orchestracities / anubis

Anubis: a flexible policy enforcement solution for NGSI APIs (and beyond!)
https://anubis-pep.readthedocs.org
Apache License 2.0

attribute based access control #109

Open chicco785 opened 2 years ago

chicco785 commented 2 years ago

Is your feature request related to a problem? Please describe.

Currently, by implementing the WAC standard profile, Anubis supports only RBAC. While not formalized, the specs discuss the possibility of using ODRL to express obligations required to be met by agents prior to accessing a resource (cf. the authorization-extensions section in the WAC spec).

We could define the extension as

    oc-acl:constraint a rdf:Property ;
        :comment "The information resource to which access is being granted." ;
        :domain acl:Authorization ;
        :label "Has Constraint"@en ;
        rdfs:range [
            a owl:Class ;
            owl:unionOf ( odrl:Constraint odrl:LogicalConstraint ) ;
        ] .

to allow acl rules to have constraints.

    oc-acl:constraint [
        odrl:leftOperand ? ;
        odrl:operator odrl:isA ;
        odrl:rightOperand ?
    ]

Describe the solution you'd like

A clear and concise description of what you want to happen.

Describe alternatives you've considered

A clear and concise description of any alternative solutions or features you've considered.

Additional context

Add any other context or screenshots about the feature request here.

chicco785 commented 2 years ago

The language is documented in https://github.com/orchestracities/anubis-vocabulary

chicco785 commented 2 years ago

We need to decide in a next release how to implement this in the backend.
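
One way a backend could evaluate a rule that carries the proposed `oc-acl:constraint`, as an added example that is not part of this thread or of Anubis's code. Rules and requests are plain dicts standing in for parsed RDF; the `ex:` names, the role check on `acl:agentClass`, the membership reading of `odrl:isA` and the deny-on-unknown behaviour are assumptions of the example.

```python
# Added illustration, not Anubis code. All ex: names and sample values are constructed.

def _is_a(left, right):
    # Assumed reading of odrl:isA: the right operand is among the value's types.
    types = left if isinstance(left, (set, list, tuple)) else [left]
    return right in types

OPERATORS = {
    "odrl:eq": lambda left, right: left == right,
    "odrl:neq": lambda left, right: left != right,
    "odrl:isA": _is_a,
    "odrl:isAnyOf": lambda left, right: left in right,
}

def check_constraint(constraint, attributes):
    """Return True only if the constraint holds; anything unresolvable denies."""
    # odrl:LogicalConstraint: nested constraints combined with odrl:and / odrl:or.
    for logical, combine in (("odrl:and", all), ("odrl:or", any)):
        if logical in constraint:
            operands = constraint[logical]
            return bool(operands) and combine(
                check_constraint(c, attributes) for c in operands)
    # odrl:Constraint: leftOperand names an attribute of the request context.
    op = OPERATORS.get(constraint.get("odrl:operator"))
    left = constraint.get("odrl:leftOperand")
    if op is None or left not in attributes or "odrl:rightOperand" not in constraint:
        return False  # unknown operator or missing attribute: fail closed
    return op(attributes[left], constraint["odrl:rightOperand"])

def is_authorized(rule, request):
    """RBAC match first (role, mode, resource), then the attribute constraint."""
    if rule["acl:agentClass"] not in request["roles"]:
        return False
    if request["mode"] not in rule["acl:mode"] or request["resource"] != rule["acl:accessTo"]:
        return False
    constraint = rule.get("oc-acl:constraint")
    return constraint is None or check_constraint(constraint, request["attributes"])

RULE = {  # constructed sample rule
    "acl:agentClass": "ex:Operator",
    "acl:mode": {"acl:Read"},
    "acl:accessTo": "/v2/entities/urn:Room:1",
    "oc-acl:constraint": {"odrl:and": [
        {"odrl:leftOperand": "ex:entityType", "odrl:operator": "odrl:isA",
         "odrl:rightOperand": "ex:Room"},
        {"odrl:leftOperand": "ex:department", "odrl:operator": "odrl:eq",
         "odrl:rightOperand": "facilities"},
    ]},
}
```

A rule without `oc-acl:constraint` is decided by the RBAC checks alone, so existing policies keep their current meaning.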