OpenBankingToolkit / openbanking-analytics

Open Banking analytics: provides KPIs for your Open Banking ecosystem
Apache License 2.0

Access to Analytics used to require a manually added user privilege #140

Closed BohoCode closed 4 years ago

BohoCode commented 4 years ago

It has always been the case that a user permission is required to access the analytics app. For some reason, during the refactoring of applications, this functionality has disappeared. It is important for users of the analytics app that the competitive information within is kept private.

In order to give a user the ability to view analytics you should have to;

  1. Login to https://am./XUI
  2. Select ‘Realms -> Auth’ from top menu
  3. Select ‘Identities’ from side menu
  4. Find username in list (or create if it does not exist yet)
  5. Click on user
  6. Add value ‘forgerock’ to field ‘MSISDN Number’
  7. Click ‘Save Changes’

jsanhc commented 4 years ago

For the first approach: In order to give a user the ability to view analytics you should have to;

  1. Login to https://am./XUI
  2. Select ‘Realms -> Auth’ from top menu
  3. Select ‘Identities’ from side menu
  4. Find username in list (or create if it does not exist yet)
  5. Click on user
  6. Add values ‘READ_KPI’ and ‘PUSH_KPI’ to field ‘MSISDN Number’
  7. Click ‘Save Changes’

BohoCode commented 4 years ago

PUSH_KPI? That sounds a bit odd. Surely it's just access to read? We want to collect KPIs for all user interactions, i.e. it's the client APIs that should all have PUSH_KPI, not the users?

BohoCode commented 4 years ago

Will also need PRs to release aspsp and increment version in openbanking-reference-implementation?

jsanhc commented 4 years ago

True, that sounds a bit odd, but for the first approach to the solution I don't want to apply big changes to the source. For the moment the source has the security control below:

```java
.antMatchers(HttpMethod.POST, "/api/kpi/**").hasAuthority(AnalyticsAuthority.PUSH_KPI.getAuthority())
.antMatchers(HttpMethod.GET, "/api/kpi/**").hasAuthority(AnalyticsAuthority.READ_KPI.getAuthority())
```

It's checking different authorities for the same context. This means that to push KPIs it will also be necessary to have the READ_KPI authority, and the same to read KPIs. It also means that we need to apply new changes to have a final solution approach, with the below changes:
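The two antMatchers rules quoted in the comment above, modelled in Python so that their method-by-method behaviour can be exercised without a Spring context. This is an added example, not code from the openbanking-analytics project or from either commenter. The Ant-pattern translation, the request paths and the authority sets are constructed for the example; granted authorities are passed in directly rather than derived from the ‘MSISDN Number’ field the thread describes. As in Spring's ordered matchers, the first rule whose method and pattern match decides; a request matched by neither rule returns None, because what the project's chain does for unmatched requests is not shown on the page.

```python
"""Model of the two Spring Security antMatchers rules quoted in issue #140.

Added example, not project code. Ant-pattern handling and sample paths are
constructed here; authority sets are supplied directly instead of being read
from the user's MSISDN field.
"""
import re
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional, Set


class AnalyticsAuthority(Enum):
    """Mirrors the two authority names visible in the quoted config."""
    PUSH_KPI = "PUSH_KPI"
    READ_KPI = "READ_KPI"


@dataclass(frozen=True)
class Rule:
    method: str                      # HTTP method the matcher is bound to
    pattern: str                     # Ant-style path pattern
    required: AnalyticsAuthority     # authority hasAuthority() demands


def ant_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate the subset of Ant path syntax needed here.

    '/**' at a segment boundary matches zero or more further segments,
    '*' matches any run of non-'/' characters, '?' one such character.
    Everything else is literal.
    """
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out.append("(?:/.*)?")
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


# The two rules from the quoted config, in the order they appear.
RULES = [
    Rule("POST", "/api/kpi/**", AnalyticsAuthority.PUSH_KPI),
    Rule("GET", "/api/kpi/**", AnalyticsAuthority.READ_KPI),
]


def authorize(method: str, path: str, granted: Set[str],
              rules: Iterable[Rule] = RULES) -> Optional[bool]:
    """Return True/False from the first matching rule, None if no rule matched.

    Spring evaluates ordered matchers the same way; what happens to an
    unmatched request depends on the rest of the chain, which the thread
    does not show, so it is left undecided here.
    """
    for rule in rules:
        if rule.method == method.upper() and ant_to_regex(rule.pattern).match(path):
            return rule.required.value in granted
    return None


def scenarios() -> dict:
    """Exercise the rules with three constructed principals."""
    viewer = {"READ_KPI"}                 # a person viewing the analytics app
    pusher = {"PUSH_KPI"}                 # a client API reporting KPIs
    both = {"READ_KPI", "PUSH_KPI"}       # the first-approach user from the thread
    return {
        "viewer reads": authorize("GET", "/api/kpi/tpp/summary", viewer),
        "viewer pushes": authorize("POST", "/api/kpi/tpp/summary", viewer),
        "pusher pushes": authorize("POST", "/api/kpi", pusher),
        "pusher reads": authorize("GET", "/api/kpi", pusher),
        "both does either": (authorize("GET", "/api/kpi/x", both)
                             and authorize("POST", "/api/kpi/x", both)),
        "outside matchers": authorize("GET", "/api/other", viewer),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:18} -> {outcome}")
```

Running the scenarios shows what the two matchers enforce on their own: a GET under /api/kpi needs READ_KPI and a POST needs PUSH_KPI, each decided by the first rule that matches the request's method and path.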

BohoCode commented 4 years ago

@jorgesanchezperez can you add a link to the PR(s) that fixes this issue please?

BohoCode commented 4 years ago

Don't worry! I've found it; https://github.com/OpenBankingToolkit/openbanking-analytics/pull/142

BohoCode commented 4 years ago

@jorgesanchezperez This issue can be closed now?

BohoCode commented 4 years ago

Ah, no - leaving open for part 2 right?