FIWARE / kong-plugins-fiware

Kong plugin to support attribute-based access management for NGSI requests with the iSHARE scheme
MIT License
4 stars 0 forks source link

Kong-keyrock Authorize issue with Query parameter. #25

Open ravipodila opened 1 year ago

ravipodila commented 1 year ago

Hi

I tried to use this Kong image and was able to install kong and is running.

I have a issue with keyrock permission :

                  **Without using Query parameters**
                  In Keyrock UI, I have set the keyrock permission:  method: GET, resource : **/ngsi-ld/v1/entities** 
                  when i try to get the entities using postman it works with out issues 

                  **With using Query parameters**
                  In Keyrock UI, when i set the keyrock permission:  method: GET, resource: **/ngsi-ld/v1/entities?type=city**
                  This  fails to authorize gives error:
                   [pep-plugin:1121] time="2023-08-10T06:16:21Z" level=debug msg="Delegate decision to Keyrock.", context: ngx.timer
                   [pep-plugin:1121] time="2023-08-10T06:16:21Z" level=info msg="[Keyrock] Request was not allowed. Response was &
                   {0xc00020ed00 {0 0} false 0xc000022080 <nil> 0x6a1100}.", context: ngx.timer
                   [pep-plugin:1121] time="2023-08-10T06:16:21Z" level=info msg="Request was not allowed.", context: ngx.timer

Same situation when i try to POST the data

                  **Without using Query parameters**
                  In Keyrock UI, I have set the keyrock permission method: GET, resource : **/ngsi-ld/v1/entityOperations/upsert** 
                  when i try to get the entities using postman it works with out issues 

                  **With using Query parameters**
                  In Keyrock UI, when i set the keyrock permission method: GET, resource: **/ngsi-ld/v1/entityOperations/upsert?type=city**
                  This  fails to authorize gives error:
                   [pep-plugin:1121] time="2023-08-10T06:16:21Z" level=debug msg="Delegate decision to Keyrock.", context: ngx.timer
                   [pep-plugin:1121] time="2023-08-10T06:16:21Z" level=info msg="[Keyrock] Request was not allowed. Response was &
                   {0xc00020ed00 {0 0} false 0xc000022080 <nil> 0x6a1100}.", context: ngx.timer
                   [pep-plugin:1121] time="2023-08-10T06:16:21Z" level=info msg="Request was not allowed.", context: ngx.timer  

my kong congif

orion-a

  - host: "orion.fiware.svc.cluster.local"
    name: "orion"
    port: 1026
    protocol: http

    routes:
      - name: orion
        paths:
          - /kong_prefix
        strip_path: true

    plugins:
      - name: rate-limiting
        config: 
          minute: 5

      - name: pep-plugin
        config:
          authorizationendpointtype: Keyrock
          authorizationendpointaddress: http://keyrock.fiware.svc.cluster.local:3005/user
          keyrockappid: 8216*********************************
          pathprefix: /kong_prefix

      - name: request-transformer
        config:
          remove:
            headers:
              - Authorization
              - authorization

Why am i not able to give Query parameter : type as a filter in keyrock permission so that user with specific permission entity type (in this case city) can only get the data and others get denied for rest of the entity types.

how can i give permission based on Query parameter : type .