Moment For Technology

Ory Keto

Posted on Dec. 2, 2022, 5:47 p.m. by 黃淑華
Category: The back-end Tag: The back-end architecture

Permission server Keto

Introducing Keto

ORY Keto is a permissions server that implements best-practice access control mechanisms:

  • Available today: ORY-style access control policies with exact, glob, and regular-expression matching
  • Coming soon:
      • Access control lists (ACL)
      • Role-based access control (RBAC)
      • Role-based access control with context (Google/Kubernetes style)
      • Amazon Web Services Identity and Access Management policies (AWS IAM Policy)
  • Each mechanism is powered by a decision engine implemented on top of Open Policy Agent and provides well-defined administration and authorization endpoints

1 Code download

Keto source address download

The official documentation explains it only briefly

Unpacking instructions

Unpack the downloaded source code and place it in the local %GOPATH%/src directory

Note: GOPATH is the workspace location of the project. GOPATH contains the following three subdirectories

  • The src directory contains the Go source files, organized into packages (one package per directory)
  • The pkg directory contains package objects
  • The bin directory contains executable commands

2 Key Terms

2.1 RBAC

Introduction to RBAC

RBAC is Role-Based Access Control. In RBAC, permissions are associated with roles, and users obtain those permissions by becoming members of the appropriate roles. This greatly simplifies permission management: the management is layered, permissions are assigned to roles, and roles are assigned to users, a design that is clear and easy to administer. RBAC treats authorization as a relationship between the triple Who, What and How, that is, Who performs How on What: a "subject" performs an "operation" on an "object". RBAC is further divided into RBAC0, RBAC1, RBAC2 and RBAC3; if you don't know the differences, you can look them up on Baidu Encyclopedia (Baidu Encyclopedia - RBAC) or read my introduction.

  • Who: the owner or principal of the permission (for example, User, Role).
  • What: the operation or object (operation, object).
  • How: the privilege (positive authorization and negative authorization).

2.2 ABAC

Introduction to ABAC

Attribute-Based Access Control (ABAC) is permission control based on attributes. Unlike the common approaches that associate users with permissions in some fixed way, ABAC makes the authorization decision by dynamically evaluating one attribute or a group of attributes to determine whether certain conditions are met (simple logic can be written). Attributes generally fall into four categories: user attributes (such as the user's age), environment attributes (such as the current time), operation attributes (such as read), and object attributes (such as an article; also called resource attributes), so in theory it can achieve very flexible permission control that meets almost any kind of requirement.

An access control list (ACL) is an access control technique based on packet filtering. It filters packets on an interface according to specified conditions and either lets them pass or discards them. ACLs are widely used in routers and layer-3 switches; with their help, users' access to the network can be controlled effectively and network security maximized. Note that the ACL Keto is concerned with (see the blog_post table in section 3.4) records which subject may perform which action on which resource, not network packets.

2.3 Pitfall: bug fix

The original URL in the Go code

Modified to

This problem exists because the application's source code has a string-parsing problem with the DSN: you cannot write the port, so use the default port

3 Running the Project

After downloading the official code, compile it into keto.exe and run it directly. A usage prompt is displayed

3.1 Code Examples

config.yaml (if the default port is used, do not add the port number 3306 to the DSN):

dsn: mysql://root:minda123@tcp(127.0.0.1)/keto?parseTime=true&multiStatements=true

secrets:
  system:
    - admin1
    - admin2
    - admin3

Apply the SQL migrations:

keto.exe --config F:/awesomeProject/bin/config.yaml migrate sql -e

time="2019-12-25T16:27:28+08:00" level=info msg="Connecting with mysql://*:*@tcp(127.0.0.1)/keto?multiStatements=true"
time="2019-12-25T16:27:28+08:00" level=info msg="Connected to SQL!"
time="2019-12-25T16:27:28+08:00" level=info msg="Applying storage SQL migrations..."
time="2019-12-25T16:27:28+08:00" level=info msg="Successfully applied SQL migrations" applied_migrations=1 migration=name
time="2019-12-25T16:27:28+08:00" level=info msg="Done applying storage SQL migrations"

Note that the first log line masks the credentials from the DSN as *:*.

3.2 Starting Services

serve --config F:/awesomeProject/bin/config.yaml

3.3 Project API

Swagger setup tutorial

Go to the project root and launch the Swagger service

swagger serve -F=swagger F:\awesomeProject\src\github.com\ory\keto\docs\api.swagger.json

After it starts successfully, it prints the address where the service is running. Open it and you can see the following page:

3.4 Access policy models used

ACL:

Access control list

         blog_post.create  blog_post.delete  blog_post.modify  blog_post.read
Alice    yes               yes               yes               yes
Bob      no                no                no                yes
Peter    yes               no                yes               yes

RBAC:

4 ORY Access Control Policies

4.1 Policy Preparation

PUT request: http://127.0.0.1:4444/engines/acp/ory/glob/policies

{
  "subjects": ["alice"],
  "resources": ["blog_posts:my-first-blog-post"],
  "actions": ["delete"],
  "effect": "allow"
}

Also:

{
  "subjects": ["alice", "bob"],
  "resources": ["blog_posts:my-first-blog-post", "blog_posts:2", "blog_posts:3"],
  "actions": ["delete", "create", "read", "modify"],
  "effect": "allow"
}

New records are generated in the database

{
  "subjects": ["peter"],
  "resources": ["blog_posts:my-first-blog-post", "blog_posts:2", "blog_posts:3"],
  "actions": ["delete", "create", "read", "modify"],
  "effect": "deny"
}

The colon : is the delimiter in ORY Access Control Policies. Other supported syntax is:

  • single symbol wildcard: ?at matches cat and bat but not at
  • wildcard: foo:*:bar matches foo:baz:bar and foo:zab:bar but not foo:bar nor foo:baz:baz:bar
  • super wildcard: foo:**:bar matches foo:baz:baz:bar, foo:baz:bar, and foo:bar, but not foobar or foo:baz
  • character list: [cb]at matches cat and bat but not mat nor at
  • negated character list: [!cb]at matches tat and mat but not cat nor bat
  • ranged character list: [a-c]at matches cat and bat but not mat nor at
  • negated ranged character list: [!a-c]at matches mat and tat but not cat nor bat
  • alternatives list: {cat,bat,[mt]at} matches cat, bat, mat, tat and nothing else
  • backslash: foo\\bar matches foo\bar and nothing else; foo\bar matches foobar and nothing else; foo\*bar matches foo*bar and nothing else. Please note that when using JSON you need to double-escape backslashes: foo\\bar becomes {"...": "foo\\\\bar"}

The pattern syntax is:

pattern:
    { term }

term:
    *                 matches any sequence of non-separator characters
    **                matches any sequence of characters
    ?                 matches any single non-separator character
    [ [ ! ] { character-range } ]
                      character class (must be non-empty)
    { pattern-list }  pattern alternatives
    c                 matches character c (c != *, **, ?, \, [, {, })
    \ c               matches character c

character-range:
    c                 matches character c (c != \, -, ])
    \ c               matches character c
    lo - hi           matches character c for lo <= c <= hi

pattern-list:
    pattern { , pattern }
                      comma-separated (without spaces) patterns
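As an added example (not code from this page or from ORY Keto itself), the following Python translates the glob grammar above into an anchored regular expression, following the `{ term }` grammar literally, and then decides a request the way the allowed endpoint of section 4.4 does, using the three policies from section 4.1 plus one constructed glob policy (subjects users:editors:*, resources blog_posts:**). The rules in is_allowed (an explicit deny overrides any allow, and no matching policy means deny) are assumptions about Keto's decision semantics, not statements made on this page.

```python
import re

SEPARATOR = ":"   # the delimiter of ORY Access Control Policies


def glob_to_regex(pattern: str, sep: str = SEPARATOR) -> str:
    """Translate one ORY glob pattern into an anchored regular expression.

    '*' is any run of non-separator characters, '**' any run of characters,
    '?' one non-separator character, '[..]' / '[!..]' a (negated) character
    class with ranges, '{a,b}' a list of alternatives, and a backslash makes
    the next character literal.
    """
    not_sep = "[^" + re.escape(sep) + "]"
    out, depth, i = [], 0, 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):          # \c -> literal c
            out.append(re.escape(pattern[i + 1]))
            i += 2
        elif pattern.startswith("**", i):                 # super wildcard
            out.append(".*")
            i += 2
        elif c == "*":                                    # wildcard
            out.append(not_sep + "*")
            i += 1
        elif c == "?":                                    # single symbol wildcard
            out.append(not_sep)
            i += 1
        elif c == "[":                                    # character class
            end = pattern.index("]", i + 1)               # ValueError if unterminated
            body = pattern[i + 1:end]
            negated = body.startswith("!")
            body = body[1:] if negated else body
            if not body:
                raise ValueError("character class must be non-empty")
            # keep '-' so ranges like a-c survive; escape everything else
            cls = "".join(ch if ch == "-" else re.escape(ch) for ch in body)
            out.append("[" + ("^" if negated else "") + cls + "]")
            i = end + 1
        elif c == "{":                                    # alternatives list
            depth += 1
            out.append("(?:")
            i += 1
        elif c == "}" and depth:
            depth -= 1
            out.append(")")
            i += 1
        elif c == "," and depth:
            out.append("|")
            i += 1
        else:                                             # plain character
            out.append(re.escape(c))
            i += 1
    if depth:
        raise ValueError("unbalanced '{' in pattern")
    return "^" + "".join(out) + "$"


def glob_match(pattern: str, value: str) -> bool:
    return re.fullmatch(glob_to_regex(pattern), value) is not None


def is_allowed(policies, subject: str, resource: str, action: str) -> bool:
    """Decide a request against glob-flavor policies.

    Assumed semantics (not stated on the page): allowed only if some matching
    policy has effect "allow" and no matching policy has effect "deny";
    with no matching policy at all the answer is deny.
    """
    decision = False
    for policy in policies:
        if (any(glob_match(p, subject) for p in policy["subjects"])
                and any(glob_match(p, resource) for p in policy["resources"])
                and any(glob_match(p, action) for p in policy["actions"])):
            if policy["effect"] == "deny":
                return False
            decision = True
    return decision


# The three policies from section 4.1, plus one constructed glob policy.
BLOG_POSTS = ["blog_posts:my-first-blog-post", "blog_posts:2", "blog_posts:3"]
ALL_ACTIONS = ["delete", "create", "read", "modify"]
POLICIES = [
    {"subjects": ["alice"], "resources": ["blog_posts:my-first-blog-post"],
     "actions": ["delete"], "effect": "allow"},
    {"subjects": ["alice", "bob"], "resources": BLOG_POSTS,
     "actions": ALL_ACTIONS, "effect": "allow"},
    {"subjects": ["peter"], "resources": BLOG_POSTS,
     "actions": ALL_ACTIONS, "effect": "deny"},
    # constructed: anyone under users:editors: may read any blog post
    {"subjects": ["users:editors:*"], "resources": ["blog_posts:**"],
     "actions": ["read"], "effect": "allow"},
]

if __name__ == "__main__":
    for who, what, how in [("alice", "blog_posts:2", "read"),
                           ("peter", "blog_posts:2", "read"),
                           ("users:editors:maria", "blog_posts:2", "read"),
                           ("users:editors:maria", "blog_posts:2", "delete")]:
        print(who, what, how, "->", {"allowed": is_allowed(POLICIES, who, what, how)})
```

Because `*` is translated to a run of non-separator characters, a subject pattern such as users:editors:* cannot be satisfied by users:editors:maria:admin, which is the property that makes the colon-delimited naming scheme safe to build hierarchies on.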

4.2 JSON instance

{
  "description": "One policy to rule them all.",
  "subjects": ["users:maria:*"],
  "actions": ["delete", "create", "update", "modify", "get", "read"],
  "effect": "allow",
  "resources": ["resources:articles:.*"],
  "conditions": {
    "someKeyName": {
      "type": "StringMatchCondition",
      "options": {
        "matches": "foo.+"
      }
    },
    "someKey": {
      "type": "StringPairsEqualCondition",
      "options": {}
    },
    "myKey": {
      "type": "StringEqualCondition",
      "options": {
        "equals": "expected-value"
      }
    },
    "remoteIPAddress": {
      "type": "CIDRCondition",
      "options": {
        "cidr": "192.168.0.0/16"
      }
    },
    "this-key-will-be-matched-with-the-context": {
      "type": "SomeConditionType",
      "options": {
        "some": "configuration options set by the condition type"
      }
    }
  },
  "context": {
    "someKey": [["foo", "foo"], ["bar", "bar"]]
  }
}
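The conditions of a policy are checked against the context that the caller sends with the request (the context object of the allowed call in section 4.4), keyed by the same name. As an added illustration, not code from the page or from Keto, the following Python implements the four named condition types from the instance above and applies them to its conditions with a constructed request context. The fail-closed handling of missing keys, unknown condition types and ill-typed values, and the unanchored search used for StringMatchCondition, are my choices rather than behaviour documented on this page.

```python
import ipaddress
import re


def _string_equal(options, value):
    return isinstance(value, str) and value == options.get("equals")


def _string_match(options, value):
    # unanchored search: "foo.+" accepts "foobar" but not "foo" (assumed semantics)
    return isinstance(value, str) and re.search(options["matches"], value) is not None


def _string_pairs_equal(options, value):
    # the context value is a list of [a, b] pairs; every pair must be equal
    return isinstance(value, list) and all(
        isinstance(p, list) and len(p) == 2 and p[0] == p[1] for p in value)


def _cidr(options, value):
    try:
        return ipaddress.ip_address(value) in ipaddress.ip_network(options["cidr"], strict=False)
    except ValueError:      # not an IP address, or the policy carries a bad CIDR
        return False


CONDITION_TYPES = {
    "StringEqualCondition": _string_equal,
    "StringMatchCondition": _string_match,
    "StringPairsEqualCondition": _string_pairs_equal,
    "CIDRCondition": _cidr,
}


def conditions_fulfilled(conditions: dict, context: dict) -> bool:
    """True only if every condition of the policy holds for the request context.

    Each condition key is looked up in the context; a missing key, an unknown
    condition type or a value of the wrong shape fails closed.
    """
    for key, cond in conditions.items():
        check = CONDITION_TYPES.get(cond.get("type"))
        if check is None or key not in context:
            return False
        if not check(cond.get("options", {}), context[key]):
            return False
    return True


# The conditions of the section 4.2 policy (the placeholder SomeConditionType left out).
PAGE_CONDITIONS = {
    "someKeyName": {"type": "StringMatchCondition", "options": {"matches": "foo.+"}},
    "someKey": {"type": "StringPairsEqualCondition", "options": {}},
    "myKey": {"type": "StringEqualCondition", "options": {"equals": "expected-value"}},
    "remoteIPAddress": {"type": "CIDRCondition", "options": {"cidr": "192.168.0.0/16"}},
}

# A constructed request context that satisfies all four conditions.
GOOD_CONTEXT = {
    "someKeyName": "foobar",
    "someKey": [["foo", "foo"], ["bar", "bar"]],
    "myKey": "expected-value",
    "remoteIPAddress": "192.168.10.5",
}

if __name__ == "__main__":
    print("good context    ->", conditions_fulfilled(PAGE_CONDITIONS, GOOD_CONTEXT))
    print("outside the CIDR ->", conditions_fulfilled(
        PAGE_CONDITIONS, dict(GOOD_CONTEXT, remoteIPAddress="10.0.0.1")))
```

Since the context is supplied by the caller of the allowed endpoint, a value such as remoteIPAddress is only as trustworthy as the service that fills it in; the condition checks the value it is given, nothing more.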

4.3 Main Requests and Their Descriptions

Parameter description

Response Parameters

Name                  Type            Required  Restrictions  Description
code                  integer(int64)  false     none          none
details               [object]        false     none          none
additionalProperties  object          false     none          none
message               string          false     none          none
reason                string          false     none          none
request               string          false     none          none
status                string          false     none          none

Request Parameters

Parameter  In    Type    Required  Description
flavor     path  string  true      The ORY Access Control Policy flavor. Can be "regex", "glob", and "exact".

4.4 Checking whether the Request is Allowed

Request header

POST /engines/acp/ory/{flavor}/allowed HTTP/1.1
Content-Type: application/json
Accept: application/json

Body

{
  "action": "string",
  "context": {
    "property1": {},
    "property2": {}
  },
  "resource": "string",
  "subject": "string"
}

4.5 Parameter List

OryAccessControlPolicyAllowedInput

Name                  Type    Required  Restrictions  Description
action                string  false     none          Action is the action that is requested on the resource.
context               object  false     none          Context is the request's environmental context.
additionalProperties  object  false     none          none
resource              string  false     none          Resource is the resource that access is requested to.
subject               string  false     none          Subject is the subject that is requesting access.

Response

{"allowed":"true"} or {"allowed":"false"}

5 Access Control Policy Operations

5.1 Obtaining the Access Control Policy Set

GET /engines/acp/ory/{flavor}/policies HTTP/1.1
Accept: application/json

The list of parameters

Parameter  In     Type            Required  Description
flavor     path   string          true      The ORY Access Control Policy flavor. Can be "regex", "glob", and "exact".
limit      query  integer(int64)  false     The maximum amount of policies returned.
offset     query  integer(int64)  false     The offset from where to start looking.
subject    query  string          false     The subject for whom the policies are to be listed.
resource   query  string          false     The resource for which the policies are to be listed.
action     query  string          false     The action for which policies are to be listed.

5.2 Updating an Access Control Policy

PUT /engines/acp/ory/{flavor}/policies HTTP/1.1
Content-Type: application/json
Accept: application/json

The list of parameters

Parameter             Type      Required  Restrictions  Description
actions               [string]  false     none          Actions is an array representing all the actions this ORY Access Policy applies to.
conditions            object    false     none          Conditions represents a keyed object of conditions under which this ORY Access Policy is active.
additionalProperties  object    false     none          none
description           string    false     none          Description is an optional, human-readable description.
effect                string    false     none          Effect is the effect of this ORY Access Policy. It can be "allow" or "deny".
id                    string    false     none          The unique identifier of an access policy that can be queried, updated, or deleted.
resources             [string]  false     none          Resources is an array representing all the resources this ORY Access Policy applies to.
subjects              [string]  false     none          Subjects is an array representing all the subjects this ORY Access Policy applies to.

5.3 Querying a Specific Policy

GET /engines/acp/ory/{flavor}/policies/{id} HTTP/1.1
Accept: application/json

5.4 Deleting an Access Control Policy

DELETE /engines/acp/ory/{flavor}/policies/{id} HTTP/1.1
Accept: application/json

6 Access Control Policy Role Operations

6.1 Querying an Access Control Role Set

GET /engines/acp/ory/{flavor}/roles HTTP/1.1
Accept: application/json

Parameter description:

Parameter  In     Type            Required  Description
flavor     path   string          true      The ORY Access Control Policy flavor. Can be "regex", "glob", and "exact".
limit      query  integer(int64)  false     The maximum amount of policies returned.
offset     query  integer(int64)  false     The offset from where to start looking.
member     query  string          false     The member for which the roles are to be listed.

6.2 Adding an Access Control Role

PUT /engines/acp/ory/{flavor}/roles HTTP/1.1
Content-Type: application/json
Accept: application/json

Example:

{
  "id": "string",
  "members": ["string"]
}

The list of parameters

Parameter  Type      Required  Description
id         string    false     ID is the role's unique id.
members    [string]  false     Members is who belongs to the role.

6.3 Obtaining Access Control Role Information

GET /engines/acp/ory/{flavor}/roles/{id} HTTP/1.1
Accept: application/json

6.4 Deleting an Access Control Role

DELETE /engines/acp/ory/{flavor}/roles/{id} HTTP/1.1
Accept: application/json

6.5 Adding Users to a Role

PUT /engines/acp/ory/{flavor}/roles/{id}/members HTTP/1.1
Content-Type: application/json
Accept: application/json

{"members": ["string"]}

6.6 Deleting a User from a Role

DELETE /engines/acp/ory/{flavor}/roles/{id}/members/{member} HTTP/1.1
Accept: application/json

7 Health Check

7.1 Checking the Liveness Status

GET /health/alive HTTP/1.1
Accept: application/json

Result (the official documentation says this is always ok):

{ "status": "ok" }

7.2 Checking Readiness

GET /health/ready HTTP/1.1
Accept: application/json

7.3 Obtaining the Current Version

GET /version HTTP/1.1
Accept: application/json

8 Test example

PUT http://127.0.0.1:4444/engines/acp/ory/glob/policies

{
  "actions": ["get", "create", "modify", "delete"],
  "conditions": {
    "optionAccess": {
      "type": "CIDRCondition",
      "options": {"cidr": "192.168.0.0/16"}
    }
  },
  "description": "test q",
  "effect": "allow",
  "id": "string",
  "resources": ["blog_posts:my-first-blog-post", "blog_posts:2", "blog_posts:3"],
  "subjects": ["admin", "admin1", "admin2"]
}
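To exercise this sequence end to end (PUT the policy above, then POST an allowed check as in section 4.4), here is an added Python client that is neither part of this page nor of Keto. It assumes the address used on this page, http://127.0.0.1:4444, and the three flavors listed in section 4.3; the context key optionAccess with the sample address 192.168.1.20 is constructed to satisfy the policy's CIDRCondition, and parse_allowed accepts both a JSON boolean and the quoted "true"/"false" shown in section 4.5.

```python
import json
import urllib.request

BASE_URL = "http://127.0.0.1:4444"          # address used on this page
FLAVORS = ("regex", "glob", "exact")         # ORY Access Control Policy flavors

# The policy from the test example above (section 8).
TEST_POLICY = {
    "actions": ["get", "create", "modify", "delete"],
    "conditions": {"optionAccess": {"type": "CIDRCondition",
                                    "options": {"cidr": "192.168.0.0/16"}}},
    "description": "test q",
    "effect": "allow",
    "id": "string",
    "resources": ["blog_posts:my-first-blog-post", "blog_posts:2", "blog_posts:3"],
    "subjects": ["admin", "admin1", "admin2"],
}


def _check_flavor(flavor):
    if flavor not in FLAVORS:
        raise ValueError(f"unknown flavor {flavor!r}; expected one of {FLAVORS}")


def _request(method, path, body=None, base_url=BASE_URL):
    """Build the urllib Request for one Keto engine call without sending it."""
    data = None if body is None else json.dumps(body).encode("utf-8")
    req = urllib.request.Request(base_url + path, data=data, method=method)
    req.add_header("Accept", "application/json")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    return req


def upsert_policy_request(flavor, policy):
    """PUT /engines/acp/ory/{flavor}/policies (section 5.2)."""
    _check_flavor(flavor)
    return _request("PUT", f"/engines/acp/ory/{flavor}/policies", policy)


def allowed_request(flavor, subject, resource, action, context=None):
    """POST /engines/acp/ory/{flavor}/allowed (section 4.4)."""
    _check_flavor(flavor)
    body = {"subject": subject, "resource": resource, "action": action,
            "context": context or {}}
    return _request("POST", f"/engines/acp/ory/{flavor}/allowed", body)


def parse_allowed(raw: bytes) -> bool:
    """Read the {"allowed": ...} answer; tolerate a boolean or "true"/"false"."""
    value = json.loads(raw).get("allowed")
    if isinstance(value, bool):
        return value
    if value in ("true", "false"):
        return value == "true"
    raise ValueError(f"unexpected allowed value: {value!r}")


def send(req, timeout=5):
    """Send a prepared request to a running Keto; returns (status, body bytes)."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    status, _ = send(upsert_policy_request("glob", TEST_POLICY))
    print("PUT policy ->", status)
    status, raw = send(allowed_request("glob", "admin1", "blog_posts:2", "get",
                                       {"optionAccess": "192.168.1.20"}))
    print("allowed check ->", status, {"allowed": parse_allowed(raw)})
```

The request builders are separated from send so that the URL, method and body can be inspected (or logged) before anything touches the server; an unknown flavor is rejected before a request is built.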