“This is the 24th day of my participation in the November Gwen Challenge. See details of the event: The Last Gwen Challenge 2021”.

ORY Keto is a permission server that implements best-practice access control mechanisms:

  • Available today: ORY-flavored Access Control Policies with exact, glob and regular-expression matching
  • Coming soon:
    • Access Control Lists (ACL)
    • Role Based Access Control (RBAC)
    • Role Based Access Control with Context (Google/Kubernetes style)
    • Amazon Web Services Identity and Access Management Policies (AWS IAM Policies)

Each mechanism is powered by a decision engine implemented on top of Open Policy Agent (OPA) and provides well-defined administrative and authorization endpoints.

1 Code Download

Keto source download address

Decompress the downloaded source code and place it in the local %GOPATH%/src directory.

::: tip Note
GOPATH is the workspace location for Go projects. GOPATH contains three subdirectories:

  • The src directory contains the Go source files, organized into packages (one per directory)
  • The pkg directory contains compiled package objects
  • The bin directory contains executable commands
:::

2 Key Terms

2.1 RBAC

::: tip RBAC Introduction
RBAC is Role-Based Access Control. In RBAC, permissions are associated with roles, and users obtain the permissions of a role by becoming members of it. This greatly simplifies permission management: permissions are assigned to roles and roles are assigned to users, so the structure is hierarchical, and the permissions are clearly designed and easy to manage. RBAC treats an authorization as a relationship between the triple Who, What and How, i.e. Who performs the How operation on What, or "subject" performs an operation on "object". RBAC is further divided into RBAC0, RBAC1, RBAC2 and RBAC3. If you do not know the difference between them, you can refer to Baidu Baike: RBAC, or read my introduction.

  • Who: the owner or principal of the permission (for example a User or a Role).
  • What: the object or resource the permission applies to.
  • How: the specific right (Privilege: positive authorization or negative authorization).
:::

2.2 ABAC

::: tip ABAC
Attribute-Based Access Control (ABAC). Unlike the common approach of associating users directly with permissions, ABAC makes authorization decisions by dynamically evaluating whether one attribute, or a group of attributes, satisfies a condition (simple logic can be written). Attributes generally fall into four categories: user attributes (such as the user's age), environment attributes (such as the current time), operation attributes (such as read) and object attributes (such as a particular article, also called resource attributes). In theory this allows very flexible permission control that can meet almost any requirement.
:::

::: tip ACL
An Access Control List (ACL) in the authorization sense is a table that lists, for each subject, which operations it may perform on a resource; this is the ACL mechanism Keto lists as "coming soon", and the blog_post table in section 3.4 is an example. The same term is also used for a packet-filtering technology: a network ACL filters packets on an interface according to specified conditions and permits or discards them. Network ACLs are widely used on routers and layer-3 switches to control users' access to the network. The two should not be confused; Keto deals only with the former.
:::

2.3 Fixing a Pitfall

The original database URL in the Go code:

Modified to:

This problem is caused by the way the source code parses the DSN string: the address is parsed with Go's net/url, which rejects the ":3306)" that follows tcp(127.0.0.1 as an invalid port. Do not write the port into the URL; leave it out and the MySQL default port (3306) is used.

3 Running the Project

After compiling the downloaded official source into keto.exe, running it with no arguments prints the command help page.

3.1 Code Examples

config.yaml (the DSN embeds the database password in plaintext, so protect this file like a credential):

```yaml
# if you use the default MySQL port, do not append :3306 (see 2.3)
dsn: mysql://root:minda123@tcp(127.0.0.1)/keto?parseTime=true&multiStatements=true

secrets:
  system:
    - admin1
    - admin2
    - admin3
```

Apply the SQL migrations. The -e flag reads the connection string from the DSN environment variable or the dsn config key, so it does not have to be passed on the command line:

```
>keto.exe --config F:/awesomeProject/bin/config.yaml migrate sql -e

time="2019-12-25T16:27:28+08:00" level=info msg="Connecting with mysql://*:*@tcp(127.0.0.1)/keto?multiStatements=true"
time="2019-12-25T16:27:28+08:00" level=info msg="Connected to SQL!"
time="2019-12-25T16:27:28+08:00" level=info msg="Applying storage SQL migrations..."
time="2019-12-25T16:27:28+08:00" level=info msg="Successfully applied SQL migrations" applied_migrations=1 migration=name
time="2019-12-25T16:27:28+08:00" level=info msg="Done applying storage SQL migrations"
```

3.2 Starting the Service

```
>keto.exe serve --config F:/awesomeProject/bin/config.yaml
```

3.3 Project API

Swagger installation tutorial

Go to the project root directory and serve the API specification with go-swagger:

```
swagger serve -F=swagger F:\awesomeProject\src\github.com\ory\keto\docs\api.swagger.json
```

After it starts it prints the address where the UI is being served; open that address in a browser to see the following page:

3.4 Access Control Models Used

ACL:

An access control list, one row per user and one column per action:

User   blog_post.create  blog_post.delete  blog_post.modify  blog_post.read
Alice  yes               yes               yes               yes
Bob    no                no                no                yes
Peter  yes               no                yes               yes

RBAC:

4 ORY Access Control Policies

4.1 Preparing Policies

PUT request: http://127.0.0.1:4444/engines/acp/ory/glob/policies

Policies are scoped by flavor: a policy created under /glob/ is only consulted by /glob/allowed, never by the regex or exact engines.

```json
{
  "subjects": ["alice"],
  "resources": ["blog_posts:my-first-blog-post"],
  "actions": ["delete"],
  "effect": "allow"
}
```

Also:

```json
{
  "subjects": ["alice", "bob"],
  "resources": ["blog_posts:my-first-blog-post", "blog_posts:2", "blog_posts:3"],
  "actions": ["delete", "create", "read", "modify"],
  "effect": "allow"
}
```

Each PUT writes a new record to the database. A third policy explicitly denies peter; because deny takes precedence over allow, peter stays denied even if another policy allows the same subject, resource and action:

```json
{
  "subjects": ["peter"],
  "resources": ["blog_posts:my-first-blog-post", "blog_posts:2", "blog_posts:3"],
  "actions": ["delete", "create", "read", "modify"],
  "effect": "deny"
}
```

The : is the delimiter in ORY Access Control Policies (glob flavor). Other supported syntax is:

  • single symbol wildcard: ?at matches cat and bat but not at
  • wildcard: foo:*:bar matches foo:baz:bar and foo:zab:bar but not foo:bar nor foo:baz:baz:bar
  • super wildcard: foo:**:bar matches foo:baz:baz:bar, foo:baz:bar, and foo:bar, but not foobar or foo:baz
  • character list: [cb]at matches cat and bat but not mat nor at
  • negated character list: [!cb]at matches tat and mat but not cat nor bat
  • ranged character list: [a-c]at matches cat and bat but not mat nor at
  • negated ranged character list: [!a-c]at matches mat and tat but not cat nor bat
  • alternatives list: {cat,bat,[mt]at} matches cat, bat, mat, tat and nothing else
  • backslash: foo\\bar matches foo\bar and nothing else; foo\bar matches foobar and nothing else; foo\*bar matches foo*bar and nothing else. Please note that when using JSON you need to double escape backslashes: foo\\bar becomes {"...": "foo\\\\bar"}.

The pattern syntax is:

```
pattern:
    { term }

term:
    `*`         matches any sequence of non-separator characters
    `**`        matches any sequence of characters
    `?`         matches any single non-separator character
    `[` [ `!` ] { character-range } `]`
                character class (must be non-empty)
    `{` pattern-list `}`
                pattern alternatives
    c           matches character c (c != `*`, `**`, `?`, `\`, `[`, `{`, `}`)
    `\` c       matches character c

character-range:
    c           matches character c (c != `\\`, `-`, `]`)
    `\` c       matches character c
    lo `-` hi   matches character c for lo <= c <= hi

pattern-list:
    pattern { `,` pattern }
                comma-separated (without spaces) patterns
```
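To see how these rules behave on concrete values, the following Go program is an added example written for this page; it is not Keto's code (Keto uses the gobwas/glob library). It compiles a glob in the syntax above into a Go regexp with `:` as the separator, and treats `:**:` so that foo:**:bar also matches foo:bar, as the list above states. The patterns in main() are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// sep is the ORY ACP delimiter between segments (e.g. "blog_posts:2").
const sep = ':'

// globToRegexp compiles a glob written in the syntax listed above into a Go
// regexp. Illustrative re-implementation for this page; Keto itself uses the
// gobwas/glob library, not this code. Supported: ?, *, **, [..], [!..],
// {a,b} alternatives and backslash escapes.
func globToRegexp(pattern string) (*regexp.Regexp, error) {
	var b strings.Builder
	b.WriteString("^")
	s := regexp.QuoteMeta(string(sep)) // separator as a regexp literal
	inClass := false                   // currently inside [...]
	depth := 0                         // nesting depth of {...}
	r := []rune(pattern)
	for i := 0; i < len(r); i++ {
		c := r[i]
		if inClass {
			switch {
			case c == ']':
				inClass = false
				b.WriteRune(']')
			case c == '\\' && i+1 < len(r): // escaped char inside a class
				i++
				b.WriteString(regexp.QuoteMeta(string(r[i])))
			default: // '-' keeps its lo-hi meaning, everything else is literal
				b.WriteString(regexp.QuoteMeta(string(c)))
			}
			continue
		}
		switch c {
		case sep:
			// ":**:" also matches a single ":", so foo:**:bar matches foo:bar
			if i+3 < len(r) && r[i+1] == '*' && r[i+2] == '*' && r[i+3] == sep {
				b.WriteString("(?:" + s + ".*)?")
				i += 2
			} else {
				b.WriteString(s)
			}
		case '*':
			if i+1 < len(r) && r[i+1] == '*' {
				i++
				b.WriteString(".*") // ** crosses separators
			} else {
				b.WriteString("[^" + s + "]*") // * stops at a separator
			}
		case '?':
			b.WriteString("[^" + s + "]")
		case '[':
			inClass = true
			b.WriteRune('[')
			if i+1 < len(r) && r[i+1] == '!' {
				i++
				b.WriteRune('^') // negated class
			}
		case '{':
			depth++
			b.WriteString("(?:")
		case ',':
			if depth > 0 {
				b.WriteRune('|')
			} else {
				b.WriteRune(',')
			}
		case '}':
			if depth == 0 {
				return nil, fmt.Errorf("unmatched } in %q", pattern)
			}
			depth--
			b.WriteRune(')')
		case '\\':
			if i+1 >= len(r) {
				return nil, fmt.Errorf("trailing backslash in %q", pattern)
			}
			i++
			b.WriteString(regexp.QuoteMeta(string(r[i])))
		default:
			b.WriteString(regexp.QuoteMeta(string(c)))
		}
	}
	if inClass || depth != 0 {
		return nil, fmt.Errorf("unbalanced [ or { in %q", pattern)
	}
	b.WriteString("$")
	return regexp.Compile(b.String())
}

// Match reports whether value matches the whole glob pattern.
func Match(pattern, value string) (bool, error) {
	re, err := globToRegexp(pattern)
	if err != nil {
		return false, err
	}
	return re.MatchString(value), nil
}

func main() {
	for _, p := range []string{"foo:*:bar", "foo:**:bar", "{cat,bat,[mt]at}", "users:maria:*"} {
		ok, _ := Match(p, "foo:baz:baz:bar")
		fmt.Printf("%-18s matches foo:baz:baz:bar: %v\n", p, ok)
	}
}
```

Match("foo:*:bar", "foo:baz:baz:bar") is false because `*` cannot cross a separator, while Match("foo:**:bar", "foo:baz:baz:bar") is true. A glob that does not compile (unbalanced `[` or `{`, trailing backslash) is reported as an error rather than silently matching nothing, which is the behaviour you want from a policy pattern.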

4.2 JSON Example

A full policy document from the ORY docs. Note that it mixes glob syntax in subjects (users:maria:*) with regex syntax in resources (<.*>); under the glob flavor the angle brackets are matched literally, so use one flavor's syntax in a real policy. The keys under conditions are looked up in the context sent with the allowed request, and SomeConditionType is a placeholder rather than a real condition type. The context block at the end shows the shape of request context that StringPairsEqualCondition expects; in practice the context travels with the allowed request, not in the stored policy.

```json
{
  "description": "One policy to rule them all.",
  "subjects": ["users:maria:*"],
  "actions": ["delete", "create", "update", "modify", "get", "read"],
  "effect": "allow",
  "resources": ["resources:articles:<.*>"],
  "conditions": {
    "someKeyName": {
      "type": "StringMatchCondition",
      "options": { "matches": "foo.+" }
    },
    "someKey": {
      "type": "StringPairsEqualCondition",
      "options": {}
    },
    "myKey": {
      "type": "StringEqualCondition",
      "options": { "equals": "expected-value" }
    },
    "remoteIPAddress": {
      "type": "CIDRCondition",
      "options": { "cidr": "192.168.0.0/16" }
    },
    "this-key-will-be-matched-with-the-context": {
      "type": "SomeConditionType",
      "options": { "some": "configuration options set by the condition type" }
    }
  },
  "context": {
    "someKey": [["foo", "foo"], ["bar", "bar"]]
  }
}
```

4.3 Main Request and Response Description

Error response body (returned with non-2xx status codes):

Name                  Type            Required  Restrictions  Description
code                  integer(int64)  false     none          none
details               [object]        false     none          none
additionalProperties  object          false     none          none
message               string          false     none          none
reason                string          false     none          none
request               string          false     none          none
status                string          false     none          none

Request parameters:

Parameter  In    Type    Required  Description
flavor     path  string  true      The ORY Access Control Policy flavor. Can be "regex", "glob", or "exact".

4.4 Checking Whether a Request Is Allowed

Request header:

```
POST /engines/acp/ory/{flavor}/allowed HTTP/1.1
Content-Type: application/json
Accept: application/json
```

Body:

```json
{
  "action": "string",
  "context": {
    "property1": {},
    "property2": {}
  },
  "resource": "string",
  "subject": "string"
}
```

4.5 Parameter List

OryAccessControlPolicyAllowedInput

Name                  Type    Required  Restrictions  Description
action                string  false     none          Action is the action that is requested on the resource.
context               object  false     none          Context is the request's environmental context.
additionalProperties  object  false     none          none
resource              string  false     none          Resource is the resource that access is requested to.
subject               string  false     none          Subject is the subject that is requesting access.

Response:

```json
{"allowed": true}
```

or

```json
{"allowed": false}
```

allowed is a JSON boolean, not the string "true", and a denied decision is also signalled with HTTP status 403, so check the status as well as the body. The decision follows the ORY policy rules: a request is denied unless at least one matching policy has effect allow, and any matching policy with effect deny overrides every allow. A policy matches only if subject, resource and action each match one of its patterns and every one of its conditions is satisfied by the value under the same key in context; a missing context key fails the condition.
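The decision rules just described (default deny, deny overrides allow, every condition must be met by the request context), as an added Go example written for this page rather than Keto's own engine. It uses the exact flavor for matching and implements only CIDRCondition; the policy set in SamplePolicies() is constructed from the policies in 4.1 and section 8, plus an extra allow policy for peter (an assumption, not on the page) so that the deny-wins rule is visible.

```go
package main

import (
	"fmt"
	"net"
)

// Policy mirrors the ORY Access Control Policy fields from the API tables
// on this page. Added illustration for this page, not Keto's own engine.
type Policy struct {
	ID                           string
	Subjects, Resources, Actions []string
	Effect                       string // "allow" or "deny"
	Conditions                   map[string]Condition
}

// Condition is checked against the request-context value stored under the
// same key as the condition; a missing key makes it fail.
type Condition func(ctxValue interface{}) bool

// CIDRCondition: the context value must be an IP string inside cidr.
func CIDRCondition(cidr string) Condition {
	_, network, err := net.ParseCIDR(cidr)
	return func(v interface{}) bool {
		s, ok := v.(string)
		if err != nil || !ok {
			return false
		}
		ip := net.ParseIP(s)
		return ip != nil && network.Contains(ip)
	}
}

// Request is the body of POST /engines/acp/ory/{flavor}/allowed.
type Request struct {
	Subject, Resource, Action string
	Context                   map[string]interface{}
}

// Matcher compares a policy pattern with a request value; exactMatch is the
// "exact" flavor, a glob or regex matcher can be plugged in for the others.
type Matcher func(pattern, value string) bool

func exactMatch(pattern, value string) bool { return pattern == value }

func anyMatch(m Matcher, patterns []string, value string) bool {
	for _, p := range patterns {
		if m(p, value) {
			return true
		}
	}
	return false
}

// applies reports whether policy p matches request r, conditions included.
func applies(p Policy, r Request, m Matcher) bool {
	if !anyMatch(m, p.Subjects, r.Subject) || !anyMatch(m, p.Resources, r.Resource) || !anyMatch(m, p.Actions, r.Action) {
		return false
	}
	for key, cond := range p.Conditions {
		if v, ok := r.Context[key]; !ok || !cond(v) {
			return false
		}
	}
	return true
}

// Allowed applies the decision rules: default deny, and one matching "deny"
// policy overrides any number of matching "allow" policies.
func Allowed(policies []Policy, r Request, m Matcher) bool {
	allowed := false
	for _, p := range policies {
		if !applies(p, r, m) {
			continue
		}
		if p.Effect == "deny" {
			return false
		}
		allowed = allowed || p.Effect == "allow"
	}
	return allowed
}

// SamplePolicies is constructed from the page's examples: alice may delete
// her post, peter has both an allow (assumed) and a deny (the deny wins), and
// the admin subjects of section 8 are allowed only from 192.168.0.0/16.
func SamplePolicies() []Policy {
	posts := []string{"blog_posts:my-first-blog-post", "blog_posts:2", "blog_posts:3"}
	all := []string{"delete", "create", "read", "modify"}
	return []Policy{
		{ID: "alice-delete", Subjects: []string{"alice"}, Resources: posts[:1], Actions: []string{"delete"}, Effect: "allow"},
		{ID: "peter-allow", Subjects: []string{"peter"}, Resources: posts, Actions: all, Effect: "allow"},
		{ID: "peter-deny", Subjects: []string{"peter"}, Resources: posts, Actions: all, Effect: "deny"},
		{ID: "admin-lan", Subjects: []string{"admin", "admin1", "admin2"}, Resources: posts,
			Actions: []string{"get", "create", "modify", "delete"}, Effect: "allow",
			Conditions: map[string]Condition{"optionAccess": CIDRCondition("192.168.0.0/16")}},
	}
}

func main() {
	r := Request{Subject: "admin1", Resource: "blog_posts:2", Action: "get", Context: map[string]interface{}{"optionAccess": "10.0.0.1"}}
	fmt.Println("admin1 from 10.0.0.1 allowed:", Allowed(SamplePolicies(), r, exactMatch))
}
```

Two behaviours worth noticing: bob, who has no policy at all, is denied without any policy being consulted (default deny), and admin1 is denied when the allowed request carries no optionAccess key, because an absent context value fails the CIDRCondition rather than being skipped.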

5 Operations on Access Control Policies

5.1 Listing Access Control Policies

```
GET /engines/acp/ory/{flavor}/policies HTTP/1.1
Accept: application/json
```

Parameters:

Parameter  In     Type            Required  Description
flavor     path   string          true      The ORY Access Control Policy flavor. Can be "regex", "glob", or "exact".
limit      query  integer(int64)  false     The maximum number of policies returned.
offset     query  integer(int64)  false     The offset from where to start looking.
subject    query  string          false     The subject for whom the policies are to be listed.
resource   query  string          false     The resource for which the policies are to be listed.
action     query  string          false     The action for which policies are to be listed.

5.2 Creating or Updating an Access Control Policy

```
PUT /engines/acp/ory/{flavor}/policies HTTP/1.1
Content-Type: application/json
Accept: application/json
```

This is an upsert keyed on id: a PUT whose id already exists replaces that policy, so a body sent twice with the same id updates rather than duplicates it.

Parameters:

Parameter             Type      Required  Restrictions  Description
actions               [string]  false     none          Actions is an array representing all the actions this ORY Access Policy applies to.
conditions            object    false     none          Conditions represents a keyed object of conditions under which this ORY Access Policy is active.
additionalProperties  object    false     none          none
description           string    false     none          Description is an optional, human-readable description.
effect                string    false     none          Effect is the effect of this ORY Access Policy. It can be "allow" or "deny".
id                    string    false     none          A unique identifier for an access policy that can be queried, updated, and deleted.
resources             [string]  false     none          Resources is an array representing all the resources this ORY Access Policy applies to.
subjects              [string]  false     none          Subjects is an array representing all the subjects this ORY Access Policy applies to.

5.3 Querying a Specific Policy

```
GET /engines/acp/ory/{flavor}/policies/{id} HTTP/1.1
Accept: application/json
```

5.4 Deleting an Access Control Policy

```
DELETE /engines/acp/ory/{flavor}/policies/{id} HTTP/1.1
Accept: application/json
```

6 Operations on Access Control Policy Roles

A role groups members (subjects) under one id; the role id can then be used as a subject in policies so that a single policy covers every member of the role.

6.1 Listing Access Control Roles

```
GET /engines/acp/ory/{flavor}/roles HTTP/1.1
Accept: application/json
```

Parameter description:

Parameter  In     Type            Required  Description
flavor     path   string          true      The ORY Access Control Policy flavor. Can be "regex", "glob", or "exact".
limit      query  integer(int64)  false     The maximum number of roles returned.
offset     query  integer(int64)  false     The offset from where to start looking.
member     query  string          false     The member for which the roles are to be listed.

6.2 Adding an Access Control Role

```
PUT /engines/acp/ory/{flavor}/roles HTTP/1.1
Content-Type: application/json
Accept: application/json
```

Example:

```json
{
  "id": "string",
  "members": ["string"]
}
```

Parameters:

Parameter  Type      Required  Description
id         string    false     ID is the role's unique id.
members    [string]  false     Members is who belongs to the role.

6.3 Getting Access Control Role Information

```
GET /engines/acp/ory/{flavor}/roles/{id} HTTP/1.1
Accept: application/json
```

6.4 Deleting an Access Control Role

```
DELETE /engines/acp/ory/{flavor}/roles/{id} HTTP/1.1
Accept: application/json
```

6.5 Adding Members to a Role

```
PUT /engines/acp/ory/{flavor}/roles/{id}/members HTTP/1.1
Content-Type: application/json
Accept: application/json

{"members": ["string"]}
```

6.6 Removing a Member from a Role

```
DELETE /engines/acp/ory/{flavor}/roles/{id}/members/{member} HTTP/1.1
Accept: application/json
```

7 Health Check

7.1 Liveness

```
GET /health/alive HTTP/1.1
Accept: application/json
```

Result (per the official docs this is always ok as long as the HTTP server is up; it does not check the database):

```json
{ "status": "ok" }
```

7.2 Readiness

```
GET /health/ready HTTP/1.1
Accept: application/json
```

Readiness additionally checks the service's dependencies such as the database connection, so this is the endpoint to use for load-balancer health checks.

7.3 Getting the Current Version

```
GET /version HTTP/1.1
Accept: application/json
```

8 Test Example

PUT http://127.0.0.1:4444/engines/acp/ory/glob/policies with body:

```json
{
  "actions": ["get", "create", "modify", "delete"],
  "conditions": {
    "optionAccess": {
      "type": "CIDRCondition",
      "options": { "cidr": "192.168.0.0/16" }
    }
  },
  "description": "test q",
  "effect": "allow",
  "id": "string",
  "resources": ["blog_posts:my-first-blog-post", "blog_posts:2", "blog_posts:3"],
  "subjects": ["admin", "admin1", "admin2"]
}
```

Two things to watch when testing this policy: id is the upsert key, so every PUT with "id": "string" overwrites the same policy instead of adding a new one; and the CIDRCondition is keyed by optionAccess, so the allowed request must carry the client IP as "context": {"optionAccess": "192.168.x.y"}, otherwise the condition fails and the request is denied.