Authorization
Authorization with Access Control List
Casbin is a powerful and efficient open-source access control library, and proxy-auth uses its Access Control List (ACL) model to authorize API access based on the user's group (role).
The default allow-and-deny model is defined in /res/model.conf:
[request_definition]
r = sub, obj, act
[policy_definition]
p = sub, obj, act, eft
[policy_effect]
e = some(where (p.eft == allow)) && !some(where (p.eft == deny))
[matchers]
m = r.sub == p.sub && keyMatch(r.obj, p.obj) && regexMatch(r.act, p.act)
The default policy is defined in /res/policy.csv:
p, gateway-group, *, (GET)|(POST)|(PUT)|(PATCH)|(DELETE), allow
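To show how the model above turns a request into an allow or deny decision, here is an added Python example (not part of proxy-auth or Casbin) that re-implements the matcher and the allow-and-deny policy effect over a constructed policy.csv: the default gateway-group rule, a group1 rule in the same shape as the one used in the Role Policy API section below, and an extra deny row to show that a matching deny overrides a matching allow.

```python
import csv
import io
import re

# Constructed policy in the /res/policy.csv format (not the project's real file).
POLICY_CSV = """\
p, gateway-group, *, (GET)|(POST)|(PUT)|(PATCH)|(DELETE), allow
p, group1, /core-data/api/v2/*, (GET), allow
p, group1, /core-data/api/v2/event, (GET), deny
"""


def key_match(key1, key2):
    """Casbin keyMatch: a '*' in the policy object matches any remainder of the request path."""
    i = key2.find("*")
    if i == -1:
        return key1 == key2
    if len(key1) > i:
        return key1[:i] == key2[:i]
    return key1 == key2[:i]


def regex_match(key1, key2):
    """Casbin regexMatch: an unanchored regular-expression search of the policy pattern
    against the request value (HTTP methods are single tokens, so (GET) only matches GET)."""
    return re.search(key2, key1) is not None


def load_policy(text):
    """Parse 'p, sub, obj, act, eft' rows into (sub, obj, act, eft) tuples."""
    rules = []
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if row and row[0] == "p":
            _, sub, obj, act, eft = row
            rules.append((sub, obj, act, eft))
    return rules


def enforce(rules, sub, obj, act):
    """Apply the page's matcher and effect:
    m = r.sub == p.sub && keyMatch(r.obj, p.obj) && regexMatch(r.act, p.act)
    e = some(where (p.eft == allow)) && !some(where (p.eft == deny))"""
    effects = [p_eft for p_sub, p_obj, p_act, p_eft in rules
               if sub == p_sub and key_match(obj, p_obj) and regex_match(act, p_act)]
    return "allow" in effects and "deny" not in effects


RULES = load_policy(POLICY_CSV)
```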
To update the default role policy, first verify the policy result with the Casbin online editor, then override the default /res/policy.csv in docker-compose-security.yml:
services:
  proxy-auth:
    volumes:
      - <path_to_custom_policy.csv>:/res/policy.csv
Note
You can either modify the default /etc/edgexpert/docker-compose-security.yml directly, or keep a local docker-compose-security.yml and use the docker-compose override mechanism.
Role Policy API
The /api/v2/rolepolicy API allows a user to update the policy rules at runtime:
Invoke the Proxy Auth Add Policy API to add a policy rule:
curl -X POST '<proxy-auth-ip>:59842/api/v2/rolepolicy' \
--header 'Content-Type: application/json' \
--data-raw '{
"role": "group1",
"path": "/core-data/api/v2/*",
"method": "(GET)",
"effect": "allow"
}'
Invoke the Proxy Auth Delete Policy API to remove a policy rule:
curl -X DELETE '<proxy-auth-ip>:59842/api/v2/rolepolicy' \
--header 'Content-Type: application/json' \
--data-raw '{
"role": "group1",
"path": "/core-data/api/v2/*",
"method": "(GET)",
"effect": "allow"
}'