
Authorization

This feature lets users of the AAS components secure the AAS and Submodel descriptors stored in the AAS Registry component.

Feature Overview

An example of the authorization setup can be found in the Keycloak scenario.

Feature Configuration

Authorization is disabled by default. Basic authorization can be configured in aas.properties:

aas.authorization=Enabled
aas.authorization=Disabled

[deprecated] The JWT connectivity can be configured in context.properties, e.g.:

jwtBearerTokenAuthenticationIssuerUri=http://127.0.0.1:9006/auth/realms/basyx-demo
jwtBearerTokenAuthenticationJwkSetUri=http://127.0.0.1:9006/auth/realms/basyx-demo/protocol/openid-connect/certs
jwtBearerTokenAuthenticationRequiredAud=basyx-demo

[new way] JWT validation is now configured via the "authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider" property in security.properties, which names a class that returns an appropriate KeycloakJwtBearerTokenAuthenticationConfigurationProvider object. For the default behavior, uncomment the property line in the security.properties file. While the line is commented out, the old properties in context.properties are still used.

Further authorization settings are made in security.properties:

Property: registry.authorization
  Possible values: Disabled, Enabled
  Description: Main switch for the authorization features; when disabled, none of the other fields take effect.
  Default value: Disabled

Property: registry.authorization.strategy
  Possible values: GrantedAuthority, SimpleRbac
  Description: The basic authorization strategy, see section "Provided Authorization Strategies".
  Default value: GrantedAuthority

Property: registry.authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider
  Possible values: <class>
  Description: The class responsible for providing a JWT bearer token authentication configuration; has to implement the IJwtBearerTokenAuthenticationConfigurationProvider interface.
  Default value: org.eclipse.basyx.components.aas.authorization.KeycloakJwtBearerTokenAuthenticationConfigurationProvider

Property: registry.authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider.keycloak.serverUrl
  Possible values: <url>
  Description: Base URL of the Keycloak server.
  Default value: null

Property: registry.authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider.keycloak.realm
  Possible values: basyx-demo
  Description: Realm in Keycloak.
  Default value: null

Property: registry.authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider.keycloak.audience
  Possible values: demo-client
  Description: Optional audience the token is issued for.
  Default value: null

Property: registry.authorization.strategy.simpleRbac.rulesFilePath
  Possible values: <file path> (json, see schema)
  Description: Relative path to the RBAC rules for the SimpleRbac strategy.
  Default value: /rbac_rules.json

Property: registry.authorization.strategy.simpleRbac.subjectInformationProvider
  Possible values: <class>
  Description: Class that provides the Authentication object for the SimpleRbac strategy; has to implement ISubjectInformationProvider.
  Default value: org.eclipse.basyx.extensions.shared.authorization.JWTAuthenticationContextProvider

Property: registry.authorization.strategy.simpleRbac.roleAuthenticator
  Possible values: <class>
  Description: Class that extracts the roles from the Authentication object for the SimpleRbac strategy; has to implement IRoleAuthenticator.
  Default value: org.eclipse.basyx.extensions.shared.authorization.KeycloakRoleAuthenticator

Property: registry.authorization.strategy.grantedAuthority.subjectInformationProvider
  Possible values: <class>
  Description: Class that fetches the Authentication object for the GrantedAuthority strategy; has to implement ISubjectInformationProvider.
  Default value: org.eclipse.basyx.extensions.shared.authorization.AuthenticationContextProvider

Property: registry.authorization.strategy.grantedAuthority.grantedAuthorityAuthenticator
  Possible values: <class>
  Description: Class that extracts the granted authorities from the Authentication object for the GrantedAuthority strategy; has to implement IGrantedAuthorityAuthenticator.
  Default value: org.eclipse.basyx.extensions.shared.authorization.AuthenticationGrantedAuthorityAuthenticator

Property: registry.authorization.strategy.custom.authorizersProvider
  Possible values: <class>
  Description: Class that provides the authorizers for the AAS-Server or Registry respectively for the custom strategy; must implement IAuthorizersProvider, so that third-party authorization logic can be loaded dynamically.
  Default value: (none)

Property: registry.authorization.strategy.custom.subjectInformationProvider
  Possible values: <class>
  Description: Class that provides the subject information retrieval logic to go with the custom authorizers; must implement ISubjectInformationProvider.
  Default value: (none)
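As an added example (not part of the BaSyx project or of this page), a small Python lint that reads a security.properties file and flags the settings from the table above that weaken JWT validation before the registry is deployed: a missing or plaintext Keycloak base URL, a missing realm, an unenforced audience, and the main switch left off. The sample properties text, the URL and the realm value are constructed for the demonstration.

```python
from typing import Dict, List

PREFIX = "registry.authorization"
KC = PREFIX + ".strategy.jwtBearerTokenAuthenticationConfigurationProvider.keycloak."

# Constructed sample security.properties using the property names documented on this
# page; the URL and realm values are assumptions for the demonstration only.
SAMPLE_PROPERTIES = """
registry.authorization=Enabled
registry.authorization.strategy=SimpleRbac
registry.authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider.keycloak.serverUrl=http://127.0.0.1:9006/auth
registry.authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider.keycloak.realm=basyx-demo
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: one key=value per line, '#'/'!' lines are comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def lint_registry_authorization(props: Dict[str, str]) -> List[str]:
    """Return the findings a reviewer would raise about the registry authorization settings."""
    findings: List[str] = []
    if props.get(PREFIX, "Disabled") != "Enabled":
        # Main switch off: every other registry.authorization.* key is ignored.
        return ["registry.authorization is not Enabled; descriptors are unprotected"]
    strategy = props.get(PREFIX + ".strategy", "GrantedAuthority")
    if strategy not in ("GrantedAuthority", "SimpleRbac"):
        findings.append(f"unknown strategy '{strategy}' (documented: GrantedAuthority, SimpleRbac)")
    if strategy == "SimpleRbac":
        rules = props.get(PREFIX + ".strategy.simpleRbac.rulesFilePath", "/rbac_rules.json")
        if not rules.endswith(".json"):
            findings.append(f"simpleRbac.rulesFilePath '{rules}' is not a .json rules file")
    server_url = props.get(KC + "serverUrl")
    if not server_url:
        findings.append("keycloak.serverUrl is missing (default null)")
    elif not server_url.startswith("https://"):
        findings.append("keycloak.serverUrl is not https: issuer metadata and signing keys are fetched in clear")
    if not props.get(KC + "realm"):
        findings.append("keycloak.realm is missing (default null)")
    if not props.get(KC + "audience"):
        findings.append("keycloak.audience unset: audience is not enforced, tokens for other clients pass")
    return findings
```

Run `lint_registry_authorization(parse_properties(open("security.properties").read()))` against the real file; an empty list means none of the checks fired.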

Also see BaSyx / Documentation / Components / Security / Authorization.
