task-3)
> resource.getAttributes: undefined
>
> So my custom attribute is null. And worse, the resource does not even
> seems to have a getAttributes() method at all ?!
> I tripple checked, my user has the custom attribute "CUSTOM_PROP" defined
> with value "test" and my group has attributes as well.
>
> The documentation says the resource I retrieve that way should be an
> instance of org.keycloak.authorization.model.Resource
> which, according to the javadoc, must define a getAttributes() methods.
> However it's ... undefined ?!
>
> The keycloak version I use is 4.0.0.
>
> Can anyone help me find what's wrong with my script ?
>
> Many thanks,
>
>
> Nicolas GILLET
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
>
>