Authentication and Authorization
Kura 5 and ESF 7 introduce a centralized authentication and authorization framework based on the OSGi UserAdmin specification. This framework introduce the concepts of identities and permissions:
-
Identity: A Kura identity is related to authentication, an identity has a name and a set of associated credentials, for example a password.
-
Permission: A Kura permission is related to authorization. Zero or more permissions can be assigned to a given identity. Each permission allows to access a set of resources and/or perform certain operations. Permissions can be defined by applications.
Examples of applications that use the new authentication and authorization framework are the Web Console and the REST API framework:
- ESF Web Console provides multi user support, Web Console users are mapped to Kura identities, the Web Console also defines a set of permissions that allow to restrict the operations that a given identity is allowed to perform.
- The ESF REST API framework users are now mapped to Kura identities and REST roles are mapped to Kura permissions. The old
ConfigurationService
based user and role definition mechanism has been dropped.
The authentication and authorization framework only allows to define and store identities and permissions, it does not provide implementation of authentication methods and/or session management. These aspects are left to applications.
Permission and identity representation
Permissions and identities are implemented on top of the UserAdmin User and Group concepts. See OSGi UserAdmin specification for more details on the Role, User and Group concepts.
IdentityService Java APIs
Kura 5.5 introduces a new set of Java APIs that allow to manage Kura identities, the implementation is based on the UserAdmin conventions described in this page, and allows to manipulate Kura identities without interacting directly with the UserAdmin. Please refer to the Javadoc for more details.
The new APIs also provide the capability to implement and register IdentityConfigurationExtensions in the framework.
An IdentityConfigurationExtension can define additional custom configuration parameters for each identity. The custom configuration can be inspected and modified in the Identities section of Kura Web UI and using the identity/v2 rest APIs and MQTT request handler. The IdentityConfigurationExtension implementation can store the additional configuration in the way that is most suitable for the application, for example by adding custom UserAdmin properties or credentials.
Identities
A Kura identity is represented as a UserAdmin User with the following properties:
-
The User name must be in the
kura.user.${identity_name}
form where${identity_name}
is a non empty string representing the identity name. The name of an User representing a Kura identity must start with thekura.user.
prefix. -
A password may be assigned to an identity by defining a property in User credentials with the following format:
- The property name must be
kura.password
- The property value must be a string containing SHA256 hash of the password, as computed by the
String org.eclipse.kura.crypto.CryptoService.sha256Hash(String)
method.
- The property name must be
Starting from ESF 7.1, it is possible to force an identity to change the password at next login by setting the following property in User properties:
kura.need.password.change
:true
encoded as a JSON string.- The property will be cleared automatically after a successful password change on next login.
Starting from ESF 7.5 the following restrictions will be applied by the IdentityService:
- New Identity Names:
- must be at least 3 and at most 255 characters long.
- can only be composed by one or more sequences of alphanumeric characters (
[A-Za-z0-9]+
) separated by the dot or underscore symbols, dot and underscore is not allowed at the beginning or at the end of the permission name, sequences of consecutive dots and/or underscores are not allowed (examples of valid names arefoo1.bAr
,foo
,a.b.c
,foo.bar_baz
).
- New Passwords:
- cannot be empty.
- must satisfy the password strength requirements configured on the system.
- the maximum allowed length is 255 characters.
- cannot contain whitespace characters.
Permissions
A Kura permission is represented as a UserAdmin Group with the following properties:
-
The Group name must be in the
kura.permission.${permission_name}
form where${permission_name}
is a non empty string representing the permission name. The name of a Group representing a Kura permission must start with thekura.permission.
prefix. -
Assigning a permission to a specific identity can be done by adding the User representing the identity to the basic members of the Group representing the permission.
Starting from ESF 7.5 the following restrictions will be applied by the IdentityService to the name new permissions:
- must be at least 3 and at most 255 characters long.
- can only be composed by one or more sequences of alphanumeric characters (
[A-Za-z0-9]+
) separated by the dot symbol, the dot is not allowed at the beginning or at the end of the permission name (examples of valid permission names arefoo1.bAr
,foo
,a.b.c
).
UserAdmin persistence
The org.eclipse.kura.internal.useradmin.store.RoleRepositoryStoreImpl
Kura service allows to persist the UserAdmin state in Kura configuration snapshot, this includes the defined identities and permissions.
The following configuration properties are used to store the UserAdmin concepts in Json format:
-
Role configuration (id roles.config):
Stores the UserAdmin Roles, plain Roles are non used for representing Kura identities and permissions.
The value must be a JSON array of Role elements. -
User configuration (id users.config):
Stores the UserAdmin Users.
The value must be a JSON array of User elements. -
Group configuration (id groups.config):
Stores the UserAdmin Groups.
The value must be a JSON array of Group elements.
JSON representation details
This section describes the JSON format used in org.eclipse.kura.internal.useradmin.store.RoleRepositoryStoreImpl
configuration.
UserAdminDictValue
A value appearing in UserAdmin dictionaries like properties and credentials
-
type :
variant
Variants:- a String property
- type :
string
- type :
- a byte[] property
- type :
array
, element description:
a byte of the array encoded as an unsigned integer- type :
number
- type :
- type :
- a String property
Examples:
"A string property"
[1, 2, 3, 4, 5]
UserAdminDict
A UserAdmin property dictionary, there are no well known property names, property values must be of UserAdminDictValue type
- type :
object
Example:
{
"stringProperty": "A string property",
"byteArrayProperty": [1, 2, 3, 4, 5]
}
Role
An object describing and UserAdmin Role
-
type :
object
Properties: -
name
The role name- type :
string
- type :
-
properties
- optional If the dictionary is empty
User
An object describing and UserAdmin User
-
type :
object
Properties: -
name
The role name- type :
string
- type :
-
properties
- optional If the dictionary is empty
-
credentials
- optional If the dictionary is empty
Example:
{
"name": "kura.user.appadmin",
"credentials": {
"kura.password": "3hPckF8Zc+IF3pVineBvck3zJERUl8itosySULE1hpM="
}
}
Group
An object describing and UserAdmin Group
-
type :
object
Properties: -
name
The role name- type :
string
- type :
-
properties
- optional If the dictionary is empty
-
credentials
- optional If the dictionary is empty
-
basicMembers
- optional If the list is empty
The list of the group basic members- type :
array
, element description:
A role name- type :
string
- type :
- type :
- optional If the list is empty
-
requiredMembers
- optional If the list is empty
The list of the group required members- type :
array
, element description:
A role name- type :
string
- type :
- type :
- optional If the list is empty
Example:
{
"name": "kura.permission.kura.wires.admin",
"basicMembers": ["kura.user.appadmin"]
}
Updated 7 months ago