Roles
Overview
A role determines whether an operation is allowed. You specify which operations are permitted or denied by giving regex patterns over operation keys. An operation key has the structure api.{operation type}.{object}.{operation name}. Operation keys can be found here.
Requirements
In this example you should use Keycloak as the authorization provider. You can install Keycloak yourself (here you can find more information about it) or you can use the docker compose file with our Keycloak image.
Docker compose with Keycloak
First, go to the download page. Then modify your docker compose file: start by adding the Keycloak image.
Now you need to configure the Onteon Control Center authorization provider to use Keycloak. Configuration parameters can be passed in three ways:
- in the configuration file
- in an environment variable
- as a JVM parameter
In this example the simplest solution is to pass the configuration parameters via environment variables. Modify the onteoncc-master service by adding the environment fields shown below.
onteoncc-master:
  image: onteon/control-center:1.3.3
  ports:
    - "8050:8050"
    - "9096:9096"
    - "27017:27017"
    - "27018:27018"
    - "27019:27019"
  environment:
    ONTEON_MONITORING_ENABLED: "false"
    ONTEON_AUTH_PROVIDER_NAME: "keycloak"
    ONTEON_AUTH_PROVIDER_PARAMS_CONFIGURATIONURL: "http://keycloak:8080/auth/realms/master/.well-known/openid-configuration"
  volumes:
    - '/opt/onteoncc/onteon-control-center/storage'
  command: [ "./start-master.sh" ]
Now you should be ready to start docker compose. Execute docker-compose up.
Then you can use your own OnteonCLI, or you can run docker-compose run --rm onteoncli to start a container with the CLI preinstalled.
Now log in to Onteon Control Center. Execute onteoncli login --cluster-url <cluster-address>. If you are using the CLI from the container, you can execute onteoncli login --cluster-url http://onteoncc-master:8050. Then open the link in your browser, confirm the code and log in with user onteon_admin and password admin. Now you should be ready for the next steps.
Introduction
In this example you will create a role that allows all read operations and all operations on application instances, except action operations. As a result, you need to:
- Allow all read operations: api.read.*
- Allow all operations for application instances: api.*.application_instances.*
- Deny action operations for application instances: api.action.application_instances.*
Role File
A role can be created from a file. Here is the role file for this example:
name: custom_role
allowedOperationsKeyIdPatterns:
  - ^api\.read\..*$
  - ^api\..*\.application_instances\..*$
deniedOperationsKeyIdPatterns:
  - ^api\.action\.application_instances\..*$
name is the name of the role. The name must be unique and cannot be empty.
allowedOperationsKeyIdPatterns is a list of patterns that allow operations. This field is optional.
deniedOperationsKeyIdPatterns is a list of patterns that deny operations. This field is optional.
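To make the allow/deny evaluation concrete, here is an added Python example (not part of Onteon's code base) that applies the patterns from the role file above to operation keys. It assumes that a denied pattern takes precedence over an allowed pattern, which is the behaviour the Test section demonstrates, and the sample operation keys are constructed to follow the documented api.{operation type}.{object}.{operation name} structure rather than taken from Onteon's key list.

```python
import re

# The role from role.yml above, embedded as a dict so the example runs without PyYAML.
CUSTOM_ROLE = {
    "name": "custom_role",
    "allowedOperationsKeyIdPatterns": [
        r"^api\.read\..*$",
        r"^api\..*\.application_instances\..*$",
    ],
    "deniedOperationsKeyIdPatterns": [
        r"^api\.action\.application_instances\..*$",
    ],
}

# Constructed operation keys following api.{operation type}.{object}.{operation name};
# they are illustrative, not taken from Onteon's published key list.
SAMPLE_OPERATIONS = [
    "api.read.node.list",
    "api.action.node.disconnect",
    "api.create.application_instances.create",
    "api.action.application_instances.start",
]


def is_permitted(role: dict, operation_key: str) -> bool:
    """Return True if operation_key is permitted by role.

    Assumption: a key matching any denied pattern is refused even when an
    allowed pattern also matches (deny wins); otherwise the key is permitted
    only if some allowed pattern matches. Both pattern lists are optional,
    so a missing field is treated as an empty list.
    """
    denied = role.get("deniedOperationsKeyIdPatterns") or []
    allowed = role.get("allowedOperationsKeyIdPatterns") or []
    if any(re.fullmatch(p, operation_key) for p in denied):
        return False
    return any(re.fullmatch(p, operation_key) for p in allowed)


def evaluate(role: dict, operation_keys: list) -> dict:
    """Map each operation key to its decision, useful for reviewing a role before creating it."""
    return {key: is_permitted(role, key) for key in operation_keys}


if __name__ == "__main__":
    for key, ok in evaluate(CUSTOM_ROLE, SAMPLE_OPERATIONS).items():
        print(f"{key}: {'permitted' if ok else 'Operation not permitted'}")
```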
Creating role
A role can be created by executing onteoncli role create-from-file <role-file>; then you can list roles by executing onteoncli role list.
$ onteoncli role create-from-file role.yml
id: 616938b5d2bf9e4d1f8a0ef3
createdAT: 2021-10-15T08:15:49.364Z
updatedAt: 2021-10-15T08:15:49.364Z
name: custom_role
allowedOperationsKeyIdPatterns:
0: ^api\\.read\\..*$
1: ^api\\..*\\.application_instances\\..*$
deniedOperationsKeyIdPatterns:
0: ^api\\.action\\.application_instances\\..*$
$ onteoncli role list
id createdAt updatedAt name
616938b5d2bf9e4d1f8a0ef3 2021-10-15T08:15:49.364Z 2021-10-15T08:15:49.364Z custom_role
616924dbd2bf9e4d1f8a0ec4 2021-10-15T06:51:07.19Z 2021-10-15T06:51:07.19Z super_admin
Keycloak
Now you need to create a Keycloak user and assign the new role to that user.
Go to Users and click Add user.
Fill in the form and click Save. Now go to Credentials and set a password.
Go to Clients > onteon (or your custom client) > Roles and click Add Role. The role name needs to match the role name you created in the previous steps. Click Save.
Now go to Users > (your new user) > Role Mappings, and select 'onteon' or your client under 'Client Roles'. Then assign your new role (custom_role) to the user. Next, you need to add two realm roles: offline_access and uma_authorization.
Test
Let's test whether your role works. First, you need to log in as the new user. Execute onteoncli login --cluster-url <cluster-url> and log in as the new user.
Now you can test whether the new role works.
# Read operation
$ onteoncli node list
id createdAt updatedAt ipAddress nodeApiPort zoneId status
82292538e6725c2f2741462d 2021-10-14T10:22:03.826Z 2021-10-14T10:44:00.562Z 172.30.0.3 8030 null available
# Non read operation
$ onteoncli node disconnect 123123
Error occurred while disconnecting node due to: Operation not permitted.
# Application instance operation
$ onteoncli application-instance create 6168135068378c3a666161e5 82292538e6725c2f2741462d
id: 5644f06b4b4539840e70f3db
createdAt: 2021-10-14T11:24:30.951Z
applicationName: fridge
applicationVersion: 1.0.0
applicationId: 6168135068378c3a666161e5
nodeId: 82292538e6725c2f2741462d
status: created
# Application instance action operation
$ onteoncli application-instance start 5644f06b4b4539840e70f3db
Error occurred while starting application instance due to: Operation not permitted.