|
| 1 | +--- |
| 2 | +title: Authorization Configuration |
| 3 | +description: Learn about the standard authorization (AuthZ) configuration and role-based access control in the OpenTDF platform |
| 4 | +sidebar_position: 2 |
| 5 | +--- |
| 6 | + |
| 7 | +# Standard Authorization (AuthZ) Configuration for opentdf Platform |
| 8 | + |
| 9 | +The opentdf platform uses **Casbin** to manage authorization (AuthZ) for its routes, which are defined using **ConnectRPC**. This document outlines the standard AuthZ configuration, role mappings, and administrative responsibilities for managing and customizing the platform to meet specific security requirements. |
| 10 | + |
| 11 | +## Default Authorization Roles and Policies |
| 12 | + |
| 13 | +By default, the platform provides three role mappings (`admin`, `standard`, and `unknown`) and a concept of **public endpoints**. These roles are tied to the `realmsRole` claim of the OIDC token issued by the Keycloak Identity Provider. |
| 14 | + |
| 15 | +### Role Mappings and Their Permissions |
| 16 | + |
| 17 | +1. **`admin`** |
| 18 | + - **Description**: Administrators of the platform. |
| 19 | + - **Permissions**: |
| 20 | + - Perform all actions. |
| 21 | + - Modify and mutate policy data. |
| 22 | + - Access private and public endpoints. |
| 23 | + - **Requirements**: Must have a valid OIDC token with a claim mapping to the `admin` role. |
| 24 | + |
| 25 | +2. **`standard`** |
| 26 | + - **Description**: Standard users of the platform. |
| 27 | + - **Permissions**: |
| 28 | + - Perform basic actions. |
| 29 | + - Cannot modify policy data. |
| 30 | + - Access private and public endpoints. |
| 31 | + - **Requirements**: Must have a valid OIDC token with a claim mapping to the `standard` role. |
| 32 | + |
| 33 | +3. **`unknown`** |
| 34 | + - **Description**: Users with valid OIDC tokens who are not mappable into the platform's predefined roles. |
| 35 | + - **Permissions**: |
| 36 | + - Can only perform public functions. |
| 37 | + - Cannot access private endpoints. |
| 38 | + - **Requirements**: Must have a valid OIDC token, but no mapping exists for the `realmsRole` claim. |
| 39 | + |
| 40 | +### Public Endpoints |
| 41 | + |
| 42 | +- **Description**: Certain routes are designated as public endpoints and **bypass AuthZ entirely**. |
| 43 | +- **Use Case**: These routes are accessible to all users, regardless of their role or token validity. |
| 44 | + |
| 45 | +## Responsibilities of Administrators |
| 46 | + |
| 47 | +It is critical to note that the opentdf platform provides a **basic configuration** for authorization. Administrators are fully responsible for customizing and managing authorization policies to align with their organization's security posture. This includes: |
| 48 | + |
| 49 | +1. **Configuring the Platform for Security Posture**: |
| 50 | + - Review and customize the default Casbin policy to meet organizational needs. |
| 51 | + - Ensure that sensitive routes are properly protected. |
| 52 | + |
| 53 | +2. **Managing Role Mappings**: |
| 54 | + - Update and maintain the mappings for the `realmsRole` claim in Keycloak to ensure accurate role assignment. |
| 55 | + - Ensure that users are correctly categorized into `admin`, `standard`, or custom roles as required. |
| 56 | + |
| 57 | +3. **Monitoring and Updating Policies**: |
| 58 | + - Regularly review policy files to ensure compliance with evolving security requirements. |
| 59 | + - Keep track of updates and changes in the Casbin model and policy files. |
| 60 | + |
| 61 | +## Default Casbin Policy |
| 62 | + |
| 63 | +The platform leverages Casbin to enforce role-based access control (RBAC). Below is an outline of the default policy: |
| 64 | + |
| 65 | +### Default Role Mapping |
| 66 | + |
| 67 | +- `admin` → Full permissions to all resources and actions. |
| 68 | +- `standard` → Limited permissions to basic resources and actions. |
| 69 | +- `unknown` → Only permitted to access public functions. |
| 70 | + |
| 71 | +### Casbin Access Control Model |
| 72 | + |
| 73 | +The Casbin model supports **extensibility** so that administrators can define custom access control logic to meet their specific needs. For example, administrators can override the default policy using custom mapping logic or additional claims. |
| 74 | + |
| 75 | +## Example Configuration |
| 76 | + |
| 77 | +Here is an example of how the `realmsRole` claim in Keycloak maps to Casbin roles: |
| 78 | + |
| 79 | +```yaml |
| 80 | +server: |
| 81 | + auth: |
| 82 | + policy: |
| 83 | + csv: | |
| 84 | + p, role:admin, *, *, allow |
| 85 | + p, role:standard, /basic/*, GET|POST, allow |
| 86 | + p, role:unknown, /public/*, GET, allow |
| 87 | + g, opentdf-admin, role:admin |
| 88 | + g, opentdf-standard, role:standard |
| 89 | +``` |
| 90 | +
|
| 91 | +## Key Takeaways |
| 92 | +
|
| 93 | +- The opentdf platform provides a basic AuthZ configuration as a starting point. |
| 94 | +- Administrators are responsible for ensuring the platform's configuration aligns with their security policies. |
| 95 | +- It is the organization's responsibility to manage role mappings and to ensure that the `realmsRole` claim in Keycloak is configured correctly. |
| 96 | +- By default, `admin`, `standard`, and `unknown` roles are provided, with respective permissions. Public endpoints bypass AuthZ entirely. |
| 97 | + |
| 98 | +For more advanced configurations, refer to the [Casbin documentation](https://casbin.org/docs/syntax-for-models) for guidance on customizing policies and models. |
0 commit comments