- Go web server to create access policies and to ask whether a subject is permitted to perform an action on a resource
- /policies - manage access policies (the JSON array is sent as the request body)
curl -i -X POST --url http://localhost:8080/policies -H 'Content-Type: application/json' -d '[
  {
    "Subject": "admin",
    "Action": "POST",
    "Resource": "/iot-repository",
    "ID": "admin",
    "Effect": "allow"
  }
]'
curl -i -X PUT --url http://localhost:8080/policies -H 'Content-Type: application/json' -d '[
  {
    "Subject": "admin",
    "Action": "has_access_permission",
    "Resource": "deviceid",
    "ID": "admin",
    "Context": {
      "type": "device",
      "owner": "user"
    },
    "Effect": "allow"
  }
]'
curl -i -X GET --url http://localhost:8080/policies?subject=admin
curl -i -X DELETE --url http://localhost:8080/policies?ids=id1,id2
- /check - ask for permission (used with the kong middleman plugin; the example below posts to /access, the path the server answers on is the one the deployment configures)
curl -i -X POST --url http://localhost:8080/access -H 'Content-Type: application/json' -d '{
  "headers": {
    "target_method": "GET",
    "target_uri": "/process/schedulerlump",
    "authorization": "Bearer <token>"
  }
}'
- prerequisite for the Docker build below: docker pull golang
- Subjects:
- User
- Role
- Actions:
- HTTP Method
- Access
- Resources:
- URI
- Device Instance ID
- Device Type ID
- role admin is allowed to GET on resource /iot-device-repo
- user max is allowed to access device instance iot#22323232332 where the owner is thomas
- generate the subset in the web UI: check the user's own devices, then the instances that were shared with the user
- using a device instance in the process executor: either ask the iot-repo and ladon
- one policy per subject (e.g. role admin) and resource (e.g. /iot-repository)
- one or multiple actions, which can be removed or added later
- the policy ID is the tuple of subject and resource
- if the permissions of a subject in relation to a resource should be changed, the existing policy is changed and no extra policy is created
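The policy model and the /access check described above, as an added example that is not part of this project's code: a small in-memory store that keeps exactly one policy per (subject, resource) tuple, adds and removes single actions in place, and evaluates a request deny-by-default with context conditions such as owner. The subject prefixes "user:" / "role:", the Go type names and the assumption that the gateway has already resolved the bearer token into user and roles are assumptions for this example, not the server's API.

```go
package main

import "fmt"

// Policy mirrors the fields of the JSON documents posted to /policies.
// Actions is a set so single actions can be added or removed later; Context
// holds attribute conditions (e.g. "owner": "thomas") that must all match
// the attributes sent with the access request.
type Policy struct {
	ID       string
	Subject  string
	Resource string
	Actions  map[string]bool
	Context  map[string]string
	Effect   string // "allow" or "deny"
}

// PolicyID is the tuple (subject, resource); a policy for that pair is stored
// under this key only, so updates can never create a second one.
func PolicyID(subject, resource string) string { return subject + "|" + resource }

// Store keeps exactly one policy per (subject, resource) tuple.
type Store struct{ policies map[string]*Policy }

func NewStore() *Store { return &Store{policies: map[string]*Policy{}} }

// Upsert creates the policy for (subject, resource) on first use and otherwise
// updates it in place: actions are unioned, context conditions merged and the
// effect overwritten.
func (s *Store) Upsert(subject, resource, effect string, ctx map[string]string, actions ...string) *Policy {
	id := PolicyID(subject, resource)
	p, ok := s.policies[id]
	if !ok {
		p = &Policy{ID: id, Subject: subject, Resource: resource,
			Actions: map[string]bool{}, Context: map[string]string{}}
		s.policies[id] = p
	}
	p.Effect = effect
	for k, v := range ctx {
		p.Context[k] = v
	}
	for _, a := range actions {
		p.Actions[a] = true
	}
	return p
}

// RemoveActions deletes single actions; once none is left the whole policy is
// dropped so an empty policy cannot linger in the store.
func (s *Store) RemoveActions(subject, resource string, actions ...string) {
	id := PolicyID(subject, resource)
	p, ok := s.policies[id]
	if !ok {
		return
	}
	for _, a := range actions {
		delete(p.Actions, a)
	}
	if len(p.Actions) == 0 {
		delete(s.policies, id)
	}
}

// Count returns the number of stored policies.
func (s *Store) Count() int { return len(s.policies) }

// Request is what the access check needs once the bearer token has been
// resolved upstream (assumption): the user plus the roles they hold, the HTTP
// method or access action, the resource and the request-side attributes.
type Request struct {
	Subjects []string          // e.g. "user:max", "role:admin" (naming assumed)
	Action   string            // e.g. "GET" or "has_access_permission"
	Resource string            // e.g. "/iot-repository" or a device instance ID
	Context  map[string]string // e.g. "owner": "thomas"
}

// Check is deny-by-default: the request passes only if one of the subjects has
// an allow policy for the resource that lists the action and whose context
// conditions all match, and no matching policy of any subject denies it.
func (s *Store) Check(r Request) bool {
	allowed := false
	for _, subj := range r.Subjects {
		p, ok := s.policies[PolicyID(subj, r.Resource)]
		if !ok || !p.Actions[r.Action] || !contextMatches(p.Context, r.Context) {
			continue
		}
		if p.Effect == "deny" {
			return false // deny overrides an allow from another subject
		}
		if p.Effect == "allow" {
			allowed = true
		}
	}
	return allowed
}

// contextMatches requires every policy condition to be present in the request
// context with the same value; extra request attributes are ignored.
func contextMatches(conditions, ctx map[string]string) bool {
	for k, want := range conditions {
		if got, ok := ctx[k]; !ok || got != want {
			return false
		}
	}
	return true
}

func main() {
	s := NewStore()
	s.Upsert("role:admin", "/iot-device-repo", "allow", nil, "GET")
	s.Upsert("role:admin", "/iot-device-repo", "allow", nil, "POST") // same policy, one more action
	s.Upsert("user:max", "iot#22323232332", "allow", map[string]string{"owner": "thomas"}, "has_access_permission")
	fmt.Println("policies stored:", s.Count())
	fmt.Println("max POST /iot-device-repo via role admin:", s.Check(Request{
		Subjects: []string{"user:max", "role:admin"}, Action: "POST", Resource: "/iot-device-repo"}))
	fmt.Println("max on device owned by anna:", s.Check(Request{
		Subjects: []string{"user:max"}, Action: "has_access_permission",
		Resource: "iot#22323232332", Context: map[string]string{"owner": "anna"}}))
}
```

The store returns the existing policy from Upsert rather than creating a new one, which is the behaviour the last two rules above ask for; a missing policy, a missing action or a non-matching owner all fall through to the default deny.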
build with Docker
docker build -t ladon .
run with docker-compose (starts the database and exposes port 8080)
docker-compose up