
ConsumerAuthorization

This Core system manages and authorizes connections between various systems using authorization rules within an Eclipse Arrowhead Local Cloud (LC). It also provides various token generation functionalities that add an extra layer of security.

Learn more:
Abstract System Description (SysD)

Services

authorization

The purpose of this service is to validate service consumption permissions and to lookup, grant and revoke those permissions. The service is offered for both application and Core/Support systems.

Learn more:
Abstract Service Description (SD)
generic_http (IDD) | generic_https (IDD)
generic_mqtt (IDD) | generic_mqtts (IDD)
since: v5.0.0

grant

This service operation enables a provider to grant access to various consumers to its service. It can also be used by a publisher to grant access to subscribers to its event with a specific type.

Example: generic_http | generic_https
Example: generic_mqtt | generic_mqtts

revoke

This service operation enables a provider/publisher to remove existing authorization policies that were created by itself.

Example: generic_http | generic_https
Example: generic_mqtt | generic_mqtts

lookup

This service operation lists the requester-created authorization rules that match the filtering requirements.

Example: generic_http | generic_https
Example: generic_mqtt | generic_mqtts

verify

This service operation checks whether a consumer has access to a provider's specified service/service operation/event type.

Example: generic_http | generic_https
Example: generic_mqtt | generic_mqtts

authorizationToken

The purpose of this service is to generate and validate authorization tokens. The service is offered for both application and Core/Support systems.

Learn more:
Abstract Service Description (SD)
generic_http (IDD) | generic_https (IDD)
generic_mqtt (IDD) | generic_mqtts (IDD)
since: v5.0.0

generate

Its purpose is to verify the requester’s permissions and produce a token of defined type for the targeted service consumption.

Example: generic_http | generic_https
Example: generic_mqtt | generic_mqtts

verify

Its purpose is to check whether a given token is valid and whether it is associated with the requester, and to provide the details of that token.

Example: generic_http | generic_https
Example: generic_mqtt | generic_mqtts

get-public-key

Its purpose is to provide the public key of the implementing system if any (necessary for the verification of some token types).

Example: generic_http | generic_https
Example: generic_mqtt | generic_mqtts

register-encryption-key

Its purpose is to store an encryption key that can be used to encrypt the raw tokens generated for any service of the requester system.

Example: generic_http | generic_https
Example: generic_mqtt | generic_mqtts

unregister-encryption-key

Its purpose is to remove the encryption key belonging to the requester system.

Example: generic_http | generic_https
Example: generic_mqtt | generic_mqtts

generalManagement

Its purpose is to get some information about the hosting system's behavior, such as log entries and configuration settings. The service is offered for administrative Support systems.

Learn more:
Abstract Service Description (SD)
generic_http (IDD) | generic_https (IDD)
generic_mqtt (IDD) | generic_mqtts (IDD)
since: v5.0.0

get-log

This service operation lists the log entries of the system that match the filtering requirements.

Example: generic_http | generic_https
Example: generic_mqtt | generic_mqtts

get-config

This service operation lists the current values of the specified configuration settings.

Example: generic_http | generic_https
Example: generic_mqtt | generic_mqtts

authorizationManagement

The purpose of this service is to manage (grant, revoke, query, check) authorization rules and validate service consumption permissions in bulk. The service is offered for Core and administrative Support systems.

Learn more:
Abstract Service Description (SD)
generic_http (IDD) | generic_https (IDD)
generic_mqtt (IDD) | generic_mqtts (IDD)
since: v5.0.0

grant-policies

This service operation enables a system with proper rights to grant access to various consumers for various providers' services in bulk. It can also be used to grant access to subscribers for various publishers' events with a specific type in bulk.

Example: generic_http | generic_https
Example: generic_mqtt | generic_mqtts

revoke-policies

This service operation enables a system with proper rights to remove existing authorization policies in bulk without considering policy ownerships.

Example: generic_http | generic_https
Example: generic_mqtt | generic_mqtts

query-policies

This service operation lists the authorization rules that match the filtering requirements. This operation can be used to query both provider-owned and management level authorization policies.

Example: generic_http | generic_https
Example: generic_mqtt | generic_mqtts

check-policies

This service operation checks whether consumers have access to providers' specified service/service operation/event type.

Example: generic_http | generic_https
Example: generic_mqtt | generic_mqtts

authorizationTokenManagement

The purpose of this service is to manage (generate, revoke, query) authorization tokens in bulk. The service is offered for Core and administrative Support Systems.

Learn more:
Abstract Service Description (SD)
generic_http (IDD) | generic_https (IDD)
generic_mqtt (IDD) | generic_mqtts (IDD)
since: v5.0.0

generate-tokens

This service operation verifies the given consumer systems’ permissions to the targeted service/service-operation/event type instance and produces expiring access tokens for them.

Example: generic_http | generic_https
Example: generic_mqtt | generic_mqtts

query-tokens

This service operation lists the access tokens that match the filtering requirements.

Example: generic_http | generic_https
Example: generic_mqtt | generic_mqtts

revoke-tokens

This service operation deletes the access token records associated with the given token references.

Example: generic_http | generic_https
Example: generic_mqtt | generic_mqtts

add-encryption-keys

This service operation saves and stores encryption key and algorithm identifier pairs for the given provider systems.

Example: generic_http | generic_https
Example: generic_mqtt | generic_mqtts

remove-encryption-keys

This service operation deletes the stored encryption key and algorithm identifier pairs associated with the given provider systems.

Example: generic_http | generic_https
Example: generic_mqtt | generic_mqtts


Configuration

The system configuration properties can be found in the application.properties file located in the /src/main/resources folder.

Note: During the build process this file is built into the executable JAR and is also copied next to the JAR file. Any modification in the configuration file located next to the executable JAR file will override the built-in configuration property value.

General parameters

See the general configuration properties.

Database parameters

spring.datasource.url

Full connection URL to the database.

spring.datasource.username

Username to the database.

spring.datasource.password

Password to the database.

spring.datasource.driver-class-name

The driver provides the connection to the database and implements the protocol for transferring the query and result between client and database.

spring.jpa.show-sql

Set to true to log the SQL queries.

spring.jpa.properties.hibernate.format_sql

Set to true to log SQL queries in pretty format. (Effective only when 'spring.jpa.show-sql' is 'true')

spring.jpa.hibernate.ddl-auto

Auto initialization of database tables. The value must always be 'none'.

Custom parameters

authenticator.credentials

The credentials that this system will use for performing the login operation when the authentication policy is outsourced.

authenticator.credentials={\
    '<credential-name>': '<credential-value>' \
}

authenticator.secret.keys

Secret key for the authenticator servers when authentication policy is outsourced. The authenticator servers are able to use authorization check services by providing an HMAC of their system name computed with the associated secret key.

authenticator.secret.keys={\
    '<system-name>': '<secret-key>' \
}

enable.management.filter

Set to true to enable automatic authorization for management services.

management.policy

Defines the access policy for management services. Can be sysop-only (only systems with system operator permission can use them), whitelist (system operators and those dedicated systems that appear on the management.whitelist can use them) or authorization (system operators, whitelist members and those systems that have permission according to database-stored policies can use them).

management.whitelist

A list of system names (separated by comma) that can use management services if the management.policy is set to whitelist or authorization.

enable.blacklist.filter

Enable/disable automatic verification of the service requester's system name against the cloud-level blacklist. Can be true or false.

force.blacklist.filter

Whether or not the service requests should be refused when the blacklist server is not responding. Can be true or false.

blacklist.check.exclude.list

Comma-separated list of systems whose requests are served without checking the cloud-level blacklist, even if the blacklist is enabled.

max.page.size

Specifies the maximum number of records a page can contain in case of pageable service responses.

token.max.age

Determines how long (in minutes) tokens are kept before they are deleted from the database.

token.time.limit

Specifies the default duration of time-limited tokens (simple time-limited and self-contained tokens) in seconds.

simple.token.usage.limit

Default maximum usage count for usage-limited simple tokens.

unbounded.token.generation.whitelist

Comma-separated list of the names of systems that can generate tokens for other systems, bypassing their authorization checks.

simple.token.byte.size

Simple token (time-limited, usage-limited) size in bytes. Cannot be less than 16!

secret.cryptographer.key

Sensitive data (consumer tokens, provider encryption keys) will be encrypted with this key before being written to the database. Must be exactly 16 bytes long!

cleaner.job.interval

Specifies how often (in milliseconds) to remove the expired and/or old tokens.
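One way to check a deployment's application.properties against the constraints stated in the parameter descriptions above (an added example, not part of the Arrowhead project's code). Assumptions: the names `parse_properties` and `lint` and the `SAMPLE` values are constructed for illustration, an unset property is treated as a failed check, and the 16-byte key length is measured on the UTF-8 encoding of the value.

```python
# Added example (not Arrowhead code): lint application.properties against the
# constraints this page states. SAMPLE is a constructed, deliberately weak config.
ALLOWED_POLICIES = {"sysop-only", "whitelist", "authorization"}
SAMPLE = """\
spring.jpa.hibernate.ddl-auto=update
management.policy=whitelist
enable.blacklist.filter=true
force.blacklist.filter=false
unbounded.token.generation.whitelist=legacy-gateway
simple.token.byte.size=8
secret.cryptographer.key=short-key
"""

def parse_properties(text):
    """Minimal parser: key=value lines, #/! comments, trailing-backslash continuation."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def lint(props):
    """Return (errors, warnings). Assumption: an unset property counts as a failed check."""
    errors, warnings = [], []
    if props.get("spring.jpa.hibernate.ddl-auto") != "none":
        errors.append("spring.jpa.hibernate.ddl-auto")
    size = props.get("simple.token.byte.size", "")
    if not size.isdigit() or int(size) < 16:
        errors.append("simple.token.byte.size")
    # Assumption: the key's byte length is measured on its UTF-8 encoding.
    if len(props.get("secret.cryptographer.key", "").encode("utf-8")) != 16:
        errors.append("secret.cryptographer.key")
    if props.get("management.policy") not in ALLOWED_POLICIES:
        errors.append("management.policy")
    if props.get("enable.blacklist.filter") == "true" and props.get("force.blacklist.filter") != "true":
        warnings.append("blacklist check fails open when the blacklist server is not responding")
    if props.get("unbounded.token.generation.whitelist"):
        warnings.append("unbounded.token.generation.whitelist lets listed systems bypass authorization checks")
    return errors, warnings

if __name__ == "__main__":
    print(lint(parse_properties(SAMPLE)))
```

Errors are values the page says are not allowed; warnings are permitted settings that weaken the checks described above and deserve a review.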

Logging configuration

The logging configuration properties can be found in the log4j2.xml file located in the src/main/resources folder.

Note: During the build process this file is built into the executable JAR, but it is also possible to override it with an external file. To do so, use the following command when starting the system:

java -Dlog4j.configurationFile=path-to-external-file -jar arrowhead-consumer-authentication-5.x.x.jar

JDBC_LEVEL

Set this to change the level of log messages in the database. Levels: ALL, TRACE, DEBUG, INFO, WARN, ERROR, FATAL, OFF.

CONSOLE_FILE_LEVEL

Set this to change the level of log messages in console and the log file. Levels: ALL, TRACE, DEBUG, INFO, WARN, ERROR, FATAL, OFF.

LOG_DIR

Set this to change the directory of log files.

Changelog

v5.0.0

Related in CL-5.0.0