- Go Web Server, to create access policies and ask for permissions of a subject
- /policies - create access policies
curl -i -X POST --url http://localhost:8080/policies
{
"Subject": "admin",
"Action": "POST",
"Resource": "/iot-repository",
"ID": "admin",
"Effect": "allow"
}curl -i -X POST --url http://localhost:8080/policies
{
"Subject": "admin",
"Action": "has_access_permission",
"Resource": "deviceid"
"ID": "admin",
"Context": {
"type": "device",
"owner": "user"
}
"Effect": "allow"
}curl -i -X GET --url http://localhost:8080/policies?subject=admin- /access - ask for permission
curl -i -X POST --url http://localhost:8080/access
{
"Subject": "admin",
"Action": "POST",
"Resource": "/iot-repository"
}- /share - ask for shared not owned resources, e.g. for what devices does the subject admin got permissions to use
curl -i -X GET --url http://localhost:8080/share?userid=admin&type=devicesdocker pull golang
- Subjects:
- User
- Role
- Actions:
- HTTP Method
- Access
- Ressources:
- URI
- Device Instance ID
- Device Type ID
- role admin is allowed to GET on ressource /iot-device-repo
- user max is allowed to access device instance iot#22323232332 where owner is thomas
- subset generieren bei web ui: checken eigene devices dann instanzen die freigegeben wurde
- device instanz verwenden beim process exceuter: entweder im iot-repo nachfragen und ladon
- one policy per subject e.g. role admin and ressource e.g /iot-repository
- one or multiple actions which can be removed or added later
- policy id is tuple of subject and ressource
- if permissions of a subject in relation to a ressource should be changed, then the existing policy should be changed and no extra policy be created
with Docker
docker build -t ladon .with docker-compose (with database and port 8080)
docker-compose up - run ladon-test.go for unit tests
- run for api tests
- extra endpoint um share policy zu erstellen, um resource "device:" oder "devicetype:" am server nicht am client zu setzen