[keycloak-user] Policy Enforcer: enforcement-mode=ENFORCING question
Pedro Igor Silva
psilva at redhat.com
Mon Feb 4 07:32:56 EST 2019
The main point here is that you are granted a permission without any
scope:
2019-02-04 12:29:12.698 DEBUG 5364 --- [nio-8085-exec-4]
o.k.a.a.AbstractPolicyEnforcer : Authorization GRANTED for path
[PathConfig{name='Documents', type='null', path='/documents/{id}',
scopes=[], id='b14999a7-0853-4063-8fe6-c0469a975846',
enforcerMode='ENFORCING'}]. Permissions [[Permission
{id=b14999a7-0853-4063-8fe6-c0469a975846, name=Documents, scopes=[]}]].
The policy enforcer understands that "no scopes" means access to the
resource itself and that explains why you are able to access that protected
resource.
The reason you are granted a permission with no scopes is that the
policy engine checks whether or not the permission (regardless of whether it
is scope- or resource-based) is associated with a resource. If so, access to
the resource is granted.
You can try removing the resource from the "List Documents" permission and
leaving only the "list" scope.
Another option is to define a scope-based permission for each scope.
Lastly, I'm wondering if we should only grant access to a resource if the
permission is actually a resource-based permission. Then none of the steps
above would be necessary and your configuration would work as expected.
WDYT?
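The two-step decision described above (server-side permission evaluation, then the enforcer's reading of an empty scope list), as an added model that is not part of this thread or of Keycloak's code; `PermissionDef`, `evaluate`, `enforce`, `decide` and the `resource_based_only` switch are constructed names, and every permission is assumed to apply a granting policy like the thread's "Default Policy":

```python
"""Model of the two-step decision discussed in the thread (added illustration,
not Keycloak's code). Server side, permission definitions are evaluated into
granted permissions (resource + scopes); then the policy enforcer checks those
grants against the path. Modelled facts from Pedro Igor's reply: a definition
associated with a resource yields a grant on that resource even when the
requested scope is not in its scope list (the grant then carries scopes=[]),
and the enforcer reads scopes=[] as access to the whole resource. The
`resource_based_only` flag is a constructed switch for the alternative
behaviour he floats at the end of his reply.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class PermissionDef:
    name: str
    resource_based: bool   # Keycloak "resource" vs "scope" permission type
    resources: frozenset   # resource names the permission is attached to
    scopes: frozenset      # scopes it is attached to (scope-based only)

# Constructed data: the "Documents" resource and its scopes from the thread.
RESOURCE_SCOPES = {"Documents": frozenset({"view", "update", "delete", "create", "list"})}

def evaluate(resource, requested, defs, resource_based_only=False):
    """Server side. Returns the granted scopes, frozenset() for 'the resource
    itself' (scopes=[] in the log), or None when nothing is granted. Every
    definition is assumed to apply a granting policy ("Default Policy")."""
    granted, resource_level = set(), False
    for d in defs:
        attached = not d.resources or resource in d.resources
        if attached and d.scopes & requested and d.scopes <= RESOURCE_SCOPES[resource]:
            granted |= d.scopes & requested            # ordinary scope match
        elif resource in d.resources and (d.resource_based or not resource_based_only):
            resource_level = True                      # associated with the resource
    if granted:
        return frozenset(granted)
    return frozenset() if resource_level else None

def enforce(required, granted):
    """Policy enforcer: None -> denied; scopes=[] -> whole resource granted."""
    if granted is None:
        return False
    return not granted or required <= granted

def decide(required, defs, resource_based_only=False):
    """End-to-end decision for one request on the Documents resource."""
    return enforce(required, evaluate("Documents", required, defs, resource_based_only))

# The thread's "List Documents" permission as posted (resource + list scope)...
AS_POSTED = (PermissionDef("List Documents", False, frozenset({"Documents"}), frozenset({"list"})),)
# ...and with the resource removed, as suggested above.
RESOURCE_REMOVED = (PermissionDef("List Documents", False, frozenset(), frozenset({"list"})),)
```

With `AS_POSTED`, a request for `create` is granted at resource level (the `scopes=[]` grant in the log); with `RESOURCE_REMOVED`, only `list` passes and `create` is denied.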
On Mon, Feb 4, 2019 at 7:54 AM Alexey Titorenko <titorenko at dtg.technology>
wrote:
> Hello guys!
>
> Could someone help me with this?
>
> I’m playing with policy enforcers in a test Spring Boot application, trying
> to find out how to apply them to our cases. I’m trying to investigate how
> ‘ENFORCING’ mode works with scope-based permissions.
>
> My intuitive understanding of this:
> if a resource does not have any permissions defined on it, then access is
> denied for any scope requested.
> if a resource has some permissions, then access to scopes not covered by
> any existing permission is always denied.
>
> What I see in reality:
> the first case works fine. Access to my service is denied if no permissions
> are defined on it.
> if the resource has a permission controlling access to one scope, then
> access to the other scopes is always GRANTED.
>
> In particular, I’ve created a demo REST document storage service, which
> defines CRUD operations, plus one ‘list’ operation to get the list of documents
> for an entity. All these operations are covered by a corresponding scope
> (create, view, update, delete, list). After that:
> If I have no permissions defined for this service, then no access is
> granted whatever scope I request.
> If I define a scope-based permission, let’s say, controlling access to the
> ‘list’ scope on the resource, then access is automatically granted to
> requests for all CRUD operations, for example the ‘create’ operation.
>
> Is this how it is intended to work or not? My expectation is that
> everything should be denied (every scope) until explicitly allowed by some
> permission.
>
> Below are the debug log messages that might be of some interest, my policy
> enforcer config, and some screenshots.
>
> The first log entry corresponds to the ‘create’ operation with the ‘create’
> scope and the other one to the ‘list’ operation.
>
> Thank you,
> Alexey.
>
> From Logs:
> 2019-02-04 12:29:12.698 DEBUG 5364 --- [nio-8085-exec-4]
> o.k.a.a.AbstractPolicyEnforcer : Authorization GRANTED for path
> [PathConfig{name='Documents', type='null', path='/documents/{id}',
> scopes=[], id='b14999a7-0853-4063-8fe6-c0469a975846',
> enforcerMode='ENFORCING'}]. Permissions [[Permission
> {id=b14999a7-0853-4063-8fe6-c0469a975846, name=Documents, scopes=[]}]].
>
> 2019-02-04 12:29:11.846 DEBUG 5364 --- [nio-8085-exec-3]
> o.k.a.a.AbstractPolicyEnforcer : Authorization GRANTED for path
> [PathConfig{name='Documents', type='null', path='/documents/', scopes=[],
> id='b14999a7-0853-4063-8fe6-c0469a975846', enforcerMode='ENFORCING'}].
> Permissions [[Permission {id=b14999a7-0853-4063-8fe6-c0469a975846,
> name=Documents, scopes=[list]}]].
>
>
> Config
> svc.name=docs-uma
> server.port = 8085
> keycloak.realm=DemoApp
> keycloak.auth-server-url=http://localhost:8180/auth
> keycloak.ssl-required=external
> keycloak.resource=docs-svc-uma
> keycloak.cors=true
> keycloak.use-resource-role-mappings=true
> keycloak.verify-token-audience=false
> keycloak.credentials.secret=0e55734e-aadc-4268-8757-b5dca453980a
> keycloak.confidential-port=0
> keycloak.bearer-only=true
>
> keycloak.securityConstraints[0].securityCollections[0].name = secured operation
> keycloak.securityConstraints[0].authRoles[0] = user
> keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /documents
> keycloak.securityConstraints[0].securityCollections[0].patterns[1] = /documents/*
>
> keycloak.securityConstraints[1].securityCollections[0].name = admin operation
> keycloak.securityConstraints[1].authRoles[0] = admin
> keycloak.securityConstraints[1].securityCollections[0].patterns[0] = /admin
> keycloak.securityConstraints[1].securityCollections[0].patterns[1] = /admin/
>
> logging.level.org.keycloak=DEBUG
>
> logging.level.dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip=DEBUG
>
> # policy enforcer
> keycloak.policy-enforcer-config.enforcement-mode=ENFORCING
> keycloak.policy-enforcer-config.lazy-load-paths=true
> keycloak.policy-enforcer-config.on-deny-redirect-to=/public
>
> keycloak.policy-enforcer-config.paths[0].name=Public Resources
> keycloak.policy-enforcer-config.paths[0].path=/*
>
> keycloak.policy-enforcer-config.paths[1].name=Admin Resources
> keycloak.policy-enforcer-config.paths[1].path=/admin/*
>
> keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.claims[some-claim]={request.uri}
>
> keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.claims[claims-from-document]={request.uri}
>
> keycloak.policy-enforcer-config.paths[2].name=Documents
> keycloak.policy-enforcer-config.paths[2].path=/documents/
> keycloak.policy-enforcer-config.paths[2].methods[0].method=POST
> keycloak.policy-enforcer-config.paths[2].methods[0].scopes[0]=create
> keycloak.policy-enforcer-config.paths[2].methods[1].method=GET
> keycloak.policy-enforcer-config.paths[2].methods[1].scopes[0]=list
> keycloak.policy-enforcer-config.paths[3].name=Documents
> keycloak.policy-enforcer-config.paths[3].path=/documents/{id}
> keycloak.policy-enforcer-config.paths[3].methods[0].method=GET
> keycloak.policy-enforcer-config.paths[3].methods[0].scopes[0]=get
> keycloak.policy-enforcer-config.paths[3].methods[1].method=POST
> keycloak.policy-enforcer-config.paths[3].methods[1].scopes[0]=update
> keycloak.policy-enforcer-config.paths[3].methods[2].method=DELETE
> keycloak.policy-enforcer-config.paths[3].methods[2].scopes[0]=delete
>
> Client authorisation config:
> {
> "allowRemoteResourceManagement": true,
> "policyEnforcementMode": "ENFORCING",
> "resources": [
> {
> "name": "Admin Resources",
> "type": "urn:docs-svc-uma:resources:admin",
> "ownerManagedAccess": false,
> "attributes": {},
> "_id": "0ca1b086-c3d1-47eb-8fa6-3bb699af8791",
> "uris": [
> "/admin/*",
> "/admin"
> ],
> "icon_uri": ""
> },
> {
> "name": "Documents",
> "type": "urn:docs-svc-uma:resources:documents",
> "ownerManagedAccess": false,
> "attributes": {},
> "_id": "b14999a7-0853-4063-8fe6-c0469a975846",
> "uris": [
> "/documents/{id}",
> "/documents/"
> ],
> "scopes": [
> {
> "name": "view"
> },
> {
> "name": "update"
> },
> {
> "name": "delete"
> },
> {
> "name": "create"
> },
> {
> "name": "list"
> }
> ]
> }
> ],
> "policies": [
> {
> "id": "72f8ced8-8b2f-41f3-be41-c371e5d66788",
> "name": "Default Policy",
> "description": "A policy that grants access only for users within this realm",
> "type": "js",
> "logic": "POSITIVE",
> "decisionStrategy": "AFFIRMATIVE",
> "config": {
> "code": "// by default, grants any permission associated with this policy\n$evaluation.grant();\n"
> }
> },
> {
> "id": "b786a8bb-3705-4df6-86cd-c041065d3703",
> "name": "Never",
> "type": "js",
> "logic": "POSITIVE",
> "decisionStrategy": "UNANIMOUS",
> "config": {
> "code": "$evaluation.deny();"
> }
> },
> {
> "id": "6ca70fa3-907b-4368-97cb-3aadc1b6d5db",
> "name": "List Documents",
> "type": "scope",
> "logic": "POSITIVE",
> "decisionStrategy": "UNANIMOUS",
> "config": {
> "resources": "[\"Documents\"]",
> "scopes": "[\"list\"]",
> "applyPolicies": "[\"Default Policy\"]"
> }
> }
> ],
> "scopes": [
> {
> "id": "be6a7101-f5a3-4b9f-a6be-349e167e89ae",
> "name": "create"
> },
> {
> "id": "ba3a7575-db45-407b-b74a-4e8b1fc461c2",
> "name": "delete"
> },
> {
> "id": "e749c197-b70a-4ccd-a719-1c9ef40b6050",
> "name": "update"
> },
> {
> "id": "d72a9d39-3750-41c4-954f-0db7853cb964",
> "name": "list"
> },
> {
> "id": "6ee46777-a0ee-492a-bb4e-ef8aaeb8f402",
> "name": "view",
> "iconUri": ""
> }
> ]
> }
>