Authentication and Authorization
Kura 5 and ESF 7 introduce a centralized authentication and authorization framework based on the OSGi UserAdmin specification. This framework introduce the concepts of identities and permissions:
-
Identity: A Kura identity is related to authentication, an identity has a name and a set of associated credentials, for example a password.
-
Permission: A Kura permission is related to authorization. Zero or more permissions can be assigned to a given identity. Each permission allows to access a set of resources and/or perform certain operations. Permissions can be defined by applications.
Examples of applications that use the new authentication and authorization framework are the Web Console and the REST API framework:
- ESF Web Console provides multi user support, Web Console users are mapped to Kura identities, the Web Console also defines a set of permissions that allow to restrict the operations that a given identity is allowed to perform.
- The ESF REST API framework users are now mapped to Kura identities and REST roles are mapped to Kura permissions. The old
ConfigurationService
based user and role definition mechanism has been dropped.
The authentication and authorization framework only allows to define and store identities and permissions, it does not provide implementation of authentication methods and/or session management. These aspects are left to applications.
Permission and identity representation
Permissions and identities are implemented on top of the UserAdmin User and Group concepts. See OSGi UserAdmin specification for more details on the Role, User and Group concepts.
Identities
A Kura identity is represented as a UserAdmin User with the following properties:
-
The User name must be in the
kura.user.${identity_name}
form where${identity_name}
is a non empty string representing the identity name. The name of an User representing a Kura identity must start with thekura.user.
prefix. -
A password may be assigned to an identity by defining a property in User credentials with the following format:
- The property name must be
kura.password
- The property value must be a string containing SHA256 hash of the password, as computed by the
String org.eclipse.kura.crypto.CryptoService.sha256Hash(String)
method.
- The property name must be
-
Starting from ESF 7.1, it is possible to force an identity to change the password at next login by setting the following property in User properties:
kura.need.password.change
:true
encoded as a JSON string.- The property will be cleared automatically after a successful password change on next login.
Permissions
A Kura permission is represented as a UserAdmin Group with the following properties:
-
The Group name must be in the
kura.permission.${permission_name}
form where${permission_name}
is a non empty string representing the permission name. The name of a Group representing a Kura permission must start with thekura.permission.
prefix. -
Assigning a permission to a specific identity can be done by adding the User representing the identity to the basic members of the Group representing the permission.
UserAdmin persistence
The org.eclipse.kura.internal.useradmin.store.RoleRepositoryStoreImpl
Kura service allows to persist the UserAdmin state in Kura configuration snapshot, this includes the defined identities and permissions.
The following configuration properties are used to store the UserAdmin concepts in Json format:
-
Role configuration (id roles.config):
Stores the UserAdmin Roles, plain Roles are non used for representing Kura identities and permissions.
The value must be a JSON array of Role elements. -
User configuration (id users.config):
Stores the UserAdmin Users.
The value must be a JSON array of User elements. -
Group configuration (id groups.config):
Stores the UserAdmin Groups.
The value must be a JSON array of Group elements.
JSON representation details
This section describes the JSON format used in org.eclipse.kura.internal.useradmin.store.RoleRepositoryStoreImpl
configuration.
UserAdminDictValue
A value appearing in UserAdmin dictionaries like properties and credentials
-
type :
variant
Variants:- a String property
- type :
string
- type :
- a byte[] property
- type :
array
, element description:
a byte of the array encoded as an unsigned integer- type :
number
- type :
- type :
- a String property
Examples:
"A string property"
[1, 2, 3, 4, 5]
UserAdminDict
A UserAdmin property dictionary, there are no well known property names, property values must be of UserAdminDictValue type
- type :
object
Example:
{
"stringProperty": "A string property",
"byteArrayProperty": [1, 2, 3, 4, 5]
}
Role
An object describing and UserAdmin Role
-
type :
object
Properties: -
name
The role name- type :
string
- type :
-
properties
- optional If the dictionary is empty
User
An object describing and UserAdmin User
-
type :
object
Properties: -
name
The role name- type :
string
- type :
-
properties
- optional If the dictionary is empty
-
credentials
- optional If the dictionary is empty
Example:
{
"name": "kura.user.appadmin",
"credentials": {
"kura.password": "3hPckF8Zc+IF3pVineBvck3zJERUl8itosySULE1hpM="
}
}
Group
An object describing and UserAdmin Group
-
type :
object
Properties: -
name
The role name- type :
string
- type :
-
properties
- optional If the dictionary is empty
-
credentials
- optional If the dictionary is empty
-
basicMembers
- optional If the list is empty
The list of the group basic members- type :
array
, element description:
A role name- type :
string
- type :
- type :
- optional If the list is empty
-
requiredMembers
- optional If the list is empty
The list of the group required members- type :
array
, element description:
A role name- type :
string
- type :
- type :
- optional If the list is empty
Example:
{
"name": "kura.permission.kura.wires.admin",
"basicMembers": ["kura.user.appadmin"]
}
Updated almost 3 years ago