Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

IDD 5.0 review discussion - Authorization Management #82

Open
AlexChiquito opened this issue Feb 19, 2024 · 10 comments
Open

IDD 5.0 review discussion - Authorization Management #82

AlexChiquito opened this issue Feb 19, 2024 · 10 comments
Labels
5.0 Core Specification The issue concerns fundamental Arrowhead specifications or documentation Core System: Authorization System The issue concerns the Core Authorization system

Comments

@AlexChiquito
Copy link
Contributor

n this Issue we will collect the comments about the authorization-management-http-json interface definition.
@AlexChiquito AlexChiquito changed the title IDD 5.0 Review Discussion - Authorization Management IDD 5.0 review discussion - Authorization Management Feb 19, 2024
@emanuelpalm emanuelpalm added 5.0 Core System: Authorization System The issue concerns the Core Authorization system Core Specification The issue concerns fundamental Arrowhead specifications or documentation labels Feb 19, 2024
@emanuelpalm
Copy link
Contributor

Link to reviewed document: eu.arrowhead.authorization-management-http-json.yml.

@borditamas
Copy link
Member

AITIA review comments

  • The IDD should use the Arrowhead terminology (consumer, provider, service etc...) instead of NGAC (subject, resource, user-attributes, association etc...) terms. The implementation itself can be NGAC, but this shouldn't be visible in the service interface level. To being inline with the goal of "lowering the entry steps", the interface should be way more simple to understand and use we think.
  • There should be only 3 operation. Bulk grant, bulk revoke and bulk validation.
  • Too much type of 4xx response codes are used. 400, 401, 403 should be enough for the sake of simplicity.
  • Event types not considered by this IDD.

We believe that the NGAC concept is way more general than what Arrowhead needs at this point. Of course under the hood an implementation could use an NGAC engine but Arrowhead authorization should not be bounded to the general NGAC concept.

We think that Arrowhead 5.0 should support the following policies/rules:

  • consumer can use a specific provider's service
  • consumer can use a specific provider's service operation
  • consumer can use a specific provider's service operation on a specific resource (eg. file)
  • (subscriber can receive specific publisher's event with a specific type)
  • instead of a specific consumer we can use various wildcards (like everybody, everybody in a cloud, everybody in a whitelist, everybody that not on a blacklist)

roadmap/5.0 Draft/IDD/IDDs Authorization System/eu.arrowhead.authorization-management-http-json.yml

Line 41 in 5a4f4b2

/ping:

"ping" (or echo) operation should not be part of this service, but a different "monitor" service.

@borditamas
Copy link
Member

@AlexChiquito @emanuelpalm @PerOlofsson-Sinetiq
Could you please provide Sinetiq's feedback before the next RoadMap (05.02) in order to being able to discuss it there?
As you know, last time the 14th of May (before AIMS 5.0 GA) was agreed to target the specification being finalized, so we don't have so much time.

@emanuelpalm
Copy link
Contributor

emanuelpalm commented May 23, 2024
edited
Loading

  • The IDD should use the Arrowhead terminology (consumer, provider, service etc...) instead of NGAC (subject, resource, user-attributes, association etc...) terms. The implementation itself can be NGAC, but this shouldn't be visible in the service interface level. To being inline with the goal of "lowering the entry steps", the interface should be way more simple to understand and use we think.

@borditamas

I agree, to the extent where the concept we are working with maps to an Arrowhead concept.

See also:

@emanuelpalm
Copy link
Contributor

  • There should be only 3 operation. Bulk grant, bulk revoke and bulk validation.

If we can get it down to that, I'd be happy. :)

@emanuelpalm
Copy link
Contributor

emanuelpalm commented May 23, 2024
edited
Loading

  • Too much type of 4xx response codes are used. 400, 401, 403 should be enough for the sake of simplicity.

I agree.

@emanuelpalm
Copy link
Contributor

  • Event types not considered by this IDD.

How would they fit in this IDD?

@emanuelpalm
Copy link
Contributor

We believe that the NGAC concept is way more general than what Arrowhead needs at this point. Of course under the hood an implementation could use an NGAC engine but Arrowhead authorization should not be bounded to the general NGAC concept.

We think that Arrowhead 5.0 should support the following policies/rules:

  • consumer can use a specific provider's service
  • consumer can use a specific provider's service operation
  • consumer can use a specific provider's service operation on a specific resource (eg. file)
  • (subscriber can receive specific publisher's event with a specific type)
  • instead of a specific consumer we can use various wildcards (like everybody, everybody in a cloud, everybody in a whitelist, everybody that not on a blacklist)

All of these use cases should be possible with the triplets we have proposed. I need to look in more detail at this IDD to be able to tell if it can facilitate all of them, however.

@emanuelpalm
Copy link
Contributor

roadmap/5.0 Draft/IDD/IDDs Authorization System/eu.arrowhead.authorization-management-http-json.yml

Line 41 in 5a4f4b2

/ping:

"ping" (or echo) operation should not be part of this service, but a different "monitor" service.

I agree.

@AlexChiquito
Copy link
Contributor Author

AlexChiquito commented May 24, 2024
edited
Loading

We believe that the NGAC concept is way more general than what Arrowhead needs at this point. Of course under the hood an implementation could use an NGAC engine but Arrowhead authorization should not be bounded to the general NGAC concept.

We think that Arrowhead 5.0 should support the following policies/rules:

  • consumer can use a specific provider's service
  • consumer can use a specific provider's service operation
  • consumer can use a specific provider's service operation on a specific resource (eg. file)
  • (subscriber can receive specific publisher's event with a specific type)
  • instead of a specific consumer we can use various wildcards (like everybody, everybody in a cloud, everybody in a whitelist, everybody that not on a blacklist)

All of these use cases should be possible with the triplets we have proposed. I need to look in more detail at this IDD to be able to tell if it can facilitate all of them, however.

What I tried to propose is rather the "Attribute-based" concept, as otherwise having object-level authorization may become a mess just with rules. The triples that are considered in the IDD can cover those use cases, except that is always with the use of attributes, or wildcards.

For rules such as:

consumer can use a specific provider's service

We must have the consumer be part of an attribute, and the service be part of another attribute, and that a rule exists between them. It can be possible to add the possibility of expressing rules for subject-resource access in addition to attribute-rules, if really needed. We can discuss that.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
5.0 Core Specification The issue concerns fundamental Arrowhead specifications or documentation Core System: Authorization System The issue concerns the Core Authorization system
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@emanuelpalm @AlexChiquito @borditamas