Loading config/permissions-open.yaml +120 −39 Original line number Diff line number Diff line Loading @@ -127,6 +127,7 @@ default: # # # # FORMAT: # # - name: 'svc-name' # service name # # api: 'api-name' # API-specific identifier (when service has multiple APIs) # # path: '/svc/base/path' # service base path # # sbox: true|false # sandbox deployment # # default: # default service permissions Loading @@ -145,6 +146,34 @@ default: # #------------------------------------------------------------------------------ # services: # #------------------------------ # # MEC Application Support (Sbox) # #------------------------------ # - name: 'meep-app-enablement' # api: 'mec_app_support' # path: '/mec_app_support/v1' # sbox: true # default: # mode: 'allow' # endpoints: # - name: 'Index' # path: '/' # method: 'GET' # mode: 'block' # #------------------------------ # # MEC Service Management (Sbox) # #------------------------------ # - name: 'meep-app-enablement' # api: 'mec_service_mgmt' # path: '/mec_service_mgmt/v1' # sbox: true # default: # mode: 'allow' # endpoints: # - name: 'Index' # path: '/' # method: 'GET' # mode: 'block' # #------------------------------ # # GIS Engine (Sbox) # #------------------------------ # - name: 'meep-gis-engine' Loading Loading 
@@ -230,45 +259,6 @@ default: # method: 'GET' # mode: 'block' # #------------------------------ # # MEC Application Support (Sbox) # #------------------------------ # - name: 'meep-app-enablement-app-supp' # path: '/mec_app_support/v1' # sbox: true # default: # mode: 'allow' # endpoints: # - name: 'Index' # path: '/' # method: 'GET' # mode: 'block' # #------------------------------ # # MEC Service Management (Sbox) # #------------------------------ # - name: 'meep-app-enablement-srv-mgmt' # path: '/mec_service_mgmt/v1' # sbox: true # default: # mode: 'allow' # endpoints: # - name: 'Index' # path: '/' # method: 'GET' # mode: 'block' # #------------------------------ # # Application Information (Sbox) # #------------------------------ # - name: 'meep-app-enablement-app-info' # path: '/app_info/v1' # sbox: true # default: # mode: 'allow' # endpoints: # - name: 'Index' # path: '/' # method: 'GET' # mode: 'block' # #------------------------------ # # Metrics Engine (Sbox) # #------------------------------ # - name: 'meep-metrics-engine' Loading Loading @@ -531,6 +521,41 @@ default: # roles: # admin: 'allow' # user: 'allow' # - name: 'GetActiveScenarioDomain' # path: '/active/domains' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'allow' # - name: 'GetActiveScenarioNetworkLocation' # path: '/active/networkLocations' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'allow' # - name: 'GetActiveScenarioPhysicalLocation' # path: '/active/physicalLocations' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'allow' # - name: 'GetActiveScenarioProcess' # path: '/active/processes' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'allow' # - name: 'GetActiveScenarioZone' # path: '/active/zones' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'allow' # - name: 'TerminateScenario' # path: '/active' # method: 'DELETE' Loading 
@@ -538,6 +563,62 @@ default: # roles: # admin: 'allow' # user: 'allow' # - name: 'ApplicationsAppInstanceIdDELETE' # path: '/applications/{appInstanceId}' # method: 'DELETE' # mode: 'verify' # roles: # admin: 'allow' # user: 'allow' # - name: 'ApplicationsAppInstanceIdGET' # path: '/applications/{appInstanceId}' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'allow' # - name: 'ApplicationsAppInstanceIdPUT' # path: '/applications/{appInstanceId}' # method: 'PUT' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'ApplicationsGET' # path: '/applications' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'allow' # - name: 'ApplicationsPOST' # path: '/applications' # method: 'POST' # mode: 'verify' # roles: # admin: 'allow' # user: 'allow' # - name: 'CreatePduSession' # path: '/connectivity/pdu-session/{ueName}/{pduSessionId}' # method: 'POST' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'GetPduSessionList' # path: '/connectivity/pdu-session' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'TerminatePduSession' # path: '/connectivity/pdu-session/{ueName}/{pduSessionId}' # method: 'DELETE' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'CreateReplayFile' # path: '/replay/{name}' # method: 'POST' Loading config/permissions-secure.yaml +17 −396 Original line number Diff line number Diff line Loading @@ -127,6 +127,7 @@ fileservers: # # # # FORMAT: # # - name: 'svc-name' # service name # # api: 'api-name' # API-specific identifier (when service has multiple APIs) # # path: '/svc/base/path' # service base path # # sbox: true|false # sandbox deployment # # default: # default service permissions Loading 
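Review bot: In the new `Applications*` reference entries, `ApplicationsAppInstanceIdPUT` is `user: 'block'` while `ApplicationsPOST` and `ApplicationsAppInstanceIdDELETE` are `user: 'allow'`, so a `user` may create and delete an application instance but not update it. If that asymmetry is intentional, a one-line comment next to the PUT entry stating why update is more privileged than create/delete would stop the next editor from "fixing" it; otherwise the three should agree. The whole `services:` block in this file appears to stay commented out as format documentation, so these entries are reference only and enforcement is decided by the uncommented copy in permissions-secure.yaml. The same point applies to the repeated rendering of this section further down the page.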
@@ -145,130 +146,51 @@ fileservers: # #------------------------------------------------------------------------------ services: #------------------------------ # GIS Engine (Sbox) #------------------------------ - name: 'meep-gis-engine' path: '/gis/v1' sbox: true default: mode: 'verify' roles: admin: 'allow' user: 'allow' # endpoints: # - name: 'GetAutomationState' # path: '/automation' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'allow' # - name: 'GetAutomationStateByName' # path: '/automation/{type}' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'allow' # - name: 'SetAutomationStateByName' # path: '/automation/{type}' # method: 'POST' # mode: 'verify' # roles: # admin: 'allow' # user: 'allow' # - name: 'DeleteGeoDataByName' # path: '/geodata/{assetName}' # method: 'DELETE' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'GetAssetData' # path: '/geodata' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'allow' # - name: 'GetGeoDataByName' # path: '/geodata/{assetName}' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'allow' # - name: 'UpdateGeoDataByName' # path: '/geodata/{assetName}' # method: 'POST' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' #------------------------------ # Location Service (Sbox) # MEC Application Support (Sbox) #------------------------------ - name: 'meep-loc-serv' path: '/location/v2' - name: 'meep-app-enablement' api: 'mec_app_support' path: '/mec_app_support/v1' sbox: true default: mode: 'verify' roles: admin: 'allow' user: 'allow' # endpoints: # - name: 'Index' # path: '/' # method: 'GET' # mode: 'block' #------------------------------ # MEC Application Support (Sbox) # MEC Service Management (Sbox) #------------------------------ - name: 'meep-app-enablement-app-supp' path: '/mec_app_support/v1' - name: 'meep-app-enablement' api: 'mec_service_mgmt' path: '/mec_service_mgmt/v1' sbox: true default: mode: 'verify' roles: 
admin: 'allow' user: 'allow' # endpoints: # - name: 'Index' # path: '/' # method: 'GET' # mode: 'block' #------------------------------ # MEC Service Management (Sbox) # GIS Engine (Sbox) #------------------------------ - name: 'meep-app-enablement-srv-mgmt' path: '/mec_service_mgmt/v1' - name: 'meep-gis-engine' path: '/gis/v1' sbox: true default: mode: 'verify' roles: admin: 'allow' user: 'allow' # endpoints: # - name: 'Index' # path: '/' # method: 'GET' # mode: 'block' #------------------------------ # App Information (Sbox) # Location Service (Sbox) #------------------------------ - name: 'meep-app-enablement-app-info' path: '/app_info/v1' - name: 'meep-loc-serv' path: '/location/v2' sbox: true default: mode: 'verify' roles: admin: 'allow' user: 'allow' # endpoints: # - name: 'Index' # path: '/' # method: 'GET' # mode: 'block' #------------------------------ # Metrics Engine (Sbox) #------------------------------ Loading 
@@ -280,84 +202,6 @@ services: roles: admin: 'allow' user: 'allow' # endpoints: # - name: 'PostEventQuery' # path: '/metrics/query/event' # method: 'POST' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'PostHttpQuery' # path: '/metrics/query/http' # method: 'POST' # mode: 'verify' # roles: # admin: 'allow' # user: 'allow' # - name: 'PostNetworkQuery' # path: '/metrics/query/network' # method: 'POST' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'CreateEventSubscription' # path: '/metrics/subscriptions/event' # method: 'POST' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'CreateNetworkSubscription' # path: '/metrics/subscriptions/network' # method: 'POST' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'DeleteEventSubscriptionById' # path: '/metrics/subscriptions/event/{subscriptionId}' # method: 'DELETE' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'DeleteNetworkSubscriptionById' # path: '/metrics/subscriptions/network/{subscriptionId}' # method: 'DELETE' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'GetEventSubscription' # path: '/metrics/subscriptions/event' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'GetEventSubscriptionById' # path: '/metrics/subscriptions/event/{subscriptionId}' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'GetNetworkSubscription' # path: '/metrics/subscriptions/network' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'GetNetworkSubscriptionById' # path: '/metrics/subscriptions/network/{subscriptionId}' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' #------------------------------ # Mobility Group Manager (Sbox) #------------------------------ Loading 
@@ -369,11 +213,6 @@ services: roles: admin: 'allow' user: 'allow' # endpoints: # - name: 'Index' # path: '/' # method: 'GET' # mode: 'block' #------------------------------ # Monitoring Engine #------------------------------ Loading @@ -385,18 +224,6 @@ services: roles: admin: 'allow' user: 'allow' # endpoints: # - name: 'Index' # path: '/' # method: 'GET' # mode: 'block' # - name: 'GetStates' # path: '/states' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'allow' #------------------------------ # Platform Controller #------------------------------ Loading 
@@ -408,95 +235,6 @@ services: roles: admin: 'allow' user: 'allow' # endpoints: # - name: 'Index' # path: '/' # method: 'GET' # mode: 'block' # - name: 'CreateSandbox' # path: '/sandboxes' # method: 'POST' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'CreateSandboxWithName' # path: '/sandboxes/{name}' # method: 'POST' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'DeleteSandbox' # path: '/sandboxes/{name}' # method: 'DELETE' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'DeleteSandboxList' # path: '/sandboxes' # method: 'DELETE' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'GetSandbox' # path: '/sandboxes/{name}' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'allow' # - name: 'GetSandboxList' # path: '/sandboxes' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'CreateScenario' # path: '/scenarios/{name}' # method: 'POST' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'DeleteScenario' # path: '/scenarios/{name}' # method: 'DELETE' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'DeleteScenarioList' # path: '/scenarios' # method: 'DELETE' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'GetScenario' # path: '/scenarios/{name}' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'allow' # - name: 'GetScenarioList' # path: '/scenarios' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'allow' # - name: 'SetScenario' # path: '/scenarios/{name}' # method: 'PUT' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' #------------------------------ # RNI Service (Sbox) #------------------------------ Loading 
@@ -508,11 +246,6 @@ services: roles: admin: 'allow' user: 'allow' # endpoints: # - name: 'Index' # path: '/' # method: 'GET' # mode: 'block' #------------------------------ # Sandbox Controller (Sbox) #------------------------------ Loading 
@@ -524,113 +257,6 @@ services: roles: admin: 'allow' user: 'allow' # endpoints: # - name: 'Index' # path: '/' # method: 'GET' # mode: 'block' # - name: 'ActivateScenario' # path: '/active/{name}' # method: 'POST' # mode: 'verify' # roles: # admin: 'allow' # user: 'allow' # - name: 'GetActiveNodeServiceMaps' # path: '/active/serviceMaps' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'GetActiveScenario' # path: '/active' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'allow' # - name: 'TerminateScenario' # path: '/active' # method: 'DELETE' # mode: 'verify' # roles: # admin: 'allow' # user: 'allow' # - name: 'CreateReplayFile' # path: '/replay/{name}' # method: 'POST' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'CreateReplayFileFromScenarioExec' # path: '/replay/{name}/generate' # method: 'POST' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'DeleteReplayFile' # path: '/replay/{name}' # method: 'DELETE' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'DeleteReplayFileList' # path: '/replay' # method: 'DELETE' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'GetReplayFile' # path: '/replay/{name}' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'GetReplayFileList' # path: '/replay' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'GetReplayStatus' # path: '/replaystatus' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'LoopReplay' # path: '/replay/{name}/loop' # method: 'POST' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'PlayReplayFile' # path: '/replay/{name}/play' # method: 'POST' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'StopReplayFile' # path: '/replay/{name}/stop' # method: 'POST' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 
'SendEvent' # path: '/events/{type}' # method: 'POST' # mode: 'allow' #------------------------------ # WAI Service (Sbox) #------------------------------ Loading @@ -642,8 +268,3 @@ services: roles: admin: 'allow' user: 'allow' # endpoints: # - name: 'Index' # path: '/' # method: 'GET' # mode: 'block' go-apps/meep-auth-svc/server/auth-svc.go +84 −26 Original line number Diff line number Diff line Loading @@ -67,6 +67,7 @@ const postgisUser = "postgres" const postgisPwd = "pwd" const pfmCtrlBasepath = "http://meep-platform-ctrl/platform-ctrl/v1" const providerModeSecure = "secure" const mepPrefix = "mep--" // Permission Configuration types type Permission struct { Loading @@ -90,6 +91,7 @@ type Endpoint struct { } type Service struct { Name string `yaml:"name"` Api string `yaml:"api"` Path string `yaml:"path"` Sbox bool `yaml:"sbox"` Default Permission `yaml:"default"` Loading Loading 
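Review bot: With the endpoint lists removed, every service in permissions-secure.yaml visible in this section is described only by its `default:` block, and each one is `mode: 'verify'` with `admin: 'allow'` and `user: 'allow'`, so the `user` role is granted every method under the service prefix. The deleted entries were `#`-commented, so they were presumably not enforced before either, but they were the only in-file record of the intended per-endpoint split: `CreateSandbox`, `DeleteScenario`, `SetScenario`, `DeleteGeoDataByName` and the metrics subscription endpoints were all marked `user: 'block'`. If the coarse service-level default is the intended secure policy, a comment on `services:` such as `# Per-endpoint restrictions are intentionally not applied; the service default governs all methods under each prefix.` would prevent a reader from assuming the omission is accidental; if it is not, the entries for the privileged operations should be re-enabled rather than deleted. The same applies to the repeated rendering of this file further down the page.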
@@ -365,32 +367,58 @@ func cacheServicePermissions(cfg *PermissionsConfig) { authSvc.cache.Services = make(map[string]map[string]*Permission) for _, svc := range cfg.Services { // Create new service + add it to service cache svcMap := make(map[string]*Permission) // Get/Create service + add it to service cache svcMap, found := authSvc.cache.Services[svc.Name] if !found { svcMap = make(map[string]*Permission) authSvc.cache.Services[svc.Name] = svcMap } // Get API-specific prefix if present apiPrefix := "" if svc.Api != "" { apiPrefix = svc.Api + "--" } // Service Endpoints for _, ep := range svc.Endpoints { // Cache service endpoint permissions // Create service endpoint permissions permission := new(Permission) permission.Mode = ep.Mode permission.Roles = make(map[string]string) for role, access := range ep.Roles { permission.Roles[role] = access } svcMap[ep.Name] = permission // Add auth service route // Add auth service routes + cache service endpoint permissions if svc.Sbox { // Mep-specific sandbox service endpoint route := new(AuthRoute) route.Name = ep.Name route.Prefix = false route.Method = ep.Method if svc.Sbox { route.Name = mepPrefix + apiPrefix + ep.Name route.Pattern = "/{sbox}/{mep}" + svc.Path + ep.Path routes = append(routes, route) svcMap[route.Name] = permission // Sandbox service endpoint route = new(AuthRoute) route.Prefix = false route.Method = ep.Method route.Name = apiPrefix + ep.Name route.Pattern = "/{sbox}" + svc.Path + ep.Path routes = append(routes, route) svcMap[route.Name] = permission } else { // Global service endpoint route := new(AuthRoute) route.Prefix = false route.Method = ep.Method route.Name = apiPrefix + ep.Name route.Pattern = svc.Path + ep.Path } routes = append(routes, route) svcMap[route.Name] = permission } } // Default service permissions Loading 
@@ -407,18 +435,33 @@ func cacheServicePermissions(cfg *PermissionsConfig) { // Use cache default permission if service-specific default is not found permission = authSvc.cache.Default } svcMap[svc.Name] = permission // Add auth service default route // Add auth service routes + cache service permissions if svc.Sbox { // Mep-specific sandbox service route := new(AuthRoute) route.Name = svc.Name route.Prefix = true if svc.Sbox { route.Name = mepPrefix + apiPrefix + svc.Name route.Pattern = "/{sbox}/{mep}" + svc.Path routes = append(routes, route) svcMap[route.Name] = permission // Sandbox service route = new(AuthRoute) route.Prefix = true route.Name = apiPrefix + svc.Name route.Pattern = "/{sbox}" + svc.Path routes = append(routes, route) svcMap[route.Name] = permission } else { // Global service route := new(AuthRoute) route.Prefix = true route.Name = apiPrefix + svc.Name route.Pattern = svc.Path } routes = append(routes, route) svcMap[route.Name] = permission } } // Add routes to router Loading 
@@ -432,25 +475,40 @@ func cacheFileserverPermissions(cfg *PermissionsConfig) { authSvc.cache.Fileservers = make(map[string]*Permission) for _, fs := range cfg.Fileservers { // Cache fileserver permissions // Create fileserver permissions permission := new(Permission) permission.Mode = fs.Mode permission.Roles = make(map[string]string) for role, access := range fs.Roles { permission.Roles[role] = access } authSvc.cache.Fileservers[fs.Name] = permission // Add auth service route // Add auth service routes + cache filserver permissions if fs.Sbox { // Mep-specific sandbox fileservers route := new(AuthRoute) route.Name = fs.Name route.Prefix = true if fs.Sbox { route.Name = mepPrefix + fs.Name route.Pattern = "/{sbox}/{mep}" + fs.Path routes = append(routes, route) authSvc.cache.Fileservers[route.Name] = permission // Sandbox fileserver route = new(AuthRoute) route.Prefix = true route.Name = fs.Name route.Pattern = "/{sbox}" + fs.Path routes = append(routes, route) authSvc.cache.Fileservers[route.Name] = permission } else { // Global fileserver route := new(AuthRoute) route.Prefix = true route.Name = fs.Name route.Pattern = fs.Path } routes = append(routes, route) authSvc.cache.Fileservers[route.Name] = permission } } // Add routes to router Loading Loading @@ -559,7 +617,6 @@ func asAuthenticate(w http.ResponseWriter, r *http.Request) { // Get service & sandbox name from request query parameters query := r.URL.Query() svcName := query.Get("svc") // sboxName := query.Get("sbox") var sboxName string // Get original request URL & method Loading @@ -585,7 +642,8 @@ func asAuthenticate(w http.ResponseWriter, r *http.Request) { if authSvc.router.Match(r, &match) { routeName := match.Route.GetName() sboxName = match.Vars["sbox"] log.Debug("routeName: ", routeName, " sboxName: ", sboxName) mepName := match.Vars["mep"] log.Debug("routeName: ", routeName, " sboxName: ", sboxName, " mepName: ", mepName) // Check service-specific routes if svcName != "" { Loading Loading
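Review bot: In cacheServicePermissions the new `svcMap, found := authSvc.cache.Services[svc.Name]` reuse means two config entries with the same `name` and the same (or no) `api` value silently overwrite each other's permission under an identical `route.Name`, while both routes are still appended to the router; the loaded policy then no longer matches the file and nothing is logged. A duplicate check before each `svcMap[route.Name] = permission`, e.g. `if _, dup := svcMap[route.Name]; dup { /* log the duplicate route name */ }`, would surface the misconfiguration at load time, and the same guard fits `authSvc.cache.Fileservers[route.Name]` in cacheFileserverPermissions. In asAuthenticate `mepName` is only logged within this hunk; if mep-specific routes are meant to be authorized differently from plain sandbox routes, that distinction should be visible in the lookup that follows, which is outside the hunk. Minor: the comment `// Add auth service routes + cache filserver permissions` should read `fileserver`.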
config/permissions-open.yaml +120 −39 Original line number Diff line number Diff line Loading @@ -127,6 +127,7 @@ default: # # # # FORMAT: # # - name: 'svc-name' # service name # # api: 'api-name' # API-specific identifier (when service has multiple APIs) # # path: '/svc/base/path' # service base path # # sbox: true|false # sandbox deployment # # default: # default service permissions Loading @@ -145,6 +146,34 @@ default: # #------------------------------------------------------------------------------ # services: # #------------------------------ # # MEC Application Support (Sbox) # #------------------------------ # - name: 'meep-app-enablement' # api: 'mec_app_support' # path: '/mec_app_support/v1' # sbox: true # default: # mode: 'allow' # endpoints: # - name: 'Index' # path: '/' # method: 'GET' # mode: 'block' # #------------------------------ # # MEC Service Management (Sbox) # #------------------------------ # - name: 'meep-app-enablement' # api: 'mec_service_mgmt' # path: '/mec_service_mgmt/v1' # sbox: true # default: # mode: 'allow' # endpoints: # - name: 'Index' # path: '/' # method: 'GET' # mode: 'block' # #------------------------------ # # GIS Engine (Sbox) # #------------------------------ # - name: 'meep-gis-engine' Loading Loading 
@@ -230,45 +259,6 @@ default: # method: 'GET' # mode: 'block' # #------------------------------ # # MEC Application Support (Sbox) # #------------------------------ # - name: 'meep-app-enablement-app-supp' # path: '/mec_app_support/v1' # sbox: true # default: # mode: 'allow' # endpoints: # - name: 'Index' # path: '/' # method: 'GET' # mode: 'block' # #------------------------------ # # MEC Service Management (Sbox) # #------------------------------ # - name: 'meep-app-enablement-srv-mgmt' # path: '/mec_service_mgmt/v1' # sbox: true # default: # mode: 'allow' # endpoints: # - name: 'Index' # path: '/' # method: 'GET' # mode: 'block' # #------------------------------ # # Application Information (Sbox) # #------------------------------ # - name: 'meep-app-enablement-app-info' # path: '/app_info/v1' # sbox: true # default: # mode: 'allow' # endpoints: # - name: 'Index' # path: '/' # method: 'GET' # mode: 'block' # #------------------------------ # # Metrics Engine (Sbox) # #------------------------------ # - name: 'meep-metrics-engine' Loading Loading @@ -531,6 +521,41 @@ default: # roles: # admin: 'allow' # user: 'allow' # - name: 'GetActiveScenarioDomain' # path: '/active/domains' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'allow' # - name: 'GetActiveScenarioNetworkLocation' # path: '/active/networkLocations' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'allow' # - name: 'GetActiveScenarioPhysicalLocation' # path: '/active/physicalLocations' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'allow' # - name: 'GetActiveScenarioProcess' # path: '/active/processes' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'allow' # - name: 'GetActiveScenarioZone' # path: '/active/zones' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'allow' # - name: 'TerminateScenario' # path: '/active' # method: 'DELETE' Loading 
@@ -538,6 +563,62 @@ default: # roles: # admin: 'allow' # user: 'allow' # - name: 'ApplicationsAppInstanceIdDELETE' # path: '/applications/{appInstanceId}' # method: 'DELETE' # mode: 'verify' # roles: # admin: 'allow' # user: 'allow' # - name: 'ApplicationsAppInstanceIdGET' # path: '/applications/{appInstanceId}' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'allow' # - name: 'ApplicationsAppInstanceIdPUT' # path: '/applications/{appInstanceId}' # method: 'PUT' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'ApplicationsGET' # path: '/applications' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'allow' # - name: 'ApplicationsPOST' # path: '/applications' # method: 'POST' # mode: 'verify' # roles: # admin: 'allow' # user: 'allow' # - name: 'CreatePduSession' # path: '/connectivity/pdu-session/{ueName}/{pduSessionId}' # method: 'POST' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'GetPduSessionList' # path: '/connectivity/pdu-session' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'TerminatePduSession' # path: '/connectivity/pdu-session/{ueName}/{pduSessionId}' # method: 'DELETE' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'CreateReplayFile' # path: '/replay/{name}' # method: 'POST' Loading
config/permissions-secure.yaml +17 −396 Original line number Diff line number Diff line Loading @@ -127,6 +127,7 @@ fileservers: # # # # FORMAT: # # - name: 'svc-name' # service name # # api: 'api-name' # API-specific identifier (when service has multiple APIs) # # path: '/svc/base/path' # service base path # # sbox: true|false # sandbox deployment # # default: # default service permissions Loading 
@@ -145,130 +146,51 @@ fileservers: # #------------------------------------------------------------------------------ services: #------------------------------ # GIS Engine (Sbox) #------------------------------ - name: 'meep-gis-engine' path: '/gis/v1' sbox: true default: mode: 'verify' roles: admin: 'allow' user: 'allow' # endpoints: # - name: 'GetAutomationState' # path: '/automation' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'allow' # - name: 'GetAutomationStateByName' # path: '/automation/{type}' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'allow' # - name: 'SetAutomationStateByName' # path: '/automation/{type}' # method: 'POST' # mode: 'verify' # roles: # admin: 'allow' # user: 'allow' # - name: 'DeleteGeoDataByName' # path: '/geodata/{assetName}' # method: 'DELETE' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'GetAssetData' # path: '/geodata' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'allow' # - name: 'GetGeoDataByName' # path: '/geodata/{assetName}' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'allow' # - name: 'UpdateGeoDataByName' # path: '/geodata/{assetName}' # method: 'POST' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' #------------------------------ # Location Service (Sbox) # MEC Application Support (Sbox) #------------------------------ - name: 'meep-loc-serv' path: '/location/v2' - name: 'meep-app-enablement' api: 'mec_app_support' path: '/mec_app_support/v1' sbox: true default: mode: 'verify' roles: admin: 'allow' user: 'allow' # endpoints: # - name: 'Index' # path: '/' # method: 'GET' # mode: 'block' #------------------------------ # MEC Application Support (Sbox) # MEC Service Management (Sbox) #------------------------------ - name: 'meep-app-enablement-app-supp' path: '/mec_app_support/v1' - name: 'meep-app-enablement' api: 'mec_service_mgmt' path: '/mec_service_mgmt/v1' sbox: true default: mode: 'verify' roles: 
admin: 'allow' user: 'allow' # endpoints: # - name: 'Index' # path: '/' # method: 'GET' # mode: 'block' #------------------------------ # MEC Service Management (Sbox) # GIS Engine (Sbox) #------------------------------ - name: 'meep-app-enablement-srv-mgmt' path: '/mec_service_mgmt/v1' - name: 'meep-gis-engine' path: '/gis/v1' sbox: true default: mode: 'verify' roles: admin: 'allow' user: 'allow' # endpoints: # - name: 'Index' # path: '/' # method: 'GET' # mode: 'block' #------------------------------ # App Information (Sbox) # Location Service (Sbox) #------------------------------ - name: 'meep-app-enablement-app-info' path: '/app_info/v1' - name: 'meep-loc-serv' path: '/location/v2' sbox: true default: mode: 'verify' roles: admin: 'allow' user: 'allow' # endpoints: # - name: 'Index' # path: '/' # method: 'GET' # mode: 'block' #------------------------------ # Metrics Engine (Sbox) #------------------------------ Loading 
@@ -280,84 +202,6 @@ services: roles: admin: 'allow' user: 'allow' # endpoints: # - name: 'PostEventQuery' # path: '/metrics/query/event' # method: 'POST' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'PostHttpQuery' # path: '/metrics/query/http' # method: 'POST' # mode: 'verify' # roles: # admin: 'allow' # user: 'allow' # - name: 'PostNetworkQuery' # path: '/metrics/query/network' # method: 'POST' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'CreateEventSubscription' # path: '/metrics/subscriptions/event' # method: 'POST' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'CreateNetworkSubscription' # path: '/metrics/subscriptions/network' # method: 'POST' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'DeleteEventSubscriptionById' # path: '/metrics/subscriptions/event/{subscriptionId}' # method: 'DELETE' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'DeleteNetworkSubscriptionById' # path: '/metrics/subscriptions/network/{subscriptionId}' # method: 'DELETE' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'GetEventSubscription' # path: '/metrics/subscriptions/event' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'GetEventSubscriptionById' # path: '/metrics/subscriptions/event/{subscriptionId}' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'GetNetworkSubscription' # path: '/metrics/subscriptions/network' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'GetNetworkSubscriptionById' # path: '/metrics/subscriptions/network/{subscriptionId}' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' #------------------------------ # Mobility Group Manager (Sbox) #------------------------------ Loading 
@@ -369,11 +213,6 @@ services: roles: admin: 'allow' user: 'allow' # endpoints: # - name: 'Index' # path: '/' # method: 'GET' # mode: 'block' #------------------------------ # Monitoring Engine #------------------------------ Loading @@ -385,18 +224,6 @@ services: roles: admin: 'allow' user: 'allow' # endpoints: # - name: 'Index' # path: '/' # method: 'GET' # mode: 'block' # - name: 'GetStates' # path: '/states' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'allow' #------------------------------ # Platform Controller #------------------------------ Loading 
@@ -408,95 +235,6 @@ services: roles: admin: 'allow' user: 'allow' # endpoints: # - name: 'Index' # path: '/' # method: 'GET' # mode: 'block' # - name: 'CreateSandbox' # path: '/sandboxes' # method: 'POST' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'CreateSandboxWithName' # path: '/sandboxes/{name}' # method: 'POST' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'DeleteSandbox' # path: '/sandboxes/{name}' # method: 'DELETE' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'DeleteSandboxList' # path: '/sandboxes' # method: 'DELETE' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'GetSandbox' # path: '/sandboxes/{name}' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'allow' # - name: 'GetSandboxList' # path: '/sandboxes' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'CreateScenario' # path: '/scenarios/{name}' # method: 'POST' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'DeleteScenario' # path: '/scenarios/{name}' # method: 'DELETE' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'DeleteScenarioList' # path: '/scenarios' # method: 'DELETE' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'GetScenario' # path: '/scenarios/{name}' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'allow' # - name: 'GetScenarioList' # path: '/scenarios' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'allow' # - name: 'SetScenario' # path: '/scenarios/{name}' # method: 'PUT' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' #------------------------------ # RNI Service (Sbox) #------------------------------ Loading 
@@ -508,11 +246,6 @@ services: roles: admin: 'allow' user: 'allow' # endpoints: # - name: 'Index' # path: '/' # method: 'GET' # mode: 'block' #------------------------------ # Sandbox Controller (Sbox) #------------------------------ Loading 
@@ -524,113 +257,6 @@ services: roles: admin: 'allow' user: 'allow' # endpoints: # - name: 'Index' # path: '/' # method: 'GET' # mode: 'block' # - name: 'ActivateScenario' # path: '/active/{name}' # method: 'POST' # mode: 'verify' # roles: # admin: 'allow' # user: 'allow' # - name: 'GetActiveNodeServiceMaps' # path: '/active/serviceMaps' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'GetActiveScenario' # path: '/active' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'allow' # - name: 'TerminateScenario' # path: '/active' # method: 'DELETE' # mode: 'verify' # roles: # admin: 'allow' # user: 'allow' # - name: 'CreateReplayFile' # path: '/replay/{name}' # method: 'POST' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'CreateReplayFileFromScenarioExec' # path: '/replay/{name}/generate' # method: 'POST' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'DeleteReplayFile' # path: '/replay/{name}' # method: 'DELETE' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'DeleteReplayFileList' # path: '/replay' # method: 'DELETE' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'GetReplayFile' # path: '/replay/{name}' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'GetReplayFileList' # path: '/replay' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'GetReplayStatus' # path: '/replaystatus' # method: 'GET' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'LoopReplay' # path: '/replay/{name}/loop' # method: 'POST' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'PlayReplayFile' # path: '/replay/{name}/play' # method: 'POST' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 'StopReplayFile' # path: '/replay/{name}/stop' # method: 'POST' # mode: 'verify' # roles: # admin: 'allow' # user: 'block' # - name: 
'SendEvent' # path: '/events/{type}' # method: 'POST' # mode: 'allow' #------------------------------ # WAI Service (Sbox) #------------------------------ Loading @@ -642,8 +268,3 @@ services: roles: admin: 'allow' user: 'allow' # endpoints: # - name: 'Index' # path: '/' # method: 'GET' # mode: 'block'
go-apps/meep-auth-svc/server/auth-svc.go +84 −26 Original line number Diff line number Diff line Loading @@ -67,6 +67,7 @@ const postgisUser = "postgres" const postgisPwd = "pwd" const pfmCtrlBasepath = "http://meep-platform-ctrl/platform-ctrl/v1" const providerModeSecure = "secure" const mepPrefix = "mep--" // Permission Configuration types type Permission struct { Loading @@ -90,6 +91,7 @@ type Endpoint struct { } type Service struct { Name string `yaml:"name"` Api string `yaml:"api"` Path string `yaml:"path"` Sbox bool `yaml:"sbox"` Default Permission `yaml:"default"` Loading Loading 
@@ -365,32 +367,58 @@ func cacheServicePermissions(cfg *PermissionsConfig) { authSvc.cache.Services = make(map[string]map[string]*Permission) for _, svc := range cfg.Services { // Create new service + add it to service cache svcMap := make(map[string]*Permission) // Get/Create service + add it to service cache svcMap, found := authSvc.cache.Services[svc.Name] if !found { svcMap = make(map[string]*Permission) authSvc.cache.Services[svc.Name] = svcMap } // Get API-specific prefix if present apiPrefix := "" if svc.Api != "" { apiPrefix = svc.Api + "--" } // Service Endpoints for _, ep := range svc.Endpoints { // Cache service endpoint permissions // Create service endpoint permissions permission := new(Permission) permission.Mode = ep.Mode permission.Roles = make(map[string]string) for role, access := range ep.Roles { permission.Roles[role] = access } svcMap[ep.Name] = permission // Add auth service route // Add auth service routes + cache service endpoint permissions if svc.Sbox { // Mep-specific sandbox service endpoint route := new(AuthRoute) route.Name = ep.Name route.Prefix = false route.Method = ep.Method if svc.Sbox { route.Name = mepPrefix + apiPrefix + ep.Name route.Pattern = "/{sbox}/{mep}" + svc.Path + ep.Path routes = append(routes, route) svcMap[route.Name] = permission // Sandbox service endpoint route = new(AuthRoute) route.Prefix = false route.Method = ep.Method route.Name = apiPrefix + ep.Name route.Pattern = "/{sbox}" + svc.Path + ep.Path routes = append(routes, route) svcMap[route.Name] = permission } else { // Global service endpoint route := new(AuthRoute) route.Prefix = false route.Method = ep.Method route.Name = apiPrefix + ep.Name route.Pattern = svc.Path + ep.Path } routes = append(routes, route) svcMap[route.Name] = permission } } // Default service permissions Loading 
@@ -407,18 +435,33 @@ func cacheServicePermissions(cfg *PermissionsConfig) { // Use cache default permission if service-specific default is not found permission = authSvc.cache.Default } svcMap[svc.Name] = permission // Add auth service default route // Add auth service routes + cache service permissions if svc.Sbox { // Mep-specific sandbox service route := new(AuthRoute) route.Name = svc.Name route.Prefix = true if svc.Sbox { route.Name = mepPrefix + apiPrefix + svc.Name route.Pattern = "/{sbox}/{mep}" + svc.Path routes = append(routes, route) svcMap[route.Name] = permission // Sandbox service route = new(AuthRoute) route.Prefix = true route.Name = apiPrefix + svc.Name route.Pattern = "/{sbox}" + svc.Path routes = append(routes, route) svcMap[route.Name] = permission } else { // Global service route := new(AuthRoute) route.Prefix = true route.Name = apiPrefix + svc.Name route.Pattern = svc.Path } routes = append(routes, route) svcMap[route.Name] = permission } } // Add routes to router Loading 
@@ -432,25 +475,40 @@ func cacheFileserverPermissions(cfg *PermissionsConfig) { authSvc.cache.Fileservers = make(map[string]*Permission) for _, fs := range cfg.Fileservers { // Cache fileserver permissions // Create fileserver permissions permission := new(Permission) permission.Mode = fs.Mode permission.Roles = make(map[string]string) for role, access := range fs.Roles { permission.Roles[role] = access } authSvc.cache.Fileservers[fs.Name] = permission // Add auth service route // Add auth service routes + cache filserver permissions if fs.Sbox { // Mep-specific sandbox fileservers route := new(AuthRoute) route.Name = fs.Name route.Prefix = true if fs.Sbox { route.Name = mepPrefix + fs.Name route.Pattern = "/{sbox}/{mep}" + fs.Path routes = append(routes, route) authSvc.cache.Fileservers[route.Name] = permission // Sandbox fileserver route = new(AuthRoute) route.Prefix = true route.Name = fs.Name route.Pattern = "/{sbox}" + fs.Path routes = append(routes, route) authSvc.cache.Fileservers[route.Name] = permission } else { // Global fileserver route := new(AuthRoute) route.Prefix = true route.Name = fs.Name route.Pattern = fs.Path } routes = append(routes, route) authSvc.cache.Fileservers[route.Name] = permission } } // Add routes to router Loading Loading @@ -559,7 +617,6 @@ func asAuthenticate(w http.ResponseWriter, r *http.Request) { // Get service & sandbox name from request query parameters query := r.URL.Query() svcName := query.Get("svc") // sboxName := query.Get("sbox") var sboxName string // Get original request URL & method Loading @@ -585,7 +642,8 @@ func asAuthenticate(w http.ResponseWriter, r *http.Request) { if authSvc.router.Match(r, &match) { routeName := match.Route.GetName() sboxName = match.Vars["sbox"] log.Debug("routeName: ", routeName, " sboxName: ", sboxName) mepName := match.Vars["mep"] log.Debug("routeName: ", routeName, " sboxName: ", sboxName, " mepName: ", mepName) // Check service-specific routes if svcName != "" { Loading
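Review bot: In the cacheServicePermissions hunks (`@@ -365,32 +367,58 @@` and `@@ -407,18 +435,33 @@`) the new lookup `svcMap, found := authSvc.cache.Services[svc.Name]` now merges several config entries that share a service name into one map, but nothing detects a repeated `route.Name` — two entries with the same `name` and an empty or identical `api` produce identical route names, the router keeps matching the first registered route while `svcMap[route.Name] = permission` silently keeps the last one, so the permission enforced for a matched route can come from a different config entry (the cache lookup in asAuthenticate is outside these hunks, so this is inferred from the key used here). A guard before each cache write makes the misconfiguration visible instead of silently loosening or tightening access: `if _, dup := svcMap[route.Name]; dup { /* log the duplicate at warning level with the package logger used for log.Debug, and skip it */ }`, with the same check on `authSvc.cache.Fileservers[route.Name]` in cacheFileserverPermissions. The "create route, append, cache permission" sequence is now written out six times across the three functions; a small helper taking name, pattern, prefix flag, method and permission would make the duplicate check live in one place. The comment `// Add auth service routes + cache filserver permissions` should read `fileserver`.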