feat: added rbac rules for every service (#784)

Author: marctuerke

examples/cloud/dependency_charts/aas-environment/config/rbac-rules.json

@@ -0,0 +1,155 @@
+[
+    {
+      "role": "basyx-reader",
+      "action": "READ",
+      "targetInformation": {
+        "@type": "submodel",
+        "submodelIds": "*",
+        "submodelElementIdShortPaths": "*"
+      }
+    },
+    {
+      "role": "admin",
+      "action": ["CREATE", "READ", "UPDATE", "DELETE", "EXECUTE"],
+      "targetInformation": {
+        "@type": "submodel",
+        "submodelIds": "*",
+        "submodelElementIdShortPaths": "*"
+      }
+    },
+    {
+      "role": "basyx-reader-two",
+      "action": "READ",
+      "targetInformation": {
+        "@type": "submodel",
+        "submodelIds": "specificSubmodelId",
+        "submodelElementIdShortPaths": "*"
+      }
+    },
+    {
+      "role": "basyx-sme-reader",
+      "action": "READ",
+      "targetInformation": {
+        "@type": "submodel",
+        "submodelIds": ["specificSubmodelId", "testSMId1", "testSMId2"],
+        "submodelElementIdShortPaths": ["testSMEIdShortPath1","smc2.specificSubmodelElementIdShort","testSMEIdShortPath2"]
+      }
+    },
+    {
+      "role": "basyx-sme-reader-two",
+      "action": "READ",
+      "targetInformation": {
+        "@type": "submodel",
+        "submodelIds": "specificSubmodelId",
+        "submodelElementIdShortPaths": "smc2.specificFileSubmodelElementIdShort"
+      }
+    },
+    {
+      "role": "basyx-creator",
+      "action": "CREATE",
+      "targetInformation": {
+        "@type": "submodel",
+        "submodelIds": "*",
+        "submodelElementIdShortPaths": "*"
+      }
+    },
+    {
+      "role": "basyx-updater",
+      "action": "UPDATE",
+      "targetInformation": {
+        "@type": "submodel",
+        "submodelIds": "*",
+        "submodelElementIdShortPaths": "*"
+      }
+    },
+    {
+      "role": "basyx-updater-two",
+      "action": "UPDATE",
+      "targetInformation": {
+        "@type": "submodel",
+        "submodelIds": "specificSubmodelId",
+        "submodelElementIdShortPaths": "*"
+      }
+    },
+    {
+      "role": "basyx-sme-updater",
+      "action": "UPDATE",
+      "targetInformation": {
+        "@type": "submodel",
+        "submodelIds": "specificSubmodelId",
+        "submodelElementIdShortPaths": "smc2.specificFileSubmodelElementIdShort"
+      }
+    },
+    {
+      "role": "basyx-sme-updater-two",
+      "action": "UPDATE",
+      "targetInformation": {
+        "@type": "submodel",
+        "submodelIds": "specificSubmodelId",
+        "submodelElementIdShortPaths": "smc2"
+      }
+    },
+    {
+      "role": "basyx-sme-updater-three",
+      "action": "UPDATE",
+      "targetInformation": {
+        "@type": "submodel",
+        "submodelIds": "specificSubmodelId-2",
+        "submodelElementIdShortPaths": "smc1.specificSubmodelElementIdShort-2"
+      }
+    },
+    {
+      "role": "basyx-file-sme-updater",
+      "action": "UPDATE",
+      "targetInformation": {
+        "@type": "submodel",
+        "submodelIds": "specificSubmodelId-2",
+        "submodelElementIdShortPaths": "smc2.specificFileSubmodelElementIdShort"
+      }
+    },
+    {
+      "role": "basyx-deleter",
+      "action": "DELETE",
+      "targetInformation": {
+        "@type": "submodel",
+        "submodelIds": "*",
+        "submodelElementIdShortPaths": "*"
+      }
+    },
+    {
+      "role": "basyx-deleter-two",
+      "action": "DELETE",
+      "targetInformation": {
+        "@type": "submodel",
+        "submodelIds": "specificSubmodelId-2",
+        "submodelElementIdShortPaths": "*"
+      }
+    },
+    {
+      "role": "basyx-executor",
+      "action": "EXECUTE",
+      "targetInformation": {
+        "@type": "submodel",
+        "submodelIds": "*",
+        "submodelElementIdShortPaths": "*"
+      }
+    },
+    {
+      "role": "basyx-executor-two",
+      "action": "EXECUTE",
+      "targetInformation": {
+        "@type": "submodel",
+        "submodelIds": "specificSubmodelId",
+        "submodelElementIdShortPaths": "square"
+      }
+    },
+    {
+      "role": "basyx-file-sme-reader",
+      "action": "READ",
+      "targetInformation": {
+        "@type": "submodel",
+        "submodelIds": "specificSubmodelId-2",
+        "submodelElementIdShortPaths": "smc2.specificFileSubmodelElementIdShort"
+      }
+    }
+  ]

examples/cloud/dependency_charts/aas-environment/templates/aas-environment-deployment.yaml

@@ -26,6 +26,9 @@ spec:
       - name: {{ template "aas-environment.fullname" $ }}-config
         configMap:
           name: {{ template "aas-environment.fullname" $ }}-config
+      - name: {{ template "aas-environment.fullname" $ }}-rbac-rules
+        configMap:
+          name: {{ template "aas-environment.fullname" $ }}-rbac-rules
       {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
@@ -62,6 +65,9 @@ spec:
         - mountPath: /application/application.properties
           name: {{ template "aas-environment.fullname" $ }}-config
           subPath: application.properties
+        - mountPath: /application/rbac-rules.json
+          name: {{ template "aas-discovery.fullname" $ }}-rbac-rules
+          subPath: rbac-rules.json
         {{- if .Values.startup.enabled }}
         - mountPath: /application/aas
           name: startup

examples/cloud/dependency_charts/aas-environment/templates/aas-environment-rbac-rules.yaml

@@ -0,0 +1,11 @@
+{{- if .Values.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "aas-environment.fullname" . }}-rbac-rules
+  labels:
+    {{- include "aas-environment.labels" . | nindent 4 }}
+data:
+  rbac-rules.json: |-
+{{ .Files.Get "config/rbac-rules.json" | indent 4 }}
+{{ end -}}

examples/cloud/dependency_charts/aas-environment/values.yaml

@@ -64,3 +64,9 @@ config: |
   mqtt.clientId=AAS-Env-Example-8081
   mqtt.hostname = mqtt
   mqtt.port = 1884
+
+  basyx.feature.authorization.enabled = true
+  basyx.feature.authorization.type = rbac
+  basyx.feature.authorization.jwtBearerTokenProvider = keycloak
+  basyx.feature.authorization.rbac.file = file:/application/rbac_rules.json
+  spring.security.oauth2.resourceserver.jwt.issuer-uri= http://keycloak.basyx.local:8080/realms/BaSyx

examples/cloud/dependency_charts/aas-registry/config/rbac-rules.json

@@ -0,0 +1,82 @@
+[
+    {
+      "role": "basyx-reader",
+      "action": "READ",
+      "targetInformation": {
+        "@type": "aas-registry",
+        "aasIds": "*"
+      }
+    },
+    {
+      "role": "admin",
+      "action": ["CREATE", "READ", "UPDATE", "DELETE"],
+      "targetInformation": {
+        "@type": "aas-registry",
+        "aasIds": "*"
+      }
+    },
+    {
+      "role": "basyx-reader-two",
+      "action": "READ",
+      "targetInformation": {
+        "@type": "aas-registry",
+        "aasIds": "dummyShellId_3"
+      }
+    },
+    {
+      "role": "basyx-creator",
+      "action": "CREATE",
+      "targetInformation": {
+        "@type": "aas-registry",
+        "aasIds": "*"
+      }
+    },
+    {
+      "role": "basyx-updater",
+      "action": "UPDATE",
+      "targetInformation": {
+        "@type": "aas-registry",
+        "aasIds": "*"
+      }
+    },
+    {
+      "role": "basyx-updater-two",
+      "action": "UPDATE",
+      "targetInformation": {
+        "@type": "aas-registry",
+        "aasIds": "dummyShellId_3"
+      }
+    },
+    {
+      "role": "basyx-asset-updater",
+      "action": "UPDATE",
+      "targetInformation": {
+        "@type": "aas-registry",
+        "aasIds": "*"
+      }
+    },
+    {
+      "role": "basyx-asset-updater-two",
+      "action": "UPDATE",
+      "targetInformation": {
+        "@type": "aas-registry",
+        "aasIds": "specificAasId-2"
+      }
+    },
+    {
+      "role": "basyx-deleter",
+      "action": "DELETE",
+      "targetInformation": {
+        "@type": "aas-registry",
+        "aasIds": "*"
+      }
+    },
+    {
+      "role": "basyx-deleter-two",
+      "action": "DELETE",
+      "targetInformation": {
+        "@type": "aas-registry",
+        "aasIds": "specificAasId-2"
+      }
+    }
+  ]

examples/cloud/dependency_charts/aas-registry/templates/aas-registry-deployment.yaml

@@ -45,7 +45,13 @@ spec:
         - mountPath: /workspace/config/application.properties
           name: {{ template "aas-registry.fullname" $ }}-config
           subPath: application.properties
+        - mountPath: /application/rbac-rules.json
+          name: {{ template "aas-registry.fullname" $ }}-rbac-rules
+          subPath: rbac-rules.json
       volumes:
       - name: {{ template "aas-registry.fullname" $ }}-config
         configMap:
           name: {{ template "aas-registry.fullname" $ }}-config
+      - name: {{ template "aas-registry.fullname" $ }}-rbac-rules
+        configMap:
+          name: {{ template "aas-registry.fullname" $ }}-rbac-rules

examples/cloud/dependency_charts/aas-registry/templates/aas-registry-rbac-rules.yaml

@@ -0,0 +1,11 @@
+{{- if .Values.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "aas-registry.fullname" . }}-rbac-rules
+  labels:
+    {{- include "aas-registry.labels" . | nindent 4 }}
+data:
+  rbac-rules.json: |-
+{{ .Files.Get "config/rbac-rules.json" | indent 4 }}
+{{ end -}}

examples/cloud/dependency_charts/aas-registry/values.yaml

@@ -65,3 +65,9 @@ config: |
   basyx.cors.allowed-origins="*"
   basyx.cors.allowed-methods="GET,POST,PATCH,DELETE,PUT,OPTIONS,HEAD"
 
+  basyx.feature.authorization.enabled = true
+  basyx.feature.authorization.type = rbac
+  basyx.feature.authorization.jwtBearerTokenProvider = keycloak
+  basyx.feature.authorization.rbac.file = file:/application/rbac_rules.json
+  spring.security.oauth2.resourceserver.jwt.issuer-uri= http://keycloak.basyx.local:8080/realms/BaSyx
+