1. Adding Identity Management, Access Control and API Management in your system
A complete framework for Identity, Access Control and API Management
Álvaro Alonso
FIWARE Security Chapter
(Translated into Japanese by Kazuhito Suda k@fisuda.jp)
15. Web Applications and GEs
[Diagram: the Web App, through its OAuth library, runs the OAuth2 flows against Account (the Identity Manager) and obtains an access-token. The Web App then sends Request + access-token to the Generic Enabler; the GE validates the access-token with Account and gets back OK + user info (roles).]
The Web App presents the token to the GE in the X-Auth-Token header:
GET https://GE_URL HTTP/1.1
Host: GE_hostname
X-Auth-Token: access_token
19. Level 1: Authentication
[Diagram: the Web App (OAuth library) obtains an access-token from Account via the OAuth2 flows. The Web App sends Request + access-token to a PEP Proxy placed in front of the Back-end Apps. The PEP Proxy validates the access-token with Account, which answers OK + user info (roles); only then is the request forwarded to the Back-end Apps. At this level any valid token is enough: the PEP proves who the caller is but does not decide what the caller may do.]
20. Level 2: Basic Authorization
[Diagram: as in Level 1, the Web App (OAuth library) obtains an access-token from Account via the OAuth2 flows and sends Request + access-token to the PEP Proxy, which validates the token with Account and receives OK + user info. In addition, the PEP Proxy builds an XACML <Request> carrying roles + verb + path and sends it to the Authorization PDP GE; the PDP evaluates it against basic RBAC policies written in XACML (simple role permissions) and answers OK (Permit) or not, and the PEP forwards to the Back-end Apps only on a Permit.]
24. APInf and PEP Proxy
[Diagram: without a PEP Proxy, the Web App calls each of several Back-ends directly with Request + APIKey, so every Back-end has to check API keys itself.]
25. APInf and PEP Proxy
[Diagram: the Web App (OAuth library) obtains an access-token from Account via the OAuth2 flows and sends Request + access-token to a single PEP Proxy. The PEP Proxy validates the access-token with Account, receives OK + user info (roles), and then proxies the request to the appropriate Back-end App; several Back-end Apps sit behind the one PEP Proxy, so none of them needs its own token or API-key check.]
29. Industrial Data Space
Supported with FIWARE Security
[Diagram: the Industrial Data Space Infrastructure hosts the IdP, the PAP with its Policies DB, and the PDP. An Industrial Data Space Context Consumer Connector talks to an Industrial Data Space Context Producer Connector, and the Producer Connector is protected by a PEP that enforces the PDP's decisions.]
30. Security GEs
▪ Identity Management – Keyrock
▪ Authorization PDP – AuthZForce
▪ PEP Proxy – Wilma
▪ Deploy them in your infrastructure!!!
• Security GEs: Installation and Configuration Guide
* PDP : Policy Decision Point
* PEP : Policy Enforcement Point