Doorman is an authorization (micro)service.
Mathieu Leplatre 88373e250f
Simply and improve consistency
2017-11-23 16:58:16 +01:00

README.md

Doorman

Doorman is an authorization micro-service.


Run

    docker run \
      -e POLICIES=/config/policies.yaml \
      -v "$(pwd)/config:/config" \
      -p 8080:8080 \
      --name doorman \
      mozilla/doorman

Doorman is now ready to respond to authorization requests on http://localhost:8080 (the host port published with -p must match that URL). See API docs.

Policies

Policies are defined in YAML files, one per service, stored locally or in remote GitHub repositories, as follows:

service: https://service.stage.net
jwtIssuer: https://auth.mozilla.auth0.com/
tags:
  superusers:
    - userid:maria
    - group:admins
policies:
  -
    description: Authors and superusers can delete articles
    principals:
      - role:author
      - tag:superusers
    actions:
      - delete
    resources:
      - article
    effect: allow

  • service: the unique identifier of the service
  • jwtIssuer (optional): when set, Doorman verifies the JSON Web Token provided in the authorization request and extracts the Identity Provider information from its payload
  • tags: local «groups» of principals, in addition to the groups provided by the Identity Provider
  • actions: domain-specific strings naming the actions a principal may be allowed or denied to perform (eg. publish, signoff, …)
  • resources: domain-specific strings naming resources. Preferably not full URLs, so that policies stay decoupled from the service API design (eg. print:blackwhite:A4, category:homepage, …)
  • effect: use effect: deny to deny explicitly. Requests that don't match any rule are denied.

Principals

The principals are a list of prefixed strings that refer to the «user» as a combination of ids, emails, groups, roles, …

Supported prefixes:

  • userid: prefix, provided by the Identity Provider (IdP)
  • tag: prefix, local tags
  • role: prefix, provided in the context of the authorization request (see below)
  • email: prefix, provided by the IdP
  • group: prefix, provided by the IdP

Example: ["userid:ldap|user", "email:user@corp.com", "group:Employee", "group:Admins", "role:editor"]

Settings

Via environment variables:

  • POLICIES: space-separated locations of YAML files with policies. They can be single files, folders or GitHub URLs (default: ./policies.yaml)
  • GITHUB_TOKEN: GitHub API token used when fetching policy files from private repositories

Advanced:

  • PORT: listen (default: 8080)
  • GIN_MODE: server mode (release, or debug by default)
  • LOG_LEVEL: logging level (fatal|error|warn|info|debug, default: info with GIN_MODE=release else debug)
  • VERSION_FILE: location of JSON file with version information (default: ./version.json)

Note: the Dockerfile contains different default values, suited for production.

Advanced policy rules

Regular expressions

A regular expression is enclosed between < and >; the rest of the string is matched literally. Note that alternation needs parentheses: [peter|ken] would be a character class matching a single character.

principals:
  - userid:<(peter|ken)>
resources:
  - /page/<.*>

Note: regular expressions are not supported in tag member definitions.
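A model of how the policies, principals and regular-expression rules above combine, as an added example (this is not Doorman's own code, and the deny-wins and default-deny semantics it encodes are assumptions drawn from the README text). Policies are plain dicts mirroring the YAML keys, and the sample policy set is constructed here.

```python
import re

def compile_pattern(pattern: str) -> re.Pattern:
    """Text between `<` and `>` is kept as regex syntax, everything else is
    matched literally; the whole pattern is matched in full (an assumption)."""
    out, last = "", 0
    for m in re.finditer(r"<([^>]*)>", pattern):
        out += re.escape(pattern[last:m.start()]) + "(?:" + m.group(1) + ")"
        last = m.end()
    return re.compile(out + re.escape(pattern[last:]))

def any_match(patterns, values) -> bool:
    """True when at least one policy pattern matches at least one value."""
    return any(compile_pattern(p).fullmatch(v) for p in patterns for v in values)

def expand_tags(principals, tags):
    """Add tag:<name> for each local tag that lists one of the principals.
    Tag members are compared literally (no regex support, as the README states)."""
    return list(principals) + [f"tag:{name}" for name, members in tags.items()
                               if set(members) & set(principals)]

def is_allowed(policies, tags, principals, action, resource) -> bool:
    """Assumed semantics modelled on the README: a matching `effect: deny` wins
    over any allow, and a request that matches no policy is denied."""
    principals = expand_tags(principals, tags)
    verdict = False
    for pol in policies:
        if not (any_match(pol["principals"], principals)
                and any_match(pol["actions"], [action])
                and any_match(pol["resources"], [resource])):
            continue
        if pol.get("effect", "allow") == "deny":
            return False
        verdict = True
    return verdict

# Constructed sample: the README's delete rule, a regex rule, and an explicit deny.
TAGS = {"superusers": ["userid:maria", "group:admins"]}
POLICIES = [
    {"principals": ["role:author", "tag:superusers"], "actions": ["delete"],
     "resources": ["article"], "effect": "allow"},
    {"principals": ["userid:<(peter|ken)>"], "actions": ["read"],
     "resources": ["/page/<.*>"], "effect": "allow"},
    {"principals": ["role:intern"], "actions": ["<.*>"], "resources": ["<.*>"],
     "effect": "deny"},
]
```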

Conditions

The conditions are optional on policies and are used to match field values from the authorization request context.

The context value remoteIP is always set by the server and cannot be supplied by the client.

For example:

policies:
  -
    description: Allow everything from dev environment
    conditions:
      env:
        type: StringEqualCondition
        options:
          equals: dev

There are several types of conditions:

Field comparison

  • type: StringEqualCondition

For example, match request.context["country"] == "catalunya":

conditions:
  country:
    type: StringEqualCondition
    options:
      equals: catalunya

Field pattern

  • type: StringMatchCondition

For example, match request.context["bucket"] ~= "blocklists-.*":

conditions:
  bucket:
    type: StringMatchCondition
    options:
      matches: blocklists-.*

Match principals

  • type: MatchPrincipalsCondition

For example, allow requests where request.context["owner"] is in principals:

conditions:
  owner:
    type: MatchPrincipalsCondition

Note: this also works when the context field is a list (e.g. a list of collaborators).

IP/Range

  • type: CIDRCondition

For example, match request.context["remoteIP"] with CIDR notation:

conditions:
  remoteIP:
    type: CIDRCondition
    options:
      # mask 255.255.0.0
      cidr: 192.168.0.1/16
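The four condition types above evaluated against a request context, as an added example (not Doorman's own code; that conditions are ANDed, that a missing field fails, and that StringMatchCondition is an unanchored search are assumptions). The request context and principals are constructed here.

```python
import ipaddress
import re

def condition_holds(field, cond, context, principals) -> bool:
    """Evaluate one entry of a policy's `conditions:` map against the request.
    Assumptions: a field absent from the context fails, and unparsable IPs fail."""
    if field not in context:
        return False
    value, opts, kind = context[field], cond.get("options", {}), cond["type"]
    if kind == "StringEqualCondition":
        return value == opts["equals"]
    if kind == "StringMatchCondition":
        # unanchored search, like Go's regexp.MatchString (an assumption)
        return re.search(opts["matches"], str(value)) is not None
    if kind == "MatchPrincipalsCondition":
        # a list-valued field (e.g. collaborators) matches if any entry is a principal
        values = value if isinstance(value, list) else [value]
        return any(v in principals for v in values)
    if kind == "CIDRCondition":
        try:
            # strict=False accepts host bits set, e.g. the README's 192.168.0.1/16
            return ipaddress.ip_address(value) in ipaddress.ip_network(opts["cidr"], strict=False)
        except ValueError:
            return False
    raise ValueError(f"unknown condition type {kind!r}")

def conditions_hold(conditions, context, principals) -> bool:
    """Every condition on a policy must hold (assumption: they are ANDed)."""
    return all(condition_holds(f, c, context, principals) for f, c in conditions.items())

# Constructed request: the README's example principals plus a context.
PRINCIPALS = ["userid:ldap|user", "email:user@corp.com", "group:Employee", "group:Admins", "role:editor"]
CONTEXT = {"env": "dev", "country": "catalunya", "bucket": "blocklists-staging",
           "owner": ["userid:ldap|user", "userid:maria"], "remoteIP": "192.168.4.20"}
CONDITIONS = {
    "env": {"type": "StringEqualCondition", "options": {"equals": "dev"}},
    "bucket": {"type": "StringMatchCondition", "options": {"matches": "blocklists-.*"}},
    "owner": {"type": "MatchPrincipalsCondition"},
    "remoteIP": {"type": "CIDRCondition", "options": {"cidr": "192.168.0.1/16"}},
}
```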

Run from source

make serve -e POLICIES=sample.yaml

Run tests

make test

Generate API docs

make api-docs

Build docker container

make docker-build

License

  • MPLv2.0
  • The logo was made by Mathieu Leplatre with Inkscape and released under CC0