Security PDP AuthZ Realm
Description
The DDF Security PDP AuthZ Realm exposes a Realm service that makes decisions on authorization requests using the attributes stored within the Metacard to determine if access should be granted. Unlike the Security PDP XACML Realm, this realm does not use XACML and does not delegate decisions to an external processing engine. Decisions are made based on "match-all" and "match-one" logic. The configuration below provides the mapping between user attributes and Metacard attributes - one map exists for each type of mapping (each map may contain multiple values).
Match-All Mapping: This mapping is used to guarantee that all values present in the specified Metacard attribute exist in the corresponding user attribute.
Match-One Mapping: This mapping is used to guarantee that at least one of the values present in the specified Metacard attribute exists in the corresponding user attribute.
Configuration
Installation
This bundle is not installed by default and can be added by installing the security-pdp-java feature.
Settings
Settings can be found in the webconsole under Configuration -> Security Simple AuthZ Realm.
Configuration Name | Default Value | Additional Description |
---|---|---|
Roles | admin | Add all the roles that allow access to restricted actions. Any user that has any one of these roles will be allowed access to restricted actions. |
Open Action List | | Add any actions that will not be restricted by role. Any action listed here will automatically be allowed to be performed by any user in any role. |
Match-All Mappings | | These map user attributes to metacard security attributes to be used in "Match All" checking. All the values in the metacard attribute must be present in the user attributes in order to "pass" and allow access. These attribute names are case-sensitive. |
Match-One Mappings | | These map user attributes to metacard security attributes to be used in "Match One" checking. At least one of the values from the metacard attribute must be present in the corresponding user attribute to "pass" and allow access. These attribute names are case-sensitive. |
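The decision logic described above (roles, the open action list, and the match-all and match-one mappings) as an added Python model; this is not DDF's own code, and the attribute names, configuration values, users and Metacard below are constructed for illustration. It also shows why a case mismatch in an attribute name silently fails the check.

```python
# Added example, not DDF's own code: a minimal model of the decision logic the
# Security PDP AuthZ Realm page describes. The attribute names, configuration,
# user and Metacard values below are all constructed for illustration.

def is_permitted(user, action, metacard, config):
    """True when `user` may perform `action` on `metacard`.
    user:     {"roles": set, "attributes": {attr_name: set_of_values}}
    metacard: {attr_name: set_of_values}  (the Metacard's security attributes)
    config:   {"roles": set, "open_actions": set,
               "match_all": {user_attr: metacard_attr}, "match_one": {...}}
    """
    # Open Action List: these actions are never restricted, for any user.
    if action in config["open_actions"]:
        return True
    # Roles: holding any one configured role grants restricted actions outright.
    if user["roles"] & config["roles"]:
        return True
    attrs = user["attributes"]  # attribute names are case-sensitive (dict lookup)
    # Match-All: every value on the Metacard attribute must be on the user.
    for user_attr, mc_attr in config["match_all"].items():
        if not metacard.get(mc_attr, set()) <= attrs.get(user_attr, set()):
            return False
    # Match-One: at least one Metacard value must be on the user.
    # Assumption: a Metacard without the attribute imposes no restriction for
    # that mapping (the page does not say how an unset attribute is handled).
    for user_attr, mc_attr in config["match_one"].items():
        required = metacard.get(mc_attr, set())
        if required and not (required & attrs.get(user_attr, set())):
            return False
    return True

# Constructed configuration mirroring the four settings described on the page.
CONFIG = {
    "roles": {"admin"},
    "open_actions": {"query"},
    "match_all": {"clearance": "security.classification"},
    "match_one": {"projects": "security.releasable-to"},
}
# Constructed Metacard: needs SECRET clearance and membership in alpha or bravo.
METACARD = {"security.classification": {"SECRET"},
            "security.releasable-to": {"alpha", "bravo"}}
ANALYST = {"roles": {"user"}, "attributes": {"clearance": {"SECRET"}, "projects": {"bravo"}}}
VISITOR = {"roles": {"user"}, "attributes": {"clearance": {"SECRET"}, "projects": {"charlie"}}}
ADMIN = {"roles": {"admin"}, "attributes": {}}
# Same values as ANALYST, but "Clearance" is not "clearance": the mapping never matches.
MISCASED = {"roles": {"user"}, "attributes": {"Clearance": {"SECRET"}, "projects": {"bravo"}}}
```

Calling `is_permitted(VISITOR, "read", METACARD, CONFIG)` returns False because no project overlaps, while the same user is allowed the open action `"query"`.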
Implementation Details
Imported Services
None
Exported Services
Registered Interfaces | Implementation Class | Properties Set |
---|---|---|
org.apache.shiro.realm.Realm, org.apache.shiro.authz.Authorizer | ddf.security.pdp.realm.SimpleAuthzRealm | None |