Policy for public access to some attributes [message #1850934]
Tue, 22 March 2022 14:56
Eclipse User
We use Eclipse Ditto for telemetry data for different types of vehicles. The vehicles have attributes like VIN, Serial Number, Manufacturer, etc. and features which are updated by the telemetry servers.
Now we have a use case where we want part of the attributes saved in Ditto to be public so anyone with an ID can see these. For example we have an internal ID "dummy-id-123". We have an API like this: "api.dummy-site.com/show-public-data?id=dummy-id-123".
In this case the subject is not authenticated nor authorized, basically anonymous. Normally all our things are saved in Ditto with a policy which defines a subject and a group, so the subject or the group has access to the Thing. We searched the documentation for policies but found no entry exemplifying our use case and a solution.
Any help is welcome.
Re: Policy for public access to some attributes [message #1850944 is a reply to message #1850934]
Wed, 23 March 2022 03:06
Eclipse User
Hi there.
That is a valid use-case, which however is currently not possible to do with Ditto.
There is not (yet) an "anonymous" subject in a Policy, and Ditto's gateway strictly enforces user authentication.
Having said that, you should however be able to solve this by using "pre-authentication": https://www.eclipse.org/ditto/installation-operating.html#pre-authentication
You could configure your nginx (or other reverse proxy sitting in front of Ditto's HTTP API) to always inject the "x-ditto-pre-authenticated" header, e.g. as:
proxy_set_header x-ditto-pre-authenticated "anonymous:access";
Then you can use this "anonymous" user as if it were a normal subject in your policy, e.g.:
{
  "policyId": "my.namespace:policy-a",
  "entries": {
    "anon": {
      "subjects": {
        "anonymous:access": {
          "type": "unauthenticated, anonymous users"
        }
      },
      "resources": {
        "thing:/attributes/public": {
          "grant": ["READ"],
          "revoke": []
        }
      }
    },
    ...
What you mentioned with the "id" as part of your API could also be a "subject" which is injected via the "x-ditto-pre-authenticated" header, e.g.:
proxy_set_header x-ditto-pre-authenticated "via-id:${http_id}";
Does this help you for your use case?
Best regards
Thomas
[Updated on: Wed, 23 March 2022 03:22] by Moderator
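Before exposing a policy like the one above through an injected "anonymous:access" subject, it is worth checking exactly which paths that subject can read. The following is an added example, not part of this thread and not Ditto's own code: it models Ditto's policy evaluation in simplified form (a grant or revoke on a resource path applies to all sub-paths, the most specific matching path wins, and at equal depth a revoke beats a grant). The owner subject "nginx:vehicle-owner" and the "internalNotes" revoke are constructed for the example.

```python
"""Simplified model of Ditto policy enforcement (added example, not Ditto code)."""

# Constructed policy: the vehicle owner may READ/WRITE the whole Thing, the
# pre-authenticated anonymous subject may only READ attributes/public, minus
# one sub-path that is explicitly revoked again.
POLICY = {
    "policyId": "my.namespace:policy-a",
    "entries": {
        "owner": {
            "subjects": {"nginx:vehicle-owner": {"type": "fleet operator (constructed)"}},
            "resources": {"thing:/": {"grant": ["READ", "WRITE"], "revoke": []}},
        },
        "anon": {
            "subjects": {"anonymous:access": {"type": "unauthenticated, anonymous users"}},
            "resources": {
                "thing:/attributes/public": {"grant": ["READ"], "revoke": []},
                "thing:/attributes/public/internalNotes": {"grant": [], "revoke": ["READ"]},
            },
        },
    },
}


def _covers(rule_path: str, resource: str) -> bool:
    """True if rule_path is the resource itself or one of its ancestors."""
    return resource == rule_path or resource.startswith(rule_path.rstrip("/") + "/")


def is_allowed(policy: dict, subject: str, resource: str, permission: str) -> bool:
    """Decide whether `subject` holds `permission` on `resource` under `policy`.

    Only rules that mention `permission` count; among those, the deepest
    matching path decides, and any revoke at that depth wins over grants.
    """
    best_depth, any_grant, any_revoke = -1, False, False
    for entry in policy["entries"].values():
        if subject not in entry["subjects"]:
            continue
        for rule_path, perms in entry["resources"].items():
            granted = permission in perms["grant"]
            revoked = permission in perms["revoke"]
            if not (granted or revoked) or not _covers(rule_path, resource):
                continue
            depth = rule_path.count("/")
            if depth > best_depth:                 # more specific path: start over
                best_depth, any_grant, any_revoke = depth, False, False
            if depth == best_depth:
                any_grant, any_revoke = any_grant or granted, any_revoke or revoked
    return any_grant and not any_revoke
```

Running the check over every attribute path you intend to publish (and a few you do not) is a cheap way to confirm that the anonymous subject cannot reach the VIN or serial number before the header injection goes live.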