Skip to main content


Eclipse Community Forums
Forum Search:

Search      Help    Register    Login    Home
Home » Eclipse Projects » Eclipse Ditto » Policy for public access to some attributes(We need a policy without a subject or with subject being * or similar in order to offer public access to some of the data in ditto)
Policy for public access to some attributes [message #1850934] Tue, 22 March 2022 18:56 Go to next message
Bogdan Magureanu is currently offline Bogdan MagureanuFriend
Messages: 1
Registered: March 2022
Junior Member
We use Eclipse Ditto for telemetry data for different types of vehicles. The vehicles have attributes like VIN, Serial Number, Manufacturer, etc. and features which are updated by the telemetry servers.

Now we have a use case where we want part of the attributes saved in Ditto to be public so anyone with an ID can see these. For example we have an internal ID "dummy-id-123". We have an API like this: "api.dummy-site.com/show-public-data?id=dummy-id-123".

In this case the subject is not authenticated nor authorized, basically anonymous. Normally all our things are saved in Ditto with a policy which defined subject and group so the subject or the group have access to the Thing. We searched the documentation for policies but found no entry exemplifying our use case and a solution.

Any help is welcomed.
Re: Policy for public access to some attributes [message #1850944 is a reply to message #1850934] Wed, 23 March 2022 07:06 Go to previous message
Thomas Jaeckle is currently offline Thomas JaeckleFriend
Messages: 7
Registered: August 2018
Junior Member
Hi there.

That is a valid use-case, which however is currently not possible to do with Ditto.
There is (not yet) an "anonymous" subject in a Policy and Ditto's gateway strictly enforces user authentication.

Having said that you should however be able to solve this by using the "pre-authentication" - https://www.eclipse.org/ditto/installation-operating.html#pre-authentication
You could configure your nginx (or other reverse proxy sitting in front of Ditto's HTTP API) to always inject the "x-ditto-pre-authenticated" header, e.g. as:
proxy_set_header              x-ditto-pre-authenticated "anonymous:access"


Then you can use this "anonymous" user as if it were a normal subject in your policy, e.g.:
{
  "policyId": "my.namespace:policy-a",
  "entries": {
    "anon": {
      "subjects": {
        "anonymous:access": {
          "type": "unauthenticated, anonymous users"
        }
      },
      "resources": {
        "thing:/attributes/public": {
          "grant": ["READ"],
          "revoke": []
        }
      }
    },
...


What you mentioned with the "id" as part of your API could also be a "subject" which is injected via the "x-ditto-pre-authenticated" header, e.g.:
proxy_set_header              x-ditto-pre-authenticated "via-id:${http_id}"


Does this help you for your usecase?

Best regards
Thomas

[Updated on: Wed, 23 March 2022 07:22]

Report message to a moderator

Previous Topic:[Ditto java client] how to convert java dto object to JsonValue
Next Topic:No mapping endpoint
Goto Forum:
  


Current Time: Sun Dec 04 06:41:09 GMT 2022

Powered by FUDForum. Page generated in 0.02170 seconds
.:: Contact :: Home ::.

Powered by: FUDforum 3.0.2.
Copyright ©2001-2010 FUDforum Bulletin Board Software

Back to the top