Doorman is an authorization (micro)service.
Перейти к файлу
Mathieu Leplatre 0d47bfcb86
Rename jwtIssuer to identityProvider (ref #80)
2018-01-30 12:35:57 +01:00
api Rename jwtIssuer to identityProvider (ref #80) 2018-01-30 12:35:57 +01:00
authn Move handlers to dedicated package (Fixes #86) 2018-01-30 12:03:22 +01:00
config Rename handlers to api 2018-01-30 12:29:34 +01:00
doorman Rename jwtIssuer to identityProvider (ref #80) 2018-01-30 12:35:57 +01:00
examples Rename jwtIssuer to identityProvider (ref #80) 2018-01-30 12:35:57 +01:00
.gitignore Rename handlers to api 2018-01-30 12:29:34 +01:00
.travis.yml Add dedicated test-coverage make target 2017-09-22 18:08:25 +02:00
Dockerfile Rename POLICIES_FILES to POLICIES 2017-11-14 12:20:32 +01:00
Gopkg.lock Remove Auth0 specific code (fixes #82) (#83) 2018-01-17 15:50:04 +01:00
Gopkg.toml Remove Auth0 specific code (fixes #82) (#83) 2018-01-17 15:50:04 +01:00
LICENSE Initial commit 2017-09-18 13:12:41 +02:00
Makefile Rename handlers to api 2018-01-30 12:29:34 +01:00
README.md Rename jwtIssuer to identityProvider (ref #80) 2018-01-30 12:35:57 +01:00
circle.yml Build main before building container on CircleCI (#73) 2017-12-11 08:34:10 +01:00
logger.go Cleanup logger initialization 2017-12-01 17:41:20 +01:00
logger_test.go Cleanup logger initialization 2017-12-01 17:41:20 +01:00
logo.svg Temporary logo 2017-11-21 13:33:27 +01:00
main.go Rename handlers to api 2018-01-30 12:29:34 +01:00
main_test.go @mostlygeek review 2017-12-04 12:54:46 +01:00
sample.yaml Rename jwtIssuer to identityProvider (ref #80) 2018-01-30 12:35:57 +01:00
settings.go Load config outside doorman (fixes #68) 2017-12-01 17:18:46 +01:00
settings_test.go Load config outside doorman (fixes #68) 2017-12-01 17:18:46 +01:00
version.json Rename from leplatrem/iam to mozilla/doorman 2017-11-21 11:50:03 +01:00

README.md

Doorman

Doorman is an authorization micro-service.

Build Status Coverage Status Go Report

Doorman responds to authorization requests based on a set of rules (policies files).

Having a centralized access control service has several advantages:

  • it clearly dissociates authentication from authorization
  • it provides a standard and generic permissions system to services developers
  • it facilitates permissions management across services (eg. makes revocation easier)
  • it allows authorizations monitoring, metrics, anomaly detection

Run

    docker run \
      -e POLICIES=/config \
      -v ./examples/python:/config \
      -p 8000:8080 \
      --name doorman \
      mozilla/doorman

Doorman is now ready to respond authorization requests on http://localhost:8080. See API docs.

Policies

Policies are defined in YAML files for each consuming service, locally or in remote (private) Github repos, as follow:

service: https://service.stage.net
identityProvider: https://auth.mozilla.auth0.com/
tags:
  superusers:
    - userid:maria
    - group:admins
policies:
  -
    id: authors-superusers-delete
    description: Authors and superusers can delete articles
    principals:
      - role:author
      - tag:superusers
    actions:
      - delete
    resources:
      - article
    effect: allow
  • service: the unique identifier of the service
  • identityProvider (optional): when the identify provider is not empty, Doorman will verify the Access Token or the ID Token provided in the authorization request to authenticate the request and obtain the subject profile information (principals)
  • tags: Local «groups» of principals in addition to the ones provided by the Identity Provider
  • actions: a domain-specific string representing an action that will be defined as allowed by a principal (eg. publish, signoff, …)
  • resources: a domain-specific string representing a resource. Preferably not a full URL to decouple from service API design (eg. print:blackwhite:A4, category:homepage, …).
  • effect: Use effect: deny to deny explicitly. Requests that don't match any rule are denied.

Principals

The principals is a list of prefixed strings to refer to the «user» as the combination of ids, emails, groups, roles…

Supported prefixes:

  • userid:: provided by Identity Provider (IdP)
  • tag:: local tags
  • role:: provided in context of authorization request (see below)
  • email:: provided by IdP
  • group:: provided by IdP

Example: ["userid:ldap|user", "email:user@corp.com", "group:Employee", "group:Admins", "role:editor"]

Settings

Via environment variables:

  • POLICIES: space separated locations of YAML files with policies. They can be single files, folders or Github URLs (default: ./policies.yaml)
  • GITHUB_TOKEN: Github API token to be used when fetching policies files from private repositories

Advanced:

  • PORT: listen (default: 8080)
  • GIN_MODE: server mode (release or default debug)
  • LOG_LEVEL: logging level (fatal|error|warn|info|debug, default: info with GIN_MODE=release else debug)
  • VERSION_FILE: location of JSON file with version information (default: ./version.json)

Note: the Dockerfile contains different default values, suited for production.

Advanced policies rules

Regular expressions

Regular expressions begin with < and end with >.

principals:
  - userid:<[peter|ken]>
resources:
  - /page/<.*>

Note: regular expressions are not supported in tags members definitions.

Conditions

The conditions are optional on policies and are used to match field values from the authorization request context.

The context value remoteIP is forced by the server.

For example:

policies:
  -
    description: Allow everything from dev environment
    conditions:
      env:
        type: StringEqualCondition
        options:
          equals: dev

There are several types of conditions:

Field comparison

  • type: StringEqualCondition

For example, match request.context["country"] == "catalunya":

conditions:
  country:
    type: StringEqualCondition
    options:
      equals: catalunya

Field pattern

  • type: StringMatchCondition

For example, match request.context["bucket"] ~= "blocklists-.*":

conditions:
  bucket:
    type: StringMatchCondition
    options:
      matches: blocklists-.*

Match principals

  • type: MatchPrincipalsCondition

For example, allow requests where request.context["owner"] is in principals:

conditions:
  owner:
    type: MatchPrincipalsCondition

Note: This also works when a the context field is list (e.g. list of collaborators).

IP/Range

  • type: CIDRCondition

For example, match request.context["remoteIP"] with CIDR notation:

conditions:
  remoteIP:
    type: CIDRCondition
    options:
      # mask 255.255.0.0
      cidr: 192.168.0.1/16

Run from source

make serve -e POLICIES=sample.yaml

Run tests

make test

Generate API docs

make api-docs

Build docker container

make docker-build

License

  • MPLv2.0
  • The logo was made by Mathieu Leplatre with Inkscape and released under CC0