mozilla
/
doorman
зеркало из https://github.com/mozilla/doorman.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
Doorman is an authorization (micro)service.
218 коммитов 6 Ветки 1 Тег 6,3 MiB
Go 97%
Makefile 2.6%
Dockerfile 0.4%
Перейти к файлу
Mathieu Leplatre 4d9b181c57
Fix demo with new OIDC conformant mode 
Since the `groups` are not sent in JWT payload anymore, Doorman returns
a list of principals that only contains the userid.

Ref #55
 		2017-12-04 17:19:42 +01:00
config @mostlygeek review 2017-12-04 12:54:46 +01:00
doorman Improve coverage 2017-12-01 17:33:13 +01:00
examples Fix demo with new OIDC conformant mode 2017-12-04 17:19:42 +01:00
utilities Merge remote-tracking branch 'origin/master' into 63-config-struct 2017-11-30 16:14:17 +01:00
.gitignore Add the web UI. 2017-11-21 15:47:43 +01:00
.travis.yml Add dedicated test-coverage make target 2017-09-22 18:08:25 +02:00
Dockerfile Rename POLICIES_FILES to POLICIES 2017-11-14 12:20:32 +01:00
LICENSE Initial commit 2017-09-18 13:12:41 +02:00
Makefile Load config outside doorman (fixes #68) 2017-12-01 17:18:46 +01:00
README.md Move rationale from API docs to README 2017-11-24 23:08:35 +01:00
circle.yml Add CircleCI config (fixes #56) 2017-11-24 12:12:07 +01:00
glide.lock Enable audit logging 2017-11-14 17:07:47 +01:00
glide.yaml Rename from leplatrem/iam to mozilla/doorman 2017-11-21 11:50:03 +01:00
logger.go Cleanup logger initialization 2017-12-01 17:41:20 +01:00
logger_test.go Cleanup logger initialization 2017-12-01 17:41:20 +01:00
logo.svg Temporary logo 2017-11-21 13:33:27 +01:00
main.go @mostlygeek review 2017-12-04 12:54:46 +01:00
main_test.go @mostlygeek review 2017-12-04 12:54:46 +01:00
sample.yaml Support list of principals for MatchPrincipalsCondition 2017-11-21 11:15:51 +01:00
settings.go Load config outside doorman (fixes #68) 2017-12-01 17:18:46 +01:00
settings_test.go Load config outside doorman (fixes #68) 2017-12-01 17:18:46 +01:00
version.json Rename from leplatrem/iam to mozilla/doorman 2017-11-21 11:50:03 +01:00

README.md

Doorman

Doorman is an authorization micro-service.

Build Status Coverage Status Go Report

Doorman responds to authorization requests based on a set of rules (policies files).

Having a centralized access control service has several advantages:

  • it clearly dissociates authentication from authorization
  • it provides a standard and generic permissions system to services developers
  • it facilitates permissions management across services (eg. makes revocation easier)
  • it allows authorizations monitoring, metrics, anomaly detection

Run

    docker run \
      -e POLICIES=/config \
      -v ./examples/python:/config \
      -p 8000:8080 \
      --name doorman \
      mozilla/doorman

Doorman is now ready to respond authorization requests on http://localhost:8080. See API docs.

Policies

Policies are defined in YAML files for each consuming service, locally or in remote (private) Github repos, as follow:

service: https://service.stage.net
jwtIssuer: https://auth.mozilla.auth0.com/
tags:
  superusers:
    - userid:maria
    - group:admins
policies:
  -
    id: authors-superusers-delete
    description: Authors and superusers can delete articles
    principals:
      - role:author
      - tag:superusers
    actions:
      - delete
    resources:
      - article
    effect: allow
  • service: the unique identifier of the service
  • jwtIssuer (optional): when the issuer is set, Doorman will verify the JSON Web Token provided in the authorization request and extract the Identity Provider information from its payload
  • tags: Local «groups» of principals in addition to the ones provided by the Identity Provider
  • actions: a domain-specific string representing an action that will be defined as allowed by a principal (eg. publish, signoff, …)
  • resources: a domain-specific string representing a resource. Preferably not a full URL to decouple from service API design (eg. print:blackwhite:A4, category:homepage, …).
  • effect: Use effect: deny to deny explicitly. Requests that don't match any rule are denied.

Principals

The principals is a list of prefixed strings to refer to the «user» as the combination of ids, emails, groups, roles…

Supported prefixes:

  • userid:: provided by Identity Provider (IdP)
  • tag:: local tags
  • role:: provided in context of authorization request (see below)
  • email:: provided by IdP
  • group:: provided by IdP

Example: ["userid:ldap|user", "email:user@corp.com", "group:Employee", "group:Admins", "role:editor"]

Settings

Via environment variables:

  • POLICIES: space separated locations of YAML files with policies. They can be single files, folders or Github URLs (default: ./policies.yaml)
  • GITHUB_TOKEN: Github API token to be used when fetching policies files from private repositories

Advanced:

  • PORT: listen (default: 8080)
  • GIN_MODE: server mode (release or default debug)
  • LOG_LEVEL: logging level (fatal|error|warn|info|debug, default: info with GIN_MODE=release else debug)
  • VERSION_FILE: location of JSON file with version information (default: ./version.json)

Note: the Dockerfile contains different default values, suited for production.

Advanced policies rules

Regular expressions

Regular expressions begin with < and end with >.

principals:
  - userid:<[peter|ken]>
resources:
  - /page/<.*>

Note: regular expressions are not supported in tags members definitions.

Conditions

The conditions are optional on policies and are used to match field values from the authorization request context.

The context value remoteIP is forced by the server.

For example:

policies:
  -
    description: Allow everything from dev environment
    conditions:
      env:
        type: StringEqualCondition
        options:
          equals: dev

There are several types of conditions:

Field comparison

  • type: StringEqualCondition

For example, match request.context["country"] == "catalunya":

conditions:
  country:
    type: StringEqualCondition
    options:
      equals: catalunya

Field pattern

  • type: StringMatchCondition

For example, match request.context["bucket"] ~= "blocklists-.*":

conditions:
  bucket:
    type: StringMatchCondition
    options:
      matches: blocklists-.*

Match principals

  • type: MatchPrincipalsCondition

For example, allow requests where request.context["owner"] is in principals:

conditions:
  owner:
    type: MatchPrincipalsCondition

Note: This also works when a the context field is list (e.g. list of collaborators).

IP/Range

  • type: CIDRCondition

For example, match request.context["remoteIP"] with CIDR notation:

conditions:
  remoteIP:
    type: CIDRCondition
    options:
      # mask 255.255.0.0
      cidr: 192.168.0.1/16

Run from source

make serve -e POLICIES=sample.yaml

Run tests

make test

Generate API docs

make api-docs

Build docker container

make docker-build

License

  • MPLv2.0
  • The logo was made by Mathieu Leplatre with Inkscape and released under CC0