Archived

This forum has been archived. Please start a new discussion on GitHub.

Authorisation of Requests to Server Objects and Facets

Hi,

I have a more general question about the correct/best approach to the following problem:

I would like to be able to authorise all requests to servers based on a range of variables, including the client IP address, the server being called, the facet being called on that server, and the id of the client that made the request. The use case is to restrict users' access, based on a role, to certain server objects and facets.

Currently all requests from clients are authenticated by a Glacier2 server. Once authenticated, requests to all facets of all server components can be made.

So far I have identified the following possible solutions:
1. Server components themselves carry out authorisation of each request. It seems a bit messy to include this logic in each server component, and it also means unnecessary unauthorised traffic will hit server components. It would be better to deny them at Glacier2 and cut down overall traffic.

2. A plugin on Glacier2 which makes a true or false decision on whether to authorise the request based on whatever rules are implemented. I have seen an attempt to do this here:
https://zeroc.com/forums/help-center/5750-extending-glacier2-allow-customized-request-filtering.html

However, this attempt was abandoned and I suspect the same key issues still exist regarding SSL context forwarding etc., as listed in the last post.

3. Dynamic request filtering. This will work for restricting access to different servers, but I can't see how it is possible to allow some users access to specific facets on a server, and not others.

Thanks in advance!
Cheers
Chris

Comments

  • benoit (Rennes, France)
    Hi Chris,

    Glacier2 already supports some form of filtering, either through configuration properties or with the Glacier2::SessionControl interface. You can filter access on Ice object identities, categories, and adapter IDs. These filters can be modified during the session lifetime of the client. Filtering on Ice object facets is currently not possible, however. For more information on this, see https://doc.zeroc.com/display/Ice/Dynamic+Request+Filtering+with+Glacier2

    Can't you establish which Ice objects your session will be allowed to access when the session is created and set up these filters appropriately? You have access to the client IP and client credentials when the session is created.

    We don't currently support implementing Glacier2 filters to allow filtering when the request is received and before it's forwarded to the server. This is something we could eventually consider adding in the future.

    Cheers,
    Benoit.
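
The two-layer split that the thread arrives at, as an added illustration (not ZeroC's code and not code from either poster): the coarse identity/category filters are computed once at session creation from the user's role and client address, which is what a Glacier2 session manager would push into Glacier2::SessionControl, while the facet-level decision, which Glacier2 cannot make, is a separate check the server runs on each dispatch. The role table, user directory, network ranges, and the Rule/SessionFilters types are all assumptions constructed for the example; the Ice and Glacier2 calls are named only in comments, and the module runs with the standard library alone.

```python
"""Two-layer authorisation for Ice servers behind Glacier2 (added example).

Layer 1, per session: derive the identity/category filters a Glacier2
SessionManager would set through Glacier2::SessionControl when the session
is created (it knows the user id and the client address at that point).
Layer 2, per request: the facet check Glacier2 cannot perform, which the
server does itself from the identity and facet of the incoming request
(in Ice these arrive in Ice::Current.id and Ice::Current.facet).
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
import ipaddress


@dataclass(frozen=True)
class Rule:
    """Role may call `facet` on objects whose identity is category/name."""
    category: str
    name: str      # glob over the identity name, "*" = every object in the category
    facet: str     # glob over the facet name, "" = the default facet only


# Constructed sample policy (assumption, not from the thread).
ROLE_RULES = {
    "operator": [Rule("Sensor", "*", ""), Rule("Sensor", "*", "Calibration")],
    "viewer":   [Rule("Sensor", "*", ""), Rule("Report", "daily", "")],
}

# Constructed user directory: user -> (role, networks the user may log in from).
USERS = {
    "alice": ("operator", ["10.0.0.0/8"]),
    "bob":   ("viewer",   ["10.0.0.0/8", "192.168.1.0/24"]),
}


@dataclass
class SessionFilters:
    """What the session manager would push into SessionControl."""
    categories: set = field(default_factory=set)   # -> control.categories().add(...)
    identities: set = field(default_factory=set)   # -> control.identities().add(...)


def session_filters(user, remote_addr):
    """Return the Glacier2 filters for this session, or None to refuse it.

    The filters are deliberately coarse: the union of every object that any
    rule of the role grants, regardless of facet. If they were narrower, a
    request the role is allowed to make on one facet would be dropped at
    Glacier2 before the server ever saw it.
    """
    if user not in USERS:
        return None
    role, nets = USERS[user]
    addr = ipaddress.ip_address(remote_addr)
    if not any(addr in ipaddress.ip_network(n) for n in nets):
        return None   # unknown source network: refuse the session
    filters = SessionFilters()
    for r in ROLE_RULES[role]:
        if r.name == "*":
            filters.categories.add(r.category)
        else:
            filters.identities.add((r.category, r.name))
    return filters


def authorize(role, category, name, facet):
    """Per-request check done in the server: deny unless some rule matches.

    `category`/`name` are the target identity, `facet` the requested facet
    ("" for the default facet). Glacier2 has already reduced traffic to the
    objects in the session filters; this is where facets get enforced.
    """
    return any(
        r.category == category
        and fnmatchcase(name, r.name)
        and fnmatchcase(facet, r.facet)
        for r in ROLE_RULES.get(role, ())
    )
```

Note that `session_filters` must widen, not narrow, relative to `authorize`: Glacier2's filter is the union over all facets a role may use, and the server's check is what actually tells the Calibration facet apart from the default one. A deny at the server still costs a forwarded request, which is exactly the residual traffic the first option in the question was worried about; only facet-level filtering inside Glacier2 would remove it.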