{"activeVersionTag":"latest","latestAvailableVersionTag":"latest","collection":{"info":{"_postman_id":"59ce8a5e-c01f-4d7b-964e-64dd67f2fce5","name":"FIWARE Administrating XACML","description":"[![FIWARE Security](https://nexus.lab.fiware.org/repository/raw/public/badges/chapters/security.svg)](https://www.fiware.org/developers/catalogue/)\n\nThis tutorial introduces the administration of level 3 advanced authorization rules into **Keyrock**. The simple verb-resource based permissions are amended to use XACML and new XACML permissions are added to the existing roles. The updated ruleset is automatically uploaded to the **Authzforce** PDP, so that policy execution points such as the **PEP proxy** are able to apply the latest ruleset.\n\nThe tutorial demonstrates examples of interactions using the **Keyrock** GUI, as\nwell as [cUrl](https://ec.haxx.se/) commands used to access the REST\nAPIs of **Keyrock** and **Authzforce**.\n\nThe `docker-compose` files for this tutorial can be found on GitHub:\n\n![GitHub](https://fiware.github.io/tutorials.Administrating-XACML/icon/GitHub-Mark-32px.png) [FIWARE 406: Administrating XACML](https://github.com/Fiware/tutorials.Administrating-XACML)\n\n# Administrating XACML Rules\n\n> **12.3 Central Terminal Area**\n>\n> * Red or Yellow Zone\n>    * No private vehicle shall stop, wait, or park in the red or yellow zone.\n> * White Zone\n>    * No vehicle shall stop, wait, or park in the white zone unless actively\n> engaged in the immediate loading or unloading of passengers\n> and/or baggage.\n>\n> — Los Angeles International Airport Rules and Regulations, Section 12 - Landside Motor Vehicle Operations\n\nBusiness rules change over time, and it is necessary to be able to amend access controls accordingly. The [previous tutorial](https://github.com/Fiware/tutorials.XACML-Access-Rules) included a static XACML `<PolicySet>` loaded into **Authzforce**. 
This component offers advanced authorization (level 3) access control where every policy decision is calculated on the fly and new rules can be applied under new circumstances.\nThe details of the [Authzforce](https://authzforce-ce-fiware.readthedocs.io/) Policy Decision Point (PDP) were discussed in the [previous tutorial](https://github.com/Fiware/tutorials.XACML-Access-Rules); suffice to say, the **Authzforce** PDP interprets rules according to the\n[XACML standard](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml) and offers a means to adjudicate on any access request, provided that sufficient information can be supplied.\n\nFor full flexibility, it must be possible to load, update and activate a new access control XACML `<PolicySet>` whenever necessary. In order to do this, **Authzforce** offers a simple REST Policy Administration Point (PAP); an alternative role-based PAP is available within **Keyrock**.\n\n## What is XACML\n\neXtensible Access Control Markup Language (XACML) is a vendor neutral\ndeclarative access control policy language. It was created to promote common\naccess control terminology and interoperability. The architectural naming\nconventions for elements such as Policy Execution Point (PEP) and Policy\nDecision Point (PDP) come from the XACML specifications.\n\nXACML policies are split into a hierarchy of three levels - `<PolicySet>`,\n`<Policy>` and `<Rule>`. The `<PolicySet>` is a collection of `<Policy>`\nelements, each of which contains one or more `<Rule>` elements.\n\nEach `<Rule>` within a `<Policy>` is evaluated as to whether it should grant\naccess to a resource - the overall `<Policy>` result is defined by the combined\nresult of all `<Rule>` elements processed in turn. 
Separate `<Policy>` results\nare then evaluated against each other using combining algorithms, which define which\n`<Policy>` wins in case of conflict.\n\nFurther information can be found within the [XACML standard](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml).\n\n## PAP - Policy Administration Point\n\nFor the first half of the tutorial, a simple two-rule `<PolicySet>` will be administered using the **Authzforce** PAP. Thereafter the **Keyrock** GUI will be used to administer XACML rules within the existing tutorial application on an individual XACML `<Rule>` level. The policy decision request code within the **PEP-Proxy** may also need to be customized to enable the enforcement of complex XACML rules.\n\n### Authzforce PAP\n\nWithin the **Authzforce** PAP, all CRUD actions occur on the `<PolicySet>` level. It is therefore necessary to create a complete, valid XACML file before uploading it to the service. There is no GUI available to ensure the validity of the `<PolicySet>` prior to uploading the XACML.\n\n### Keyrock PAP\n\n**Keyrock** can create a valid XACML file based on available roles and permissions and pass this to **Authzforce**. Indeed **Keyrock** already does this whenever it is combined with **Authzforce**, as all its own basic authorization (level 2) permissions must be translated into advanced authorization (level 3) permissions before they can be adjudicated by **Authzforce**.\n\nWithin **Keyrock**, each role corresponds to an XACML `<Policy>`, and each permission within that role corresponds to an XACML `<Rule>`. 
There is a GUI available for uploading and amending the XACML for each `<Rule>`, and all CRUD actions occur on the `<Rule>` level.\n\nProvided care is taken when creating each `<Rule>`, you can use **Keyrock** to simplify the administration of XACML and create a valid `<PolicySet>` for **Authzforce**.\n\n## PEP - Policy Execution Point\n\nWhen using advanced authorization (level 3), a policy execution point sends an authorization request to the relevant domain endpoint within **Authzforce**,\nproviding all of the information necessary for **Authzforce** to provide a\njudgement. Details of the interaction can be found in the [previous tutorial](https://github.com/Fiware/tutorials.XACML-Access-Rules).\n\nThe full code to supply each request to **Authzforce** can be found within the\ntutorials'\n[Git Repository](https://github.com/Fiware/tutorials.Step-by-Step/blob/master/context-provider/lib/azf.js).\n\nObviously the definition of _\"all of the information necessary\"_ may change\nover time; applications must therefore be flexible enough to modify the requests sent to ensure that sufficient information is passed.\n\n# Prerequisites\n\n## Docker\n\nTo keep things simple, all components will be run using\n[Docker](https://www.docker.com). **Docker** is a container technology which\nallows different components to be isolated in their respective environments.\n\n-   To install Docker on Windows follow the instructions\n    [here](https://docs.docker.com/docker-for-windows/)\n-   To install Docker on Mac follow the instructions\n    [here](https://docs.docker.com/docker-for-mac/)\n-   To install Docker on Linux follow the instructions\n    [here](https://docs.docker.com/install/)\n\n**Docker Compose** is a tool for defining and running multi-container Docker\napplications. A\n[YAML file](https://raw.githubusercontent.com/Fiware/tutorials.Identity-Management/master/docker-compose.yml)\nis used to configure the required services for the application. 
This means all\ncontainer services can be brought up in a single command. Docker Compose is\ninstalled by default as part of Docker for Windows and Docker for Mac; however,\nLinux users will need to follow the instructions found\n[here](https://docs.docker.com/compose/install/).\n\n## Cygwin\n\nWe will start up our services using a simple bash script. Windows users should\ndownload [cygwin](http://www.cygwin.com/) to provide command-line\nfunctionality similar to a Linux distribution on Windows.\n\n# Architecture\n\nThis application adds OAuth2-driven security into the existing Stock Management\nand Sensors-based application created in\n[previous tutorials](https://github.com/Fiware/tutorials.IoT-Agent/) by using\nthe data created in the first\n[security tutorial](https://github.com/Fiware/tutorials.Identity-Management/)\nand reading it programmatically. It will make use of three FIWARE components -\nthe [Orion Context Broker](https://fiware-orion.readthedocs.io/en/latest/), the\n[IoT Agent for UltraLight 2.0](https://fiware-iotagent-ul.readthedocs.io/en/latest/)\nand integrates the use of the\n[Keyrock](https://fiware-idm.readthedocs.io/en/latest/) Generic Enabler. Usage\nof the Orion Context Broker is sufficient for an application to qualify as\n_“Powered by FIWARE”_.\n\nBoth the Orion Context Broker and the IoT Agent rely on open source\n[MongoDB](https://www.mongodb.com/) technology to keep persistence of the\ninformation they hold. 
We will also be using the dummy IoT devices created in\nthe [previous tutorial](https://github.com/Fiware/tutorials.IoT-Sensors/).\n**Keyrock** uses its own [MySQL](https://www.mysql.com/) database.\n\nTherefore the overall architecture will consist of the following elements:\n\n-   The FIWARE\n    [Orion Context Broker](https://fiware-orion.readthedocs.io/en/latest/) which\n    will receive requests using\n    [NGSI](https://fiware.github.io/specifications/OpenAPI/ngsiv2)\n-   The FIWARE\n    [IoT Agent for UltraLight 2.0](https://fiware-iotagent-ul.readthedocs.io/en/latest/)\n    which will receive southbound requests using\n    [NGSI](https://fiware.github.io/specifications/OpenAPI/ngsiv2) and convert\n    them to\n    [UltraLight 2.0](https://fiware-iotagent-ul.readthedocs.io/en/latest/usermanual/index.html#user-programmers-manual)\n    commands for the devices\n-   FIWARE [Keyrock](https://fiware-idm.readthedocs.io/en/latest/) offers a\n    complete Identity Management System including:\n    -   An OAuth2 authentication system for Applications and Users\n    -   A site graphical frontend for Identity Management Administration\n    -   An equivalent REST API for Identity Management via HTTP requests\n-   FIWARE [Authzforce](https://authzforce-ce-fiware.readthedocs.io/) is an XACML Server providing an interpretive Policy Decision Point (PDP) for\n    access to the **Orion** and/or **IoT Agent** microservices\n-   FIWARE [Wilma](https://fiware-pep-proxy.rtfd.io/) is a PEP Proxy securing\n    access to the **Orion** microservices; it requests authorisation decisions from **Authzforce**\n-   The underlying [MongoDB](https://www.mongodb.com/) database:\n    -   Used by the **Orion Context Broker** to hold context data information\n        such as data entities, subscriptions and registrations\n    -   Used by the **IoT Agent** to hold device information such as device URLs\n        and Keys\n-   A [MySQL](https://www.mysql.com/) database:\n    -   Used to persist user 
identities, applications, roles and permissions\n-   The **Stock Management Frontend** does the following:\n    -   Displays store information\n    -   Shows which products can be bought at each store\n    -   Allows users to \"buy\" products and reduce the stock count.\n    -   Allows authorized users into restricted areas; it requests authorization decisions from **Authzforce**\n-   A webserver acting as a set of\n    [dummy IoT devices](https://github.com/Fiware/tutorials.IoT-Sensors) using\n    the\n    [UltraLight 2.0](https://fiware-iotagent-ul.readthedocs.io/en/latest/usermanual/index.html#user-programmers-manual)\n    protocol running over HTTP - access to certain resources is restricted.\n\nSince all interactions between the elements are initiated by HTTP requests, the\nentities can be containerized and run from exposed ports.\n\n![](https://fiware.github.io/tutorials.Administrating-XACML/img/architecture.png)\n\nAll container configuration values described in the YAML file\nhave been described in previous tutorials.\n\n# Start Up\n\nTo start the installation, do the following:\n\n```console\ngit clone git@github.com:Fiware/tutorials.Administrating-XACML.git\ncd tutorials.Administrating-XACML\n\n./services create\n```\n\n> **Note** The initial creation of Docker images can take up to three minutes.\n\nThereafter, all services can be initialized from the command-line by running the\n[services](https://github.com/Fiware/tutorials.Administrating-XACML/blob/master/services)\nBash script provided within the repository:\n\n```console\n./services start\n```\n\n> **Note:** If you want to clean up and start over again\n> you can do so with the following command:\n>\n> ```console\n> ./services stop\n> ```\n\n### Dramatis Personae\n\nThe following people at `test.com` legitimately have accounts within the\nApplication:\n\n-   Alice, who will be the Administrator of the **Keyrock** Application\n-   Bob, the Regional Manager of the supermarket chain - he has several 
store\n    managers under him:\n    -   Manager1\n    -   Manager2\n-   Charlie, the Head of Security of the supermarket chain - he has several\n    store detectives under him:\n    -   Detective1\n    -   Detective2\n\n| Name       | eMail                     | Password |\n| ---------- | ------------------------- | -------- |\n| alice      | alice-the-admin@test.com  | `test`   |\n| bob        | bob-the-manager@test.com  | `test`   |\n| charlie    | charlie-security@test.com | `test`   |\n| manager1   | manager1@test.com         | `test`   |\n| manager2   | manager2@test.com         | `test`   |\n| detective1 | detective1@test.com       | `test`   |\n| detective2 | detective2@test.com       | `test`   |\n\nThe following people at `example.com` have signed up for accounts, but have no\nreason to be granted access:\n\n-   Eve - Eve the Eavesdropper\n-   Mallory - Mallory the malicious attacker\n-   Rob - Rob the Robber\n\n| Name    | eMail               | Password |\n| ------- | ------------------- | -------- |\n| eve     | eve@example.com     | `test`   |\n| mallory | mallory@example.com | `test`   |\n| rob     | rob@example.com     | `test`   |\n\n# XACML Administration\n\nTo apply an access control policy, it is necessary to be able to do the following:\n\n-   Create a consistent `<PolicySet>`\n-   Supply a Policy Execution Point (PEP) which provides the necessary data\n\nAs will be seen, **Keyrock** is able to help with the first point, and custom code within the **PEP Proxy** can help with the second. 
**Authzforce** itself does not offer a UI, and is not concerned with generation and management of XACML policies - it assumes that each `<PolicySet>` it receives has already been generated by another component.\n\nFull-blown XACML editors are available, but the limited editor within **Keyrock** is usually sufficient for most access control scenarios.","schema":"https://schema.getpostman.com/json/collection/v2.0.0/collection.json","isPublicCollection":true,"owner":"513743","team":157450,"collectionId":"59ce8a5e-c01f-4d7b-964e-64dd67f2fce5","publishedId":"RznCrzo9","public":true,"publicUrl":"https://documenter-api.postman.tech/view/513743/RznCrzo9","privateUrl":"https://go.postman.co/documentation/513743-59ce8a5e-c01f-4d7b-964e-64dd67f2fce5","customColor":{"top-bar":"FFFFFF","right-sidebar":"303030","highlight":"FF7059"},"documentationLayout":"classic-double-column","version":"8.10.0","publishDate":"2020-01-02T11:02:36.000Z","activeVersionTag":"latest","documentationTheme":"light","metaTags":{},"logos":{}},"statusCode":200},"environments":[],"user":{"authenticated":false,"permissions":{"publish":false}},"run":{"button":{"js":"https://run.pstmn.io/button.js","css":"https://run.pstmn.io/button.css"}},"web":"https://www.getpostman.com/","team":{"logo":"https://res.cloudinary.com/postman/image/upload/t_team_logo_pubdoc/v1/team/d7085d490b9144732c65203aa6e3b68b31884d1c33a86b8a00d15da75147ae33","favicon":""},"isEnvFetchError":false,"languages":"[{\"key\":\"csharp\",\"label\":\"C#\",\"variant\":\"HttpClient\"},{\"key\":\"csharp\",\"label\":\"C#\",\"variant\":\"RestSharp\"},{\"key\":\"curl\",\"label\":\"cURL\",\"variant\":\"cURL\"},{\"key\":\"dart\",\"label\":\"Dart\",\"variant\":\"http\"},{\"key\":\"go\",\"label\":\"Go\",\"variant\":\"Native\"},{\"key\":\"http\",\"label\":\"HTTP\",\"variant\":\"HTTP\"},{\"key\":\"java\",\"label\":\"Java\",\"variant\":\"OkHttp\"},{\"key\":\"java\",\"label\":\"Java\",\"variant\":\"Unirest\"},{\"key\":\"javascript\",\"label\":\"JavaScript\",\"va
riant\":\"Fetch\"},{\"key\":\"javascript\",\"label\":\"JavaScript\",\"variant\":\"jQuery\"},{\"key\":\"javascript\",\"label\":\"JavaScript\",\"variant\":\"XHR\"},{\"key\":\"c\",\"label\":\"C\",\"variant\":\"libcurl\"},{\"key\":\"nodejs\",\"label\":\"NodeJs\",\"variant\":\"Axios\"},{\"key\":\"nodejs\",\"label\":\"NodeJs\",\"variant\":\"Native\"},{\"key\":\"nodejs\",\"label\":\"NodeJs\",\"variant\":\"Request\"},{\"key\":\"nodejs\",\"label\":\"NodeJs\",\"variant\":\"Unirest\"},{\"key\":\"objective-c\",\"label\":\"Objective-C\",\"variant\":\"NSURLSession\"},{\"key\":\"ocaml\",\"label\":\"OCaml\",\"variant\":\"Cohttp\"},{\"key\":\"php\",\"label\":\"PHP\",\"variant\":\"cURL\"},{\"key\":\"php\",\"label\":\"PHP\",\"variant\":\"Guzzle\"},{\"key\":\"php\",\"label\":\"PHP\",\"variant\":\"HTTP_Request2\"},{\"key\":\"php\",\"label\":\"PHP\",\"variant\":\"pecl_http\"},{\"key\":\"powershell\",\"label\":\"PowerShell\",\"variant\":\"RestMethod\"},{\"key\":\"python\",\"label\":\"Python\",\"variant\":\"http.client\"},{\"key\":\"python\",\"label\":\"Python\",\"variant\":\"Requests\"},{\"key\":\"r\",\"label\":\"R\",\"variant\":\"httr\"},{\"key\":\"r\",\"label\":\"R\",\"variant\":\"RCurl\"},{\"key\":\"ruby\",\"label\":\"Ruby\",\"variant\":\"Net::HTTP\"},{\"key\":\"shell\",\"label\":\"Shell\",\"variant\":\"Httpie\"},{\"key\":\"shell\",\"label\":\"Shell\",\"variant\":\"wget\"},{\"key\":\"swift\",\"label\":\"Swift\",\"variant\":\"URLSession\"}]","languageSettings":[{"key":"csharp","label":"C#","variant":"HttpClient"},{"key":"csharp","label":"C#","variant":"RestSharp"},{"key":"curl","label":"cURL","variant":"cURL"},{"key":"dart","label":"Dart","variant":"http"},{"key":"go","label":"Go","variant":"Native"},{"key":"http","label":"HTTP","variant":"HTTP"},{"key":"java","label":"Java","variant":"OkHttp"},{"key":"java","label":"Java","variant":"Unirest"},{"key":"javascript","label":"JavaScript","variant":"Fetch"},{"key":"javascript","label":"JavaScript","variant":"jQuery"},{"key":"javascript","lab
el":"JavaScript","variant":"XHR"},{"key":"c","label":"C","variant":"libcurl"},{"key":"nodejs","label":"NodeJs","variant":"Axios"},{"key":"nodejs","label":"NodeJs","variant":"Native"},{"key":"nodejs","label":"NodeJs","variant":"Request"},{"key":"nodejs","label":"NodeJs","variant":"Unirest"},{"key":"objective-c","label":"Objective-C","variant":"NSURLSession"},{"key":"ocaml","label":"OCaml","variant":"Cohttp"},{"key":"php","label":"PHP","variant":"cURL"},{"key":"php","label":"PHP","variant":"Guzzle"},{"key":"php","label":"PHP","variant":"HTTP_Request2"},{"key":"php","label":"PHP","variant":"pecl_http"},{"key":"powershell","label":"PowerShell","variant":"RestMethod"},{"key":"python","label":"Python","variant":"http.client"},{"key":"python","label":"Python","variant":"Requests"},{"key":"r","label":"R","variant":"httr"},{"key":"r","label":"R","variant":"RCurl"},{"key":"ruby","label":"Ruby","variant":"Net::HTTP"},{"key":"shell","label":"Shell","variant":"Httpie"},{"key":"shell","label":"Shell","variant":"wget"},{"key":"swift","label":"Swift","variant":"URLSession"}],"languageOptions":[{"label":"C# - HttpClient","value":"csharp - HttpClient - C#"},{"label":"C# - RestSharp","value":"csharp - RestSharp - C#"},{"label":"cURL - cURL","value":"curl - cURL - cURL"},{"label":"Dart - http","value":"dart - http - Dart"},{"label":"Go - Native","value":"go - Native - Go"},{"label":"HTTP - HTTP","value":"http - HTTP - HTTP"},{"label":"Java - OkHttp","value":"java - OkHttp - Java"},{"label":"Java - Unirest","value":"java - Unirest - Java"},{"label":"JavaScript - Fetch","value":"javascript - Fetch - JavaScript"},{"label":"JavaScript - jQuery","value":"javascript - jQuery - JavaScript"},{"label":"JavaScript - XHR","value":"javascript - XHR - JavaScript"},{"label":"C - libcurl","value":"c - libcurl - C"},{"label":"NodeJs - Axios","value":"nodejs - Axios - NodeJs"},{"label":"NodeJs - Native","value":"nodejs - Native - NodeJs"},{"label":"NodeJs - Request","value":"nodejs - Request - 
NodeJs"},{"label":"NodeJs - Unirest","value":"nodejs - Unirest - NodeJs"},{"label":"Objective-C - NSURLSession","value":"objective-c - NSURLSession - Objective-C"},{"label":"OCaml - Cohttp","value":"ocaml - Cohttp - OCaml"},{"label":"PHP - cURL","value":"php - cURL - PHP"},{"label":"PHP - Guzzle","value":"php - Guzzle - PHP"},{"label":"PHP - HTTP_Request2","value":"php - HTTP_Request2 - PHP"},{"label":"PHP - pecl_http","value":"php - pecl_http - PHP"},{"label":"PowerShell - RestMethod","value":"powershell - RestMethod - PowerShell"},{"label":"Python - http.client","value":"python - http.client - Python"},{"label":"Python - Requests","value":"python - Requests - Python"},{"label":"R - httr","value":"r - httr - R"},{"label":"R - RCurl","value":"r - RCurl - R"},{"label":"Ruby - Net::HTTP","value":"ruby - Net::HTTP - Ruby"},{"label":"Shell - Httpie","value":"shell - Httpie - Shell"},{"label":"Shell - wget","value":"shell - wget - Shell"},{"label":"Swift - URLSession","value":"swift - URLSession - Swift"}],"layoutOptions":[{"value":"classic-single-column","label":"Single Column"},{"value":"classic-double-column","label":"Double Column"}],"versionOptions":[],"environmentOptions":[{"value":"0","label":"No Environment"}],"canonicalUrl":"https://documenter.gw.postman.com/view/metadata/RznCrzo9"}