From 8bbe1247578d6bbc0b93f63740f4edfeb26ea460 Mon Sep 17 00:00:00 2001 From: Mohammad Ghazanfar Ali Danish <62088117+mdanish98@users.noreply.github.com> Date: Wed, 31 Jul 2024 08:46:28 +0200 Subject: [PATCH] Improves access rule processing algorithm for performance optimization (#367) * Initial commit Signed-off-by: Mohammad Ghazanfar Ali Danish * Improves access rule processing algorithm for performance optimization Signed-off-by: Mohammad Ghazanfar Ali Danish * Modifies remove Rbac rule parameter Signed-off-by: Mohammad Ghazanfar Ali Danish * Fixes incorrect Javadoc Signed-off-by: Mohammad Ghazanfar Ali Danish --------- Signed-off-by: Mohammad Ghazanfar Ali Danish --- .../Readme.md | 1 + .../Readme.md | 4 +- .../Readme.md | 4 +- .../rbac/CommonRbacConfiguration.java | 6 ++ .../InMemoryAuthorizationRbacStorage.java | 34 ++++++++--- .../rbac/RbacRuleConfiguration.java | 4 +- .../rbac/RbacRuleDeserializer.java | 60 +++++++++++++++++++ .../rbac/RbacRuleInitializer.java | 19 +++--- .../rbac/RbacRuleKeyGenerator.java | 55 +++++++++++++++++ .../basyx/authorization/rbac/RbacStorage.java | 10 ++-- .../rbac/SimpleRbacPermissionResolver.java | 21 +------ .../Readme.md | 4 +- .../Readme.md | 4 +- .../Readme.md | 4 +- 14 files changed, 185 insertions(+), 45 deletions(-) create mode 100644 basyx.common/basyx.authorization/src/main/java/org/eclipse/digitaltwin/basyx/authorization/rbac/RbacRuleDeserializer.java create mode 100644 basyx.common/basyx.authorization/src/main/java/org/eclipse/digitaltwin/basyx/authorization/rbac/RbacRuleKeyGenerator.java diff --git a/basyx.aasenvironment/basyx.aasenvironment-feature-authorization/Readme.md b/basyx.aasenvironment/basyx.aasenvironment-feature-authorization/Readme.md index 4ebbbfabf..a21c7ea0b 100644 --- a/basyx.aasenvironment/basyx.aasenvironment-feature-authorization/Readme.md +++ b/basyx.aasenvironment/basyx.aasenvironment-feature-authorization/Readme.md 
@@ -90,6 +90,7 @@ Note: * The Action are fixed as of now and limited to (CREATE, READ, UPDATE, DELETE, and EXECUTE) but later user configurable mapping of these actions would be provided. * For the serialization related requests there should be defined rules for accessing the AASs/Submodels/Concept Descriptions, as the serialization requires all of these elements. For e.g, a role with serialization is configured for Aas Environment target information but if there is no role for reading the AAS/Submodel/Concept Description then the request will be denied. * For the upload related requests there should be defined rules for reading, creating, and updating the AASs/Submodels/Concept Descriptions, as the upload requests performs creation, updation, and request operations on the AASs/Submodels/Concept Descriptions contained in the uploaded file, hence appropriate rules should be configured for the subject in consideration. +* Each rule should be unique in combination of role + action + target information ## Action table for RBAC diff --git a/basyx.aasregistry/basyx.aasregistry-feature-authorization/Readme.md b/basyx.aasregistry/basyx.aasregistry-feature-authorization/Readme.md index bb12b33c1..653b0523c 100644 --- a/basyx.aasregistry/basyx.aasregistry-feature-authorization/Readme.md +++ b/basyx.aasregistry/basyx.aasregistry-feature-authorization/Readme.md 
@@ -63,7 +63,9 @@ The role defines which role is allowed to perform the defined actions. The role The targetInformation defines coarse-grained control over the resource, you may define the aasId with a wildcard (\*), it means the defined role x with action y can access any Asset Administration Shell Descriptors on the registry. You can also define a specific AAS Identifier in place of the wildcard (\*), then the role x with action y could be performed only on that particular AAS Descriptor. -Note: The Action are fixed as of now and limited to (CREATE, READ, UPDATE, DELETE, and EXECUTE) but later user configurable mapping of these actions would be provided. +Note: +* The Action are fixed as of now and limited to (CREATE, READ, UPDATE, DELETE, and EXECUTE) but later user configurable mapping of these actions would be provided. +* Each rule should be unique in combination of role + action + target information ## Action table for RBAC diff --git a/basyx.aasrepository/basyx.aasrepository-feature-authorization/Readme.md b/basyx.aasrepository/basyx.aasrepository-feature-authorization/Readme.md index da8ef4146..25054a51b 100644 --- a/basyx.aasrepository/basyx.aasrepository-feature-authorization/Readme.md +++ b/basyx.aasrepository/basyx.aasrepository-feature-authorization/Readme.md 
@@ -63,7 +63,9 @@ The role defines which role is allowed to perform the defined actions. The role The targetInformation defines coarse-grained control over the resource, you may define the aasIds with a wildcard (\*), it means the defined role x with action y can access any Asset Administration Shell on the repository. You can also define a specific AAS Identifier in place of the wildcard (\*), then the role x with action y could be performed only on that particular AAS. There could be a single aasId or multiple aasIds as a list (cf. basyx-deleter above). -Note: The Action are fixed as of now and limited to (CREATE, READ, UPDATE, DELETE, and EXECUTE) but later user configurable mapping of these actions would be provided. +Note: +* The Action are fixed as of now and limited to (CREATE, READ, UPDATE, DELETE, and EXECUTE) but later user configurable mapping of these actions would be provided. +* Each rule should be unique in combination of role + action + target information ## Action table for RBAC diff --git a/basyx.common/basyx.authorization/src/main/java/org/eclipse/digitaltwin/basyx/authorization/rbac/CommonRbacConfiguration.java b/basyx.common/basyx.authorization/src/main/java/org/eclipse/digitaltwin/basyx/authorization/rbac/CommonRbacConfiguration.java index e42850a3a..7a7fbf677 100644 --- a/basyx.common/basyx.authorization/src/main/java/org/eclipse/digitaltwin/basyx/authorization/rbac/CommonRbacConfiguration.java +++ b/basyx.common/basyx.authorization/src/main/java/org/eclipse/digitaltwin/basyx/authorization/rbac/CommonRbacConfiguration.java @@ -25,6 +25,7 @@ package org.eclipse.digitaltwin.basyx.authorization.rbac; +import java.util.HashMap; import java.util.Objects; import java.util.Set; @@ -37,6 +38,7 @@ import com.fasterxml.jackson.databind.ObjectMapper; import com.fasterxml.jackson.databind.jsontype.NamedType; +import com.fasterxml.jackson.databind.module.SimpleModule; /** * A base configuration for Rbac based authorization 
@@ -55,6 +57,10 @@ public ObjectMapper getAasMapper(Jackson2ObjectMapperBuilder builder) { Set> subtypes = reflections.getTypesAnnotatedWith(TargetInformationSubtype.class); subtypes.stream().map(this::createNamedType).filter(Objects::nonNull).forEach(mapper::registerSubtypes); + + SimpleModule module = new SimpleModule(); + module.addDeserializer(HashMap.class, new RbacRuleDeserializer()); + mapper.registerModule(module); return mapper; } diff --git a/basyx.common/basyx.authorization/src/main/java/org/eclipse/digitaltwin/basyx/authorization/rbac/InMemoryAuthorizationRbacStorage.java b/basyx.common/basyx.authorization/src/main/java/org/eclipse/digitaltwin/basyx/authorization/rbac/InMemoryAuthorizationRbacStorage.java index e7809e23d..49a1c65eb 100644 --- a/basyx.common/basyx.authorization/src/main/java/org/eclipse/digitaltwin/basyx/authorization/rbac/InMemoryAuthorizationRbacStorage.java +++ b/basyx.common/basyx.authorization/src/main/java/org/eclipse/digitaltwin/basyx/authorization/rbac/InMemoryAuthorizationRbacStorage.java @@ -25,7 +25,7 @@ package org.eclipse.digitaltwin.basyx.authorization.rbac; -import java.util.List; +import java.util.Map; /** * InMemory implementation of the {@link RbacStorage} 
@@ -33,21 +33,39 @@ * @author danish */ public class InMemoryAuthorizationRbacStorage implements RbacStorage { - private final List rbacRules; + private final Map rbacRules; - public InMemoryAuthorizationRbacStorage(List rbacRuleList) { - this.rbacRules = rbacRuleList; + public InMemoryAuthorizationRbacStorage(Map rbacRules) { + this.rbacRules = rbacRules; } - public List getRbacRules() { + public Map getRbacRules() { return rbacRules; } public void addRule(RbacRule rbacRule) { - rbacRules.add(rbacRule); + + rbacRule.getAction().stream().map(action -> RbacRuleKeyGenerator.generateKey(rbacRule.getRole(), action.toString(), rbacRule.getTargetInformation().getClass().getName())).filter(key -> !rbacRules.containsKey(key)).map(key -> rbacRules.put(key, rbacRule)); } - public void removeRule(RbacRule rbacRule) { - rbacRules.remove(rbacRule); + public void removeRule(String key) { + if (!exist(key)) + throw new RuntimeException("Rule doesn't exist in policy store"); + + rbacRules.remove(key); } + + @Override + public RbacRule getRbacRule(String key) { + if (!exist(key)) + throw new RuntimeException("Rule doesn't exist in policy store"); + + return rbacRules.get(key); + } + + @Override + public boolean exist(String key) { + return rbacRules.containsKey(key); + } + } diff --git a/basyx.common/basyx.authorization/src/main/java/org/eclipse/digitaltwin/basyx/authorization/rbac/RbacRuleConfiguration.java b/basyx.common/basyx.authorization/src/main/java/org/eclipse/digitaltwin/basyx/authorization/rbac/RbacRuleConfiguration.java index 5f921bfb2..0bf358e2f 100644 --- a/basyx.common/basyx.authorization/src/main/java/org/eclipse/digitaltwin/basyx/authorization/rbac/RbacRuleConfiguration.java +++ b/basyx.common/basyx.authorization/src/main/java/org/eclipse/digitaltwin/basyx/authorization/rbac/RbacRuleConfiguration.java 
@@ -34,7 +34,7 @@ import org.eclipse.digitaltwin.basyx.authorization.CommonAuthorizationProperties; import com.fasterxml.jackson.databind.ObjectMapper; import java.io.IOException; -import java.util.ArrayList; +import java.util.HashMap; /** * Configurations for {@link RbacRule} @@ -63,7 +63,7 @@ public RbacRuleConfiguration(ObjectMapper objectMapper, ResourceLoader resourceL public RbacStorage createInMemoryRbacStorage() throws IOException { if (filePath.isBlank()) - return new InMemoryAuthorizationRbacStorage(new ArrayList<>()); + return new InMemoryAuthorizationRbacStorage(new HashMap<>()); return new InMemoryAuthorizationRbacStorage(new RbacRuleInitializer(objectMapper, filePath, resourceLoader).deserialize()); } diff --git a/basyx.common/basyx.authorization/src/main/java/org/eclipse/digitaltwin/basyx/authorization/rbac/RbacRuleDeserializer.java b/basyx.common/basyx.authorization/src/main/java/org/eclipse/digitaltwin/basyx/authorization/rbac/RbacRuleDeserializer.java new file mode 100644 index 000000000..5795a4705 --- /dev/null +++ b/basyx.common/basyx.authorization/src/main/java/org/eclipse/digitaltwin/basyx/authorization/rbac/RbacRuleDeserializer.java 
@@ -0,0 +1,60 @@ +/******************************************************************************* + * Copyright (C) 2024 the Eclipse BaSyx Authors + * + * Permission is hereby granted, free of charge, to any person obtaining + * a copy of this software and associated documentation files (the + * "Software"), to deal in the Software without restriction, including + * without limitation the rights to use, copy, modify, merge, publish, + * distribute, sublicense, and/or sell copies of the Software, and to + * permit persons to whom the Software is furnished to do so, subject to + * the following conditions: + * + * The above copyright notice and this permission notice shall be + * included in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE + * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION + * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION + * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ * + * SPDX-License-Identifier: MIT + ******************************************************************************/ + +package org.eclipse.digitaltwin.basyx.authorization.rbac; + +import com.fasterxml.jackson.core.JsonParser; +import com.fasterxml.jackson.core.type.TypeReference; +import com.fasterxml.jackson.databind.DeserializationContext; +import com.fasterxml.jackson.databind.JsonDeserializer; +import com.fasterxml.jackson.databind.ObjectMapper; + +import java.io.IOException; +import java.util.HashMap; +import java.util.List; + +/** + * A specific deserializer for deserializing list of {@link RbacRule} into HashMap + * + * @author danish + */ +public class RbacRuleDeserializer extends JsonDeserializer> { + + @Override + public HashMap deserialize(JsonParser p, DeserializationContext ctxt) throws IOException { + ObjectMapper mapper = (ObjectMapper) p.getCodec(); + List rbacRules = mapper.readValue(p, new TypeReference>() { + }); + HashMap result = new HashMap<>(); + + for (RbacRule rule : rbacRules) { + rule.getAction().stream().map(action -> RbacRuleKeyGenerator.generateKey(rule.getRole(), action.toString(), rule.getTargetInformation().getClass().getName())).forEach(key -> result.put(key, rule)); + } + + return result; + } + +} + diff --git a/basyx.common/basyx.authorization/src/main/java/org/eclipse/digitaltwin/basyx/authorization/rbac/RbacRuleInitializer.java b/basyx.common/basyx.authorization/src/main/java/org/eclipse/digitaltwin/basyx/authorization/rbac/RbacRuleInitializer.java index bf42b426a..401a3f55f 100644 --- a/basyx.common/basyx.authorization/src/main/java/org/eclipse/digitaltwin/basyx/authorization/rbac/RbacRuleInitializer.java +++ b/basyx.common/basyx.authorization/src/main/java/org/eclipse/digitaltwin/basyx/authorization/rbac/RbacRuleInitializer.java 
@@ -29,7 +29,7 @@ import com.fasterxml.jackson.databind.ObjectMapper; import java.io.File; import java.io.IOException; -import java.util.List; +import java.util.HashMap; import org.eclipse.digitaltwin.basyx.core.exceptions.MissingAuthorizationConfigurationException; import org.springframework.core.io.ResourceLoader; @@ -54,23 +54,26 @@ public RbacRuleInitializer(ObjectMapper objectMapper, String filePath, ResourceL } /** - * Provides the list of {@link RbacRule} from the resource + * Provides the Map of {@link RbacRule} from the resource * - * @return list of rbac rules + * It auto-generates the key based on hash of combination of role, {@link Action}, and the concrete {@link TargetInformation} + * class. + * + * @return map of rbac rules * @throws IOException */ - public List deserialize() throws IOException { - return objectMapper.readValue(getFile(rbacJsonFilePath), new TypeReference>() { + public HashMap deserialize() throws IOException { + return objectMapper.readValue(getFile(rbacJsonFilePath), new TypeReference>() { }); } private File getFile(String filePath) { - + try { return resourceLoader.getResource(filePath).getFile(); - } catch(IOException e) { + } catch (IOException e) { throw new MissingAuthorizationConfigurationException(filePath); } - + } } diff --git a/basyx.common/basyx.authorization/src/main/java/org/eclipse/digitaltwin/basyx/authorization/rbac/RbacRuleKeyGenerator.java b/basyx.common/basyx.authorization/src/main/java/org/eclipse/digitaltwin/basyx/authorization/rbac/RbacRuleKeyGenerator.java new file mode 100644 index 000000000..7ecba11a5 --- /dev/null +++ b/basyx.common/basyx.authorization/src/main/java/org/eclipse/digitaltwin/basyx/authorization/rbac/RbacRuleKeyGenerator.java 
@@ -0,0 +1,55 @@ +/******************************************************************************* + * Copyright (C) 2024 the Eclipse BaSyx Authors + * + * Permission is hereby granted, free of charge, to any person obtaining + * a copy of this software and associated documentation files (the + * "Software"), to deal in the Software without restriction, including + * without limitation the rights to use, copy, modify, merge, publish, + * distribute, sublicense, and/or sell copies of the Software, and to + * permit persons to whom the Software is furnished to do so, subject to + * the following conditions: + * + * The above copyright notice and this permission notice shall be + * included in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE + * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION + * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION + * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + * + * SPDX-License-Identifier: MIT + ******************************************************************************/ + +package org.eclipse.digitaltwin.basyx.authorization.rbac; + +/** + * A helper class to generate the key based on hash of combination of role, {@link Action}, and the concrete {@link TargetInformation} + * class. + * + * @author danish + */ +public class RbacRuleKeyGenerator { + + /** + * Generates the key based on hash of combination of role, {@link Action}, and the concrete {@link TargetInformation} + * class. + * + *

For e.g., role = Engineer, Action = READ, TargetInformation Class = org.eclipse.digitaltwin.basyx.aasrepository.feature.authorization.AasTargetInformation.java + *
+ * So the hash code of concatenation of these is: -1428731317. + * + *

+ * + * @param role + * @param action + * @param clazz + * @return + */ + public static String generateKey(String role, String action, String clazz) { + return String.valueOf((role + action + clazz).hashCode()); + } + +} diff --git a/basyx.common/basyx.authorization/src/main/java/org/eclipse/digitaltwin/basyx/authorization/rbac/RbacStorage.java b/basyx.common/basyx.authorization/src/main/java/org/eclipse/digitaltwin/basyx/authorization/rbac/RbacStorage.java index 1e5265641..b55d89d67 100644 --- a/basyx.common/basyx.authorization/src/main/java/org/eclipse/digitaltwin/basyx/authorization/rbac/RbacStorage.java +++ b/basyx.common/basyx.authorization/src/main/java/org/eclipse/digitaltwin/basyx/authorization/rbac/RbacStorage.java @@ -25,16 +25,18 @@ package org.eclipse.digitaltwin.basyx.authorization.rbac; -import java.util.List; +import java.util.Map; /** - * An interface for definig storage of {@link RbacRule} + * An interface for defining storage of {@link RbacRule} * * @author danish */ public interface RbacStorage { - public List getRbacRules(); + public Map getRbacRules(); + public RbacRule getRbacRule(String key); public void addRule(RbacRule rbacRule); - public void removeRule(RbacRule rbacRule); + public void removeRule(String key); + public boolean exist(String key); } diff --git a/basyx.common/basyx.authorization/src/main/java/org/eclipse/digitaltwin/basyx/authorization/rbac/SimpleRbacPermissionResolver.java b/basyx.common/basyx.authorization/src/main/java/org/eclipse/digitaltwin/basyx/authorization/rbac/SimpleRbacPermissionResolver.java index d2b7807c6..f2b4be32c 100644 --- a/basyx.common/basyx.authorization/src/main/java/org/eclipse/digitaltwin/basyx/authorization/rbac/SimpleRbacPermissionResolver.java +++ b/basyx.common/basyx.authorization/src/main/java/org/eclipse/digitaltwin/basyx/authorization/rbac/SimpleRbacPermissionResolver.java 
@@ -42,8 +42,6 @@ */ public class SimpleRbacPermissionResolver implements RbacPermissionResolver { - private static final String ALL_ALLOWED_WILDCARD = "*"; - private Logger logger = LoggerFactory.getLogger(SimpleRbacPermissionResolver.class); private RbacStorage rbacStorage; 
@@ -84,27 +82,14 @@ public boolean hasPermission(final Action action, final T targetInformation) { private Stream getMatchingRules(final List roles, final Action action, final T targetInformation) { - List filteredRbacRulesForTargetInfo = this.rbacStorage.getRbacRules().stream().filter(rbacRule -> hasMatchingTargetInformation(targetInformation, rbacRule)).collect(Collectors.toList()); + List filteredRbacRulesForTargetInfos = roles.stream().map(role -> RbacRuleKeyGenerator.generateKey(role, action.toString(), targetInformation.getClass().getName())).filter(rbacStorage::exist).map(rbacStorage::getRbacRule).collect(Collectors.toList()); - return filteredRbacRulesForTargetInfo.parallelStream().filter(rbacRule -> checkRolesMatchRbacRule(rbacRule, roles)).filter(rbacRule -> checkActionMatchesRbacRule(rbacRule, action)) - .filter(rbacRule -> checkRbacRuleMatchesTargetInfo(rbacRule, targetInformation)); - } - - private boolean checkRolesMatchRbacRule(final RbacRule rbacRule, final List roles) { - return rbacRule.getRole().equals(ALL_ALLOWED_WILDCARD) || (roles != null && roles.stream().anyMatch(role -> rbacRule.getRole().equals(role))); - } - - private boolean checkActionMatchesRbacRule(final RbacRule rbacRule, final Action action) { - return rbacRule.getAction().stream().anyMatch(rbacRuleAction -> rbacRuleAction.equals(action)); + return filteredRbacRulesForTargetInfos.stream().filter(rbacRule -> checkRbacRuleMatchesTargetInfo(rbacRule, targetInformation)); } private boolean checkRbacRuleMatchesTargetInfo(final RbacRule rbacRule, final T targetInformation) { return targetPermissionVerifier.isVerified(rbacRule, targetInformation); } - - private boolean hasMatchingTargetInformation(final T targetInformation, RbacRule rbacRule) { - - return targetInformation.getClass().isInstance(rbacRule.getTargetInformation()); - } + } 
diff --git a/basyx.conceptdescriptionrepository/basyx.conceptdescriptionrepository-feature-authorization/Readme.md b/basyx.conceptdescriptionrepository/basyx.conceptdescriptionrepository-feature-authorization/Readme.md index 284d7c821..fd993f500 100644 --- a/basyx.conceptdescriptionrepository/basyx.conceptdescriptionrepository-feature-authorization/Readme.md +++ b/basyx.conceptdescriptionrepository/basyx.conceptdescriptionrepository-feature-authorization/Readme.md @@ -73,7 +73,9 @@ The role defines which role is allowed to perform the defined actions. The role The targetInformation defines coarse-grained control over the resource, you may define the conceptDescriptionIds with a wildcard (\*), it means the defined role x with action y can access any Concept Description on the repository. You can also define a specific Concept Description Identifier in place of the wildcard (\*), then the role x with action y could be performed only on that particular Concept Description. There could be a single conceptDescriptionId or multiple conceptDescriptionIds as a list (cf. basyx-reader-two above). -Note: The Action are fixed as of now and limited to (CREATE, READ, UPDATE, DELETE, and EXECUTE) but later user configurable mapping of these actions would be provided. +Note: +* The Action are fixed as of now and limited to (CREATE, READ, UPDATE, DELETE, and EXECUTE) but later user configurable mapping of these actions would be provided. +* Each rule should be unique in combination of role + action + target information ## Action table for RBAC diff --git a/basyx.submodelregistry/basyx.submodelregistry-feature-authorization/Readme.md b/basyx.submodelregistry/basyx.submodelregistry-feature-authorization/Readme.md index f7ef16ba7..2daf612ef 100644 --- a/basyx.submodelregistry/basyx.submodelregistry-feature-authorization/Readme.md +++ b/basyx.submodelregistry/basyx.submodelregistry-feature-authorization/Readme.md 
@@ -63,7 +63,9 @@ The role defines which role is allowed to perform the defined actions. The role The targetInformation defines coarse-grained control over the resource, you may define the submodelId with a wildcard (\*), it means the defined role x with action y can access any Submodel Descriptors on the registry. You can also define a specific Submodel Identifier in place of the wildcard (\*), then the role x with action y could be performed only on that particular Submodel Descriptor. -Note: The Action are fixed as of now and limited to (CREATE, READ, UPDATE, DELETE, and EXECUTE) but later user configurable mapping of these actions would be provided. +Note: +* The Action are fixed as of now and limited to (CREATE, READ, UPDATE, DELETE, and EXECUTE) but later user configurable mapping of these actions would be provided. +* Each rule should be unique in combination of role + action + target information ## Action table for RBAC diff --git a/basyx.submodelrepository/basyx.submodelrepository-feature-authorization/Readme.md b/basyx.submodelrepository/basyx.submodelrepository-feature-authorization/Readme.md index f4b1d1a6c..47f199091 100644 --- a/basyx.submodelrepository/basyx.submodelrepository-feature-authorization/Readme.md +++ b/basyx.submodelrepository/basyx.submodelrepository-feature-authorization/Readme.md 
@@ -76,7 +76,9 @@ The role defines which role is allowed to perform the defined actions. The role The targetInformation defines coarse-grained control over the resource, you may define the submodelIds and submodelElementIdShortPaths with a wildcard (\*), it means the defined role x with action y can access any Submodel and any SubmodelElement on the repository. You can also define a specific Submodel Identifier in place of the wildcard (\*), then the role x with action y could be performed only on that particular Submodel. Similarly, you can define a specific SubmodelElement IdShort path, then you can only access the SubmodelElement corresponding to that IdShort path. It means that the whole Submodel GET request would not be possible if the IdShort path for a specific SubmodelElement is provided, because the requestor only has access for a specific SubmodelElement. There could be a single submodelId/submodelElementIdShortPath or multiple submodelIds/submodelElementIdShortPaths as a list (cf. basyx-sme-reader). -Note: The Action are fixed as of now and limited to (CREATE, READ, UPDATE, DELETE and EXECUTE) but later user configurable mapping of these actions would be provided. +Note: +* The Action are fixed as of now and limited to (CREATE, READ, UPDATE, DELETE and EXECUTE) but later user configurable mapping of these actions would be provided. +* Each rule should be unique in combination of role + action + target information ## Action table for RBAC
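Review bot: In the six Readme.md hunks, the new bullet "Each rule should be unique in combination of role + action + target information" does not say that uniqueness is judged on the target information type, not on its ids. RbacRuleKeyGenerator is called with rule.getTargetInformation().getClass().getName(), so two rules for the same role and action on the same target type but with different ids count as duplicates. The bullet should say so, state what happens to a duplicate, and point users to the list form of the ids (the form the Readmes already describe) for merging such rules into one.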
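Review bot: In CommonRbacConfiguration.getAasMapper, module.addDeserializer(HashMap.class, new RbacRuleDeserializer()) binds the rule deserializer to the raw HashMap type on the mapper this method returns. Any other HashMap read through that mapper will be handed to RbacRuleDeserializer, which expects a JSON array of RbacRule. Consider keeping the mapper untouched and building the map inside RbacRuleInitializer.deserialize() from a List of RbacRule, or registering the deserializer for a dedicated rule-map type instead of HashMap.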
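Review bot: In InMemoryAuthorizationRbacStorage.addRule, the stream chain ends in .map(key -> rbacRules.put(key, rbacRule)) and has no terminal operation, so it is never evaluated and addRule stores nothing. Replace the final map with .forEach(key -> rbacRules.put(key, rbacRule)), or drop the filter and use rbacRules.putIfAbsent(key, rbacRule) inside the forEach. Note also that addRule skips an existing key silently while RbacRuleDeserializer overwrites it; the two paths should agree on duplicate handling. removeRule and getRbacRule throw a bare RuntimeException; a dedicated exception type would let callers distinguish a missing rule from other failures.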
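Review bot: In RbacRuleDeserializer.deserialize, forEach(key -> result.put(key, rule)) overwrites silently when two rules in the file produce the same key, so only the last rule for a given role, action and target class survives and the earlier one is dropped without an error or a log line. The Readme change asks for unique rules but nothing here enforces it. Check the return value of put (or use putIfAbsent) and fail the load, or at least log, naming the role, action and target class of the conflicting rule, so that a rule set that is smaller than the file is visible at startup.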
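Review bot: In RbacRuleKeyGenerator.generateKey, String.valueOf((role + action + clazz).hashCode()) uses a 32-bit String.hashCode() of an undelimited concatenation as the identity of an authorization rule, so distinct role, action and class triples can map to the same key. Because SimpleRbacPermissionResolver.getMatchingRules no longer checks the returned rule's role or action, a colliding key would hand back a rule written for a different role and only targetPermissionVerifier would still be applied. Use the composite itself as the key (the three parts joined with a separator, or a small value type with equals and hashCode), or re-check role and action on the rule after the lookup. The @param and @return tags in the Javadoc are also left empty.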
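Review bot: In SimpleRbacPermissionResolver.getMatchingRules, the lookup key is built only from the caller's roles, and ALL_ALLOWED_WILDCARD and checkRolesMatchRbacRule are removed, so a rule whose role is "*" no longer matches any subject. Existing rule files that rely on the wildcard role will start denying requests without any message. Either add a lookup for the "*" key alongside the per-role keys, or document the removal in the Readmes. The removed check also guarded against roles == null; roles.stream() now throws a NullPointerException in that case, so return an empty stream when roles is null. Finally, hasMatchingTargetInformation used isInstance, while the key uses the exact getClass().getName(), so a subclass of a target information type no longer matches its parent's rules; please confirm that is intended.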