weixin_39642981 2020-11-29 17:47

Implement RBAC functionality and decorators

Design and code implementation to achieve RBAC capabilities in current framework.

Principal roadmap #3287.

Tasks:

- [x] Implement RBAC framework module
- [x] Implement RBAC module unit tests

This question originates from the open-source project: wazuh/wazuh


10 answers

  • weixin_39642981 2020-11-29 17:47

    Status update

    Summary

    Today I have been working on the implementation of RBAC capabilities for the new API.

    Tasks

    • [1.5h] Development of RBAC capabilities for the new API. This includes the decorator matches_privileges, to be used in API controllers as in the example below:
    • [1h] Implementation of rbac.py function get_user_permissions to obtain and format user permissions from the jwt token
    • [1h] Implementation of rbac.py function get_required_permissions to obtain and format required permissions to execute the request
    • [1h] Implementation of rbac.py function match_pairs to match user and required permissions to allow or deny execution of the request
    • [1h] Testing of new capabilities
    • [0.5h] Refactored the format of permissions provided in the jwt
    • [0.5h] Refactored match_pairs function to reduce nested loops
    • [1.5h] Refactored and tested match_pairs function to include black_list and white_list modes

    Difficulties

    Tests performed

    • RBAC application example (the decorator name was lost in extraction and is restored from the task list above; the controller body is elided with `...`):

    ```python
    @matches_privileges(actions=['decoder:get'], resources='decoder:name:some')
    def get_decoders(pretty: bool = False, wait_for_complete: bool = False, offset: int = 0, limit: int = None,
                     sort: str = None, search: str = None, file: str = None, path: str = None,
                     status: str = None):
        ...
    ```
    • Denied permission test:

    ```console
    root:/# curl -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJ3YXp1aCIsImlhdCI6MTU1ODYwNTA5NCwiZXhwIjoxNTU4NjA1Njk0LCJzdWIiOiJmb28iLCJyYmFjIjpbeyJhY3Rpb25zIjpbImRlY29kZXI6Z2V0Il0sInJlc291cmNlcyI6WyJkZWNvZGVyOm5hbWU6YWxsIl0sImVmZmVjdCI6ImRlbnkifV19.w7DDO94PwA4hTkusRh6WYuZgO5jqHUSKbabMLKSdsN4" "http://localhost:55000/decoders"
    {
      "code": 4000,
      "dapi_errors": {},
      "detail": "Permission denied",
      "remediation": "Please, make sure you have permissions to execute current request, for more information on setting up permissions please visit XXXX",
      "status": 500,
      "title": "Wazuh Internal Error",
      "type": "about:blank"
    }
    ```

    Pending

    • Add * as a resource id to matching capabilities
    • Unit tests of rbac.py
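Added example, not Wazuh's rbac.py: a minimal standalone version of the three pieces described in this status update (get_user_permissions reading the `rbac` claim, get_required_permissions building the (action, resource) pairs from the decorator arguments, and match_pairs in white_list and black_list modes), wired into a `matches_privileges` decorator, with the pending `*` resource id already handled. The claim layout is taken from the token in the denied-permission test above; everything else is an assumption: the controller receives the caller's token as a `token=` keyword, a matching deny always beats an allow, and the id `all` (as used in that token's policy) is treated as a wildcard like `*`, which is my reading of why a deny on `decoder:name:all` blocked `decoder:name:some`. Only the payload segment is decoded here; the signing secret is not on the page, and a real deployment must verify the signature before trusting any claim.

```python
import base64
import json
from functools import wraps
from typing import Callable, Dict, Iterable, List, Set, Tuple, Union

# Token from the "Denied permission test" above. Only the payload segment is read;
# signature verification (HS256, secret not on the page) is assumed to happen upstream,
# since unverified claims are attacker-controlled input.
SAMPLE_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJpc3MiOiJ3YXp1aCIsImlhdCI6MTU1ODYwNTA5NCwiZXhwIjoxNTU4NjA1Njk0LCJzdWIiOiJmb28iLCJyYmFjIjpb"
    "eyJhY3Rpb25zIjpbImRlY29kZXI6Z2V0Il0sInJlc291cmNlcyI6WyJkZWNvZGVyOm5hbWU6YWxsIl0sImVmZmVjdCI6ImRlbnkifV19."
    "w7DDO94PwA4hTkusRh6WYuZgO5jqHUSKbabMLKSdsN4"
)

Policy = Dict[str, object]
Pair = Tuple[str, str]
# Assumption: both '*' (pending item) and 'all' (as in the sample token) mean "any id".
WILDCARD_IDS = {"*", "all"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def get_user_permissions(token: str) -> List[Policy]:
    """Read the 'rbac' claim and normalise each policy to sets of actions/resources."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    policies: List[Policy] = []
    for policy in payload.get("rbac", []):
        effect = policy.get("effect", "deny")
        if effect not in ("allow", "deny"):
            raise ValueError(f"unknown effect {effect!r}")
        policies.append({
            "actions": set(policy.get("actions", [])),
            "resources": set(policy.get("resources", [])),
            "effect": effect,
        })
    return policies


def get_required_permissions(actions: Iterable[str],
                             resources: Union[str, Iterable[str]]) -> Set[Pair]:
    """Every (action, resource) pair the request needs; all of them must be granted."""
    if isinstance(resources, str):
        resources = [resources]
    return {(a, r) for a in actions for r in resources}


def _resource_matches(policy_resource: str, required: str) -> bool:
    """'decoder:name:all' or 'decoder:name:*' covers 'decoder:name:some'; else exact match."""
    p_type, _, p_id = policy_resource.rpartition(":")
    r_type, _, _ = required.rpartition(":")
    return policy_resource == required or (p_type == r_type and p_id in WILDCARD_IDS)


def _effects_for(pair: Pair, policies: List[Policy]) -> Set[str]:
    """Effects of every policy whose action and resource cover this pair."""
    action, resource = pair
    return {
        p["effect"] for p in policies
        if action in p["actions"]
        and any(_resource_matches(pr, resource) for pr in p["resources"])
    }


def match_pairs(policies: List[Policy], required: Set[Pair], mode: str = "white_list") -> bool:
    """white_list: each pair needs an explicit allow and no deny.
    black_list: each pair passes unless a deny covers it. A deny always wins."""
    if mode not in ("white_list", "black_list"):
        raise ValueError(f"unknown mode {mode!r}")
    for pair in required:
        effects = _effects_for(pair, policies)
        if "deny" in effects:
            return False
        if mode == "white_list" and "allow" not in effects:
            return False
    return True


def matches_privileges(actions: List[str], resources: Union[str, List[str]],
                       mode: str = "white_list") -> Callable:
    """Decorator: the wrapped controller must receive the caller's JWT as `token=`."""
    required = get_required_permissions(actions, resources)

    def decorator(func: Callable) -> Callable:
        @wraps(func)
        def wrapper(*args, token: str, **kwargs):
            if not match_pairs(get_user_permissions(token), required, mode):
                # Same outcome as the "Permission denied" response in the curl test above.
                raise PermissionError("Permission denied")
            return func(*args, **kwargs)
        return wrapper
    return decorator


@matches_privileges(actions=["decoder:get"], resources="decoder:name:some")
def get_decoders(offset: int = 0, limit: int = None) -> dict:
    """Stand-in controller; the sample token's deny policy blocks it."""
    return {"offset": offset, "limit": limit, "items": []}
```

Calling `get_decoders(token=SAMPLE_TOKEN)` raises PermissionError in either mode, because the token carries a deny on `decoder:name:all`; with no policies at all, white_list denies and black_list allows, which is the difference between the two modes the update refers to.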
