Access Control Service
A microservice for access control, part of Restorecommerce.
Features
- Attribute-based access control inspired by XACML.
- Implements the PAP (partially), PDP and PRP.
- Supports arbitrary policies based on arbitrary attributes, such as scoped roles as supported by the Identity Service.
- Controls access to distributed resources centrally using Rule, Policy and PolicySet.
- Authorization policies can be updated at run time.
- Emits events to trigger cache invalidation of the acs-client via the flushCacheCommand event.
- Mechanism to calculate hierarchical scopes for a subject using Kafka, with caching of the subject and hierarchical scopes and invalidation of the cache.
- Support for access control lists.
A detailed description on how ABAC is implemented in Restorecommerce.
Configuration
A GraphQL adapter has been integrated into the service for executing context queries (io.restorecommerce.rule.ContextQuery) to obtain the information required to make the access decision.
This GraphQL endpoint can be configured using the adapter.graphql.url property in the configuration.
API
This microservice exposes the following gRPC endpoints:
Rule
A Rule resource.
io.restorecommerce.rule.Rule
| Field | Type | Label | Description |
|---|---|---|---|
| id | string | optional | Rule ID |
| name | string | optional | Rule name |
| description | string | optional | Rule description |
| target | | optional | Rule target |
| context_query | | optional | GraphQL query which can be performed to obtain required info for request |
| condition | string | optional | Custom Javascript code to check if rule is applicable |
| effect | | optional | Rule effect; possible values are |
io.restorecommerce.access_control.Target
| Field | Type | Label | Description |
|---|---|---|---|
| subjects | | optional | Entity requesting access |
| resources | | optional | Resources to be accessed |
| actions | | optional | Action to be performed on resources |
io.restorecommerce.attribute.Attribute
| Field | Type | Label | Description |
|---|---|---|---|
| id | string | optional | Attribute ID |
| value | string | optional | Attribute value |
| attributes | [ ] | optional | Nested Attributes |
io.restorecommerce.rule.ContextQuery
| Field | Type | Label | Description |
|---|---|---|---|
| query | string | required | Query to retrieve external resources |
| filters | | optional | List of argument keys to be passed from |
Policy
A Policy resource consisting of a set of Rules.
io.restorecommerce.policy.Policy
| Field | Type | Label | Description |
|---|---|---|---|
| id | string | optional | Policy ID |
| name | string | optional | Policy name |
| description | string | optional | Policy description |
| target | | optional | Policy target |
| rules | [ ] | optional | List of rules bound to a policy |
| combining_algorithm | string | optional | Combining algorithm to be applied to the rules set |
PolicySet
A PolicySet resource consisting of a set of Policies.
io.restorecommerce.policy_set.PolicySet
| Field | Type | Label | Description |
|---|---|---|---|
| id | string | optional | Policy ID |
| name | string | optional | Policy name |
| description | string | optional | Policy description |
| target | | optional | Policy target |
| policies | [ ] | optional | List of policies bound to a policy set |
| combining_algorithm | string | optional | Combining algorithm to be applied to the policy set |
IsAllowed
This operation is used when the target resource is known, and it decides the outcome of an access control request.
When a policy or policy set is found to apply to a given request, its rules are evaluated to determine the access decision
and response. Requests are performed by providing an io.restorecommerce.access_control.Request protobuf message as input,
and responses are an io.restorecommerce.access_control.Response message.
io.restorecommerce.access_control.Request
| Field | Type | Label | Description |
|---|---|---|---|
| target | | required | Request target |
| context | | required | Context variables for access control decisions based on custom scripts |
io.restorecommerce.access_control.Context
| Field | Type | Label | Description |
|---|---|---|---|
| subject | | required | Subject requesting access |
| resources | | required | Resources to access |
| security | | optional | security context |
io.restorecommerce.access_control.Response
| Field | Type | Label | Description |
|---|---|---|---|
| decision | | required | Access decision; possible values are |
| obligation | | optional | list of Obligation attached to decision |
| operation_status | | required | operation status code and message |
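
The IsAllowed evaluation described above, as an added example that is not the service's own code: a request target is matched against PolicySet, Policy and Rule targets, and the results are merged by the combining algorithm. The decision and effect values, the algorithm names permitOverrides and denyOverrides (taken from XACML) and the example: attribute ids are assumptions; rule conditions and context queries are left out.

```javascript
// Added example. PERMIT/DENY/NOT_APPLICABLE and the two algorithm names are
// assumptions taken from XACML; attribute ids and sample data are constructed.
const PERMIT = 'PERMIT', DENY = 'DENY', NOT_APPLICABLE = 'NOT_APPLICABLE';

// A target list matches when each attribute it names is in the request;
// a missing or empty list places no constraint.
const listMatches = (wanted = [], given = []) =>
  wanted.every(w => given.some(g => g.id === w.id && g.value === w.value));
const targetMatches = (target, reqTarget) => !target ||
  ['subjects', 'resources', 'actions'].every(k => listMatches(target[k], reqTarget[k]));

// Combine child decisions, ignoring children that did not apply.
// Any algorithm other than permitOverrides is treated as deny-overrides.
function combine(algorithm, decisions) {
  const applicable = decisions.filter(d => d !== NOT_APPLICABLE);
  if (applicable.length === 0) return NOT_APPLICABLE;
  const winner = algorithm === 'permitOverrides' ? PERMIT : DENY;
  return applicable.includes(winner) ? winner : applicable[0];
}

// Rule conditions and context queries are not evaluated in this sketch.
function evaluatePolicy(policy, reqTarget) {
  if (!targetMatches(policy.target, reqTarget)) return NOT_APPLICABLE;
  return combine(policy.combining_algorithm, (policy.rules || []).map(rule =>
    targetMatches(rule.target, reqTarget) ? rule.effect : NOT_APPLICABLE));
}

function isAllowed(policySet, request) {
  if (!targetMatches(policySet.target, request.target)) return NOT_APPLICABLE;
  return combine(policySet.combining_algorithm,
    (policySet.policies || []).map(p => evaluatePolicy(p, request.target)));
}

const attr = (id, value) => ({ id, value });
const examplePolicySet = {
  id: 'example-set', combining_algorithm: 'denyOverrides',
  policies: [{
    id: 'orders', combining_algorithm: 'permitOverrides',
    target: { resources: [attr('example:entity', 'order')] },
    rules: [
      { id: 'admin-any', effect: PERMIT, target: { subjects: [attr('example:role', 'admin')] } },
      { id: 'no-delete', effect: DENY, target: { actions: [attr('example:action', 'delete')] } },
    ],
  }],
};
const makeRequest = (role, entity, action) => ({
  target: { subjects: [attr('example:role', role)],
    resources: [attr('example:entity', entity)],
    actions: [attr('example:action', action)] },
  context: {},
});
console.log(isAllowed(examplePolicySet, makeRequest('admin', 'order', 'delete')));
```

A caller enforcing the result would grant access only on PERMIT, so a NOT_APPLICABLE outcome (no policy or rule matched) is handled the same way as a denial.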
WhatIsAllowed
This operation is used when there is no specific target resource for a request. It returns a reverse query containing
only the policies and rules applicable to a given request. They can then be used on the client side to infer permissions.
Requests are performed by providing an io.restorecommerce.access_control.Request protobuf message as input, and responses are
an io.restorecommerce.access_control.ReverseQuery message.
NOTE: For the IsAllowed and WhatIsAllowed operations, if the context contains the subject token and identifier, the service emits a message
to a Kafka topic with the event name hierarchicalScopesRequest.
The service responsible for creating the hierarchical scopes consumes this message and sends back a hierarchicalScopesResponse, which this service then saves
to the Redis subject cache.
If the subject's role associations are modified, this service invalidates both the subject cache and the acs-client cache.
This cache for storing the subject and hierarchical scopes is mandatory for optimal performance of the service.
io.restorecommerce.access_control.Request
| Field | Type | Label | Description |
|---|---|---|---|
| target | | required | Request target |
| context | | required | Context variables for access control decisions based on custom scripts |
io.restorecommerce.access_control.ReverseQuery
| Field | Type | Label | Description |
|---|---|---|---|
| policy_sets | | optional | List of applicable policy sets |
| obligations | | optional | Obligations attached to rules / policies |
| operation_status | | required | operation status code and message |
io.restorecommerce.policy_set.PolicySetRQ
| Field | Type | Label | Description |
|---|---|---|---|
| id | string | optional | Policy Set ID |
| target | | optional | Policy set target |
| combining_algorithm | string | optional | Combining algorithm |
| effect | | optional | A policy target’s effect (only applicable if there are no rules) |
| policies | | optional | List of policies bound to a policy set |
io.restorecommerce.policy.PolicyRQ
| Field | Type | Label | Description |
|---|---|---|---|
| id | string | optional | Policy ID |
| target | | optional | Policy target |
| combining_algorithm | string | optional | Combining algorithm |
| effect | | optional | A policy’s effect (only applicable if there are no rules) |
| has_rules | bool | optional | Flag to infer if effect should be considered or not |
| rules | | optional | List of policies bound to a policy set |
io.restorecommerce.rule.RuleRQ
| Field | Type | Label | Description |
|---|---|---|---|
| id | string | optional | Policy Set ID |
| target | | optional | Policy set target |
| effect | | optional | A policy’s effect (only applicable if there are no rules) |
CRUD Operations
The microservice exposes the following CRUD operations for creating or modifying Rule, Policy and PolicySet resources.
| Method Name | Request Type | Response Type | Description |
|---|---|---|---|
| Create | | | List of \<resourceName> to be created |
| Read | | | List of \<resourceName> |
| Update | | | List of \<resourceName> to be updated |
| Upsert | | | List of \<resourceName> to be created or updated |
| Delete | | | List of resource IDs to be deleted |

For the detailed fields of the protobuf messages io.restorecommerce.resourcebase.ReadRequest and
io.restorecommerce.resourcebase.DeleteRequest, refer to resource-base-interface.
Events
Emitted
Events emitted by this microservice, by topic:
| Topic Name | Event Name | Description |
|---|---|---|
| | | system restore response |
| | | system reset response |
| | | system health check response |
| | | system version response |
| | | configuration update response |
| | | Command event to flush ACS Cache |
| | | flush ACS Cache response |
| | | set API Key response |
| | | emitted when policy_set is created |
| | | emitted when policy_set is modified |
| | | emitted when policy_set is deleted |
| | | emitted when policy is created |
| | | emitted when policy is modified |
| | | emitted when policy is deleted |
| | | emitted when rule is created |
| | | emitted when rule is modified |
| | | emitted when rule is deleted |
| | | emitted when HierarchicalScope does not exist in subject |
Consumed
This microservice consumes messages for the following events by topic:
| Topic Name | Event Name | Description |
|---|---|---|
| | | used for system restore |
| | | used for system reset |
| | | to get system health check |
| | | to get system version |
| | | flushes ACS Cache |
| | | used to update configurations |
| | | used to set API key |
| | | emitted when HierarchicalScope response is received |