Fiware IDM : Dynamic permission resource


I've deployed an application based on Fiware generic enablers, in Docker. The versions are:

  • Orion 1.14
  • Cygnus 1.9.0
  • Authzforce 5.4.1
  • Keyrock: the latest
  • Pep-proxy: 7.0.1

But when I want to create a permission in Keyrock, I can't find a specific syntax or character sequence to enter a dynamic resource in the resource field, like /resource1/<user>/info, or to specify only the resource prefix, like /resource2/<whatever>.

dynamic resource example

Does a syntax for dynamic resources really exist, and can AuthzForce create permissions associated with a dynamic resource, or is it necessary to create an XACML rule?

cdan

Yes, it is necessary to create an Advanced XACML Rule. For example, you may look at the XACML Rule template in the IDM source code, which is used to generate a basic Rule (for a static resource path); you would have to customize it (besides removing the template code <%...%>), especially modifying the Target and the Condition elements (use the XACML function string-concatenate to create the string /resource1/{param}/info dynamically).

Another difficulty is to get the {param} value in the PEP and make sure it is sent in the XACML Request to the AuthzForce PDP. The Pep-proxy only gets/sends the following XACML attributes, as you can see from the Pep's Authzforce client code (names shortened for conciseness): resource-id, sub-resource-id, action-id, subject-role. Therefore, if you want the user-id as {param}, for example, you have to modify the Pep code I just mentioned, i.e. extract the user ID from the userInfo variable and add the corresponding XACML Attribute (subject-id) to the Request. Or use your own Pep and do whatever you want, of course.