absmach / magistrala

Industrial IoT Messaging and Device Management Platform
https://www.abstractmachines.fr/magistrala.html
Apache License 2.0

Research Ory for fine-grained access control #377

Closed drasko closed 4 years ago

drasko commented 6 years ago

Ory has a whole set of nice Go-based projects that can be integrated to obtain role-based access control in Mainflux.

Once we start going towards groups of users and admin-based control we will need something like this.

We have researched Ladon before, but there are some new products like Keto or Oathkeeper.

sking2600 commented 6 years ago

Could we also add OPA as another option to evaluate? Oathkeeper seems to add unnecessary overhead as another reverse proxy, plus it only supports HTTP. Wouldn't we want to leave the door open to support clients using WS/CoAP/MQTT as well? Also, Keto is built on Ladon, which requires Postgres, MySQL or CockroachDB. I know the current user/thing DB uses Postgres, but it's also my understanding that there's interest in supporting other databases to improve scaling and schema flexibility.

It would seem that IoT access policies will have a much greater diversity/novelty compared to those of the cloud (ex: "employees below the rank of manager are not allowed to turn on the air conditioning unless they are currently clocked in and weather.gov says the heat index for my location is greater than 30C, or if the thermostat inside the facility exceeds 35C" or "the person that I'm renting out my house to on Airbnb is only allowed to unlock my front door from 9am Saturday to 3pm Monday"), so I'd hope that whatever access control solution is picked keeps those use cases in mind.

https://github.com/open-policy-agent/opa

ghost commented 5 years ago

Thanks for the tip @sking2600 , OPA looks really good IMO.

drasko commented 5 years ago

@dusanb94 @nmarcetic quick analysis from @anovakovic01 showed that this can be used for both API keys and Groups. He compared Ladon and Keto, both can be useful, but he leans towards Keto.

Please sync with him for further work on these issues.

drasko commented 5 years ago

@nmarcetic - assigned to you

nmarcetic commented 4 years ago

Ory/Keto is a great product! Really great. As you can see from the GitHub thread, they built Keto on top of OPA; to be precise, they use OPA as the decision-making engine, but they built a user-friendly API and policy management (from the Ladon project) which is a copy of AWS IAM + ACL, RBAC. From the issue, you can see they researched why they chose OPA, but also some really good cons about OPA. My general impression is that the project is great and worth trying. OPA is low level, just an engine; you must build your policy server around it (as they did with Keto), Rego is complex, hard learning curve, etc... I would rather give Keto a chance, it will be much faster and easier. I don't think we need more than 5 days for a PoC of ACL for Mainflux channels.

The only thing that I see is missing is a gRPC API. It will affect our performance a lot.

I opened an issue ory/keto: Issue

Unfortunately, no gRPC for now.

Other products from Ory:

Ladon is a library, a bit deprecated I would say; even the Ory crew switched to OPA.

Hydra is an OAuth2 and OpenID server.

Oathkeeper is a proxy for HTTP, acting as a gatekeeper.

Hive is an identity management service (user registration, login, social sign-in, password reset, MFA, ...), sort of along the lines of Auth0 or AWS Cognito, but as an OSS solution.

Nothing interesting for Mainflux, only Keto makes sense for now.

Should Keto be used for API Keys, or only for RBAC / IAM Policies?

It can't be used for API keys; its only purpose is to act as a decision engine which exposes an HTTP API and can answer the question: can identity X perform operation Y on resource Z? You set this rule in the form of an IAM policy (JSON document); what will represent the resource is your choice (name, ID, UUID, API key, whatever... it's just a string). Then when you want to do AuthZ you call the API to check if this identity can access the resource: YES/NO. That's it.

Is OPA heavy-weight for a gateway (I heard 20 MB minimum)? Not sure, I need to check this. Google is working on a light version (they left the OPA project as contributors).

Maybe we can check this, it's written in C.

If yes - do we need to drag this OPA in a sidecar always - can we use Keto without it?

No, Keto relies on OPA; they use it as the engine (they built Keto on top of OPA to simplify usage, OPA is complicated).

Does Casbin make sense for us (lightweight), and is it an alternative to OPA or Keto as well?

YES, it's similar to Ladon and can be used as a library.

I would suggest doing a PoC with Casbin. I will open an issue for the PoC.
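Both the conditional IoT policies sking2600 sketches above (time windows, contextual attributes) and the "identity X can/cannot perform operation Y on resource Z" model nmarcetic describes reduce to the same engine shape: a set of policy documents, a glob or pattern match on subject/action/resource, optional conditions, and a yes/no decision. The Go program below is an added example written for this thread; it is not code from Keto, Ladon, OPA, Casbin or Mainflux. The policy schema, the `time_window` condition, the channel names and the policy IDs are all constructed for illustration. It loads an IAM-style JSON policy set, evaluates deny-overrides with default deny, and fails closed on an unknown condition type.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
	"time"
)

// Policy is an IAM/Ladon-style document; the schema is constructed here, not Keto's or Ladon's.
type Policy struct {
	ID         string      `json:"id"`
	Subjects   []string    `json:"subjects"`  // glob patterns, e.g. "thing:*"
	Actions    []string    `json:"actions"`   // glob patterns, e.g. "publish"
	Resources  []string    `json:"resources"` // glob patterns, e.g. "channels/*"
	Effect     string      `json:"effect"`    // "allow" or "deny"
	Conditions []Condition `json:"conditions,omitempty"`
}

// Condition restricts when a policy applies; only "time_window" (HH:MM, UTC) is implemented.
type Condition struct {
	Type  string `json:"type"`
	Start string `json:"start,omitempty"`
	End   string `json:"end,omitempty"`
}

// Request is the question the engine answers: may Subject do Action on Resource at Now?
type Request struct {
	Subject, Action, Resource string
	Now                       time.Time
}

func LoadPolicies(doc string) ([]Policy, error) {
	var ps []Policy
	err := json.Unmarshal([]byte(doc), &ps)
	return ps, err
}

// matchAny uses path.Match, so "*" does not cross "/" and a malformed pattern never matches.
func matchAny(patterns []string, value string) bool {
	for _, pat := range patterns {
		if ok, err := path.Match(pat, value); err == nil && ok {
			return true
		}
	}
	return false
}

// inWindow checks an HH:MM window in UTC, including a window that crosses midnight.
func inWindow(now time.Time, start, end string) bool {
	hhmm := now.UTC().Format("15:04")
	if start <= end {
		return hhmm >= start && hhmm <= end
	}
	return hhmm >= start || hhmm <= end
}

// matches is true only if subject, action and resource all match and every
// condition holds; an unknown condition type makes the policy fail closed.
func (p Policy) matches(r Request) bool {
	ok := matchAny(p.Subjects, r.Subject) && matchAny(p.Actions, r.Action) && matchAny(p.Resources, r.Resource)
	for _, c := range p.Conditions {
		ok = ok && c.Type == "time_window" && inWindow(r.Now, c.Start, c.End)
	}
	return ok
}

// Decide returns the yes/no answer and the deciding policy ID with deny-overrides
// semantics: any matching deny wins, else the first matching allow, else default deny.
func Decide(policies []Policy, r Request) (bool, string) {
	allowed, reason := false, "no matching policy (default deny)"
	for _, p := range policies {
		if !p.matches(r) {
			continue
		}
		if p.Effect == "deny" {
			return false, "denied by " + p.ID
		}
		if p.Effect == "allow" && !allowed {
			allowed, reason = true, "allowed by "+p.ID
		}
	}
	return allowed, reason
}

// SamplePolicies is a constructed policy set over Mainflux-style channel names.
const SamplePolicies = `[
  {"id":"admins-full","subjects":["user:admin"],"actions":["*"],"resources":["channels/*"],"effect":"allow"},
  {"id":"sensor-publish","subjects":["thing:*"],"actions":["publish"],"resources":["channels/ch-42"],"effect":"allow"},
  {"id":"guest-read-office-hours","subjects":["user:guest"],"actions":["read"],"resources":["channels/*"],"effect":"allow","conditions":[{"type":"time_window","start":"09:00","end":"17:00"}]},
  {"id":"nobody-deletes","subjects":["*"],"actions":["delete"],"resources":["channels/*"],"effect":"deny"}
]`

func main() {
	ps, err := LoadPolicies(SamplePolicies)
	if err != nil {
		panic(err)
	}
	noon := time.Date(2020, 1, 1, 12, 0, 0, 0, time.UTC)
	fmt.Println(Decide(ps, Request{"user:admin", "delete", "channels/ch-42", noon}))                  // false denied by nobody-deletes
	fmt.Println(Decide(ps, Request{"user:guest", "read", "channels/ch-1", noon}))                     // true allowed by guest-read-office-hours
	fmt.Println(Decide(ps, Request{"user:guest", "read", "channels/ch-1", noon.Add(10 * time.Hour)})) // false no matching policy (default deny)
}
```

The point of the `Decide` shape is that it is exactly what a decision endpoint (HTTP today, gRPC if Keto ever adds it) would expose to the Mainflux services: the caller passes three strings and gets back a boolean, and everything about what the strings mean lives in the policy documents rather than in the service code. Two details matter for an IoT deployment: a deny policy must beat an admin wildcard (otherwise "nobody deletes channels" is not enforceable), and an unrecognised condition type must deny rather than be skipped, or a typo in a policy silently widens access.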