Re: Policy for public access to some attributes [message #1850944 is a reply to message #1850934]
Wed, 23 March 2022 07:06
Thomas Jaeckle (Junior Member), Messages: 7, Registered: August 2018
Hi there.
That is a valid use-case, which however is currently not possible to do with Ditto.
There is not (yet) an "anonymous" subject in a Policy and Ditto's gateway strictly enforces user authentication.
Having said that, you should however be able to solve this by using the "pre-authentication" - https://www.eclipse.org/ditto/installation-operating.html#pre-authentication
You could configure your nginx (or other reverse proxy sitting in front of Ditto's HTTP API) to always inject the "x-ditto-pre-authenticated" header, e.g. as:
    proxy_set_header x-ditto-pre-authenticated "anonymous:access";
Then you can use this "anonymous" user as if it were a normal subject in your policy, e.g.:
    {
      "policyId": "my.namespace:policy-a",
      "entries": {
        "anon": {
          "subjects": {
            "anonymous:access": {
              "type": "unauthenticated, anonymous users"
            }
          },
          "resources": {
            "thing:/attributes/public": {
              "grant": ["READ"],
              "revoke": []
            }
          }
        },
        ...
What you mentioned with the "id" as part of your API could also be a "subject" which is injected via the "x-ditto-pre-authenticated" header, e.g.:
    proxy_set_header x-ditto-pre-authenticated "via-id:${http_id}";
Does this help you for your use case?
Best regards
Thomas
[Updated on: Wed, 23 March 2022 07:22]
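The reverse-proxy setup described in the post above, as an added example that is not part of the original post or of Ditto's own documentation. It combines both header variants and validates the client-supplied `id` header before it becomes a policy subject; the upstream address `ditto-gateway:8080`, the location path, the variable name `$ditto_subject` and the id pattern are assumptions.

```nginx
# Added example. Goes in the http {} context of nginx.conf.
# Decide the pre-authenticated subject from the client's "id" request header.
map $http_id $ditto_subject {
    # No id header sent: treat the caller as the anonymous subject.
    ""                        "anonymous:access";
    # Well-formed id (assumed pattern): becomes the subject "via-id:<id>".
    "~^[A-Za-z0-9_-]{1,64}$"  "via-id:$http_id";
    # Anything else (colons, spaces, overlong values): no subject, rejected below.
    default                   "";
}

server {
    listen 80;

    location /api/2/things {
        # Subjects assigned by the proxy are read-only callers, so only
        # GET (and HEAD, which nginx allows together with GET) is forwarded.
        limit_except GET {
            deny all;
        }

        # Refuse malformed ids instead of forwarding them as a subject.
        if ($ditto_subject = "") {
            return 400;
        }

        # proxy_set_header replaces whatever the client sent under this name,
        # so a caller cannot choose its own subject by sending the header itself.
        proxy_set_header x-ditto-pre-authenticated $ditto_subject;

        # Assumed upstream address of the Ditto gateway.
        proxy_pass http://ditto-gateway:8080;
    }
}
```

The gateway trusts this header from whoever reaches it, so the gateway port should only be reachable through the proxy. A policy entry then grants READ to `anonymous:access` or to a specific `via-id:<id>` subject exactly as in the policy shown in the post.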