Revised security guide #2223
Revised security guide #2223
Conversation
finkmanAtSap
left a comment
finkmanAtSap
left a comment
There was a problem hiding this comment.
I did not do an in-depth review but I found some things while skimming through
| entity Books : withGenre { ... } | ||
| ``` | ||
|
|
||
| The detailed syntax of `@ams` annotation provides an `attribute` property which might be helpful to decouple the external from the internal name: |
There was a problem hiding this comment.
I think we never implemented this detailled syntax. It looks like it is just a more verbose version that offers the same semantic?
|
|
||
| You can now perform following tasks in the Administrative Console for the IAS tenant (see prerequisits [here](../guides/security/authentication#ias-admin)): | ||
| - Assign (base or custom) policies to IAS users | ||
| - Create custom policies |
There was a problem hiding this comment.
I think, by now, admin policy may be the official name. If that name is used in the help.sap.com documentation, we should keep it coherent. I'm not sure though.
BraunMatthias
force-pushed
the
revised-security-guide
branch
2 times, most recently
from
bfad258 to
cb794d1
Compare
| - ~{app-api/app-protocol}://~{app-api/app-uri}/*/logout.html | ||
| ``` | ||
| ::: | ||
|
|
There was a problem hiding this comment.
this seems like an abrupt end, how can I now access the UI in hybrid mode to test authentication?
| #### Events to Auto-Exposed Entities { #events-and-auto-expose} | ||
|
|
||
| In general, entities can be exposed in services in different ways: they can be **explicitly exposed** by the modeler (for example, by a projection), or they can be **auto-exposed** by the CDS compiler due to some reason. | ||
| In general, entities can be exposed in services in different ways: they can be **explicitly exposed** by the modeler (for example, by a projection), or they can be **auto-exposed** by the CDS compiler for some reason. |
There was a problem hiding this comment.
| In general, entities can be exposed in services in different ways: they can be **explicitly exposed** by the modeler (for example, by a projection), or they can be **auto-exposed** by the CDS compiler for some reason. | |
| In general, entities can be exposed in services in different ways: they can be **explicitly exposed** by the modeler (for example, by a projection), or they can be [**auto-exposed**](cdl#auto-exposed-entities) by the CDS compiler for some reason. |
| ::: | ||
|
|
||
| ::: warning _Warning_ <!-- --> | ||
| A service level entity can't inherit a restriction with a `where` condition that doesn't match the projected entity. The restriction has to be overridden in this case. |
There was a problem hiding this comment.
Are you reffering to the situation where an element of the where condition is NOT part of the projection on top - in which case the compilation would fail ?
There was a problem hiding this comment.
for node, we need to check again if this works without cds add hana - for java it appears to be working without hana as sqlite is then used in the cloud
| Hence, start with `broker` if you want to provides technial APIs potentially. | ||
| ::: | ||
|
|
||
| [Learn more about XSUAA application security descriptor configuration syntax](https://help.sap.com/docs/hana-cloud-database/sap-hana-cloud-sap-hana-database-developer-guide-for-cloud-foundry-multitarget-applications-sap-web-ide-full-stack/application-security-descriptor-configuration-syntax){.learn-more} |
There was a problem hiding this comment.
link leads to a blank page (no 404 - nothing but a white page) (tried with safari and chrome)
| See [Application Security Descriptor Configuration Syntax](https://help.sap.com/docs/HANA_CLOUD_DATABASE/b9902c314aef4afb8f7a29bf8c5b37b3/6d3ed64092f748cbac691abc5fe52985.html) in the SAP HANA Platform documentation for the syntax of the _xs-security.json_ and advanced configuration options. | ||
|
|
||
| <!-- REVISIT: Not ideal cds compile --to xsuaa can generate invalid xs-security.json files --> | ||
| ::: warning Avoid invalid characters in your models |
There was a problem hiding this comment.
is there a pointer which characters to avoid?
guides/security/authentication.md
Outdated
| ❗ **Never share service keys or tokens** ❗ | ||
| ::: | ||
|
|
||
| As second step, assign the generated role collection with name `admin (bookshop cdsruntime-cap-zone-bookshop-xsuaa)` to your **test user** by following instructions from [Assign Roles in SAP BTP Cockpit](./cap-users##xsuaa-assign). |
There was a problem hiding this comment.
I had trouble with adding the roles to the role collection because I did not know which application identifier to pick… I figured it out by looking at the clientid from the service key…
guides/security/cap-users.md
Outdated
| **In most casese, there is no need to write custom code dependent on the CAP user - leverage CDS modelling whenever possible**. | ||
| ::: | ||
|
|
||
| ### Reflection { #reflection .java } |
There was a problem hiding this comment.
For Node.js, this section will be somewhat redundant to:
There was a problem hiding this comment.
ok, but I think we need to centralize the security-relevant documentation. In the runtime-specific versions additional or more detailed content could be shown.
| Now we want to fetch a token to prepare a fully authenticated test request. | ||
| As first step we add a new client for the XSUAA application by creating an appropriate service key: | ||
|
|
||
| ```sh | ||
| cf create-service-key bookshop-auth bookshop-auth-key | ||
| ``` | ||
|
|
||
|
|
||
| ```sh | ||
| cf service-key bookshop-auth bookshop-auth-key | ||
| ``` |
There was a problem hiding this comment.
Is it really necessary to create a service key? I was able to do it with:
❯ cf env bookshop-srv | grep '"xsuaa":' -A 20
"xsuaa": [
{
"binding_guid": "d10bccfe-b325-4ede-aecc-6644af1ba01b",
"binding_name": null,
"credentials": {
"apiurl": "https://api.authentication.eu12.hana.ondemand.com",
"clientid": "sb-bookshop-cap-sandbox-patrice!t50015",
"clientsecret": "…",
"credential-type": "binding-secret",
"identityzone": "cap-sandbox",
"identityzoneid": "a6d85e7a-c4cb-49e0-afec-2449a59dde87",
"sburl": "https://internal-xsuaa.authentication.eu12.hana.ondemand.com",
"serviceInstanceId": "fb12c45d-aecf-4acb-ad51-4cfc38e277e2",
"subaccountid": "127c6f37-462d-4157-a41b-a2427e2f4b6a",
"tenantid": "a6d85e7a-c4cb-49e0-afec-2449a59dde87",
"tenantmode": "dedicated",
"uaadomain": "authentication.eu12.hana.ondemand.com",
"url": "https://cap-sandbox.authentication.eu12.hana.ondemand.com",
"verificationkey": "…",
"xsappname": "bookshop-cap-sandbox-patrice!t50015",
"zoneid": "a6d85e7a-c4cb-49e0-afec-2449a59dde87"| ```sh [Token for named user] | ||
| curl -X POST \ | ||
| -H "Content-Type: application/x-www-form-urlencoded" \ | ||
| -d 'grant_type=password' \ | ||
| -d 'client_id=<clientid>' \ | ||
| -d 'client_secret=<clientsecret>' \ | ||
| -d 'username=<username>' \ | ||
| -d 'password=<userpassword>' \ | ||
| <url>/oauth/token |
There was a problem hiding this comment.
First, I created the service keys described as above and used it to fetch a token for the "Technical User". WIth this token, I was able to access catalog/Books but got a 403 for admin/Books (which was a nice learning effect). Then I added my user to the auto-generated role collection (admin (…)). After that, I used the clientid and client_secret from cf env bookshop-srv in combination with my user + password to fetch a token for the "Named User" → with this token I was able to also access admin/Books.
guides/security/authentication.md
Outdated
| TODO: the below command currently does not setup sqlite for production. | ||
|
|
||
| In addition, activate SQLite to serve as in-memory DB (**not** recommended for production!): | ||
| ```sh | ||
| cds add sqlite --for production | ||
| ``` |
There was a problem hiding this comment.
I just did it with HANA, not sure if all trial users have this possibility. Probably easier to have the in-memory db also in the deployed application for the sake of this guide
guides/security/cap-users.md
Outdated
| | User Property | UserInfo Getter | XSUAA JWT Property | IAS JWT Property | `@restrict`-annotation | ||
| |---------------|---------------------|----------------------------------|-------------------------|--------------------| | ||
| | _Logon name_ | `getName()` | `user_name` | `sub` | `$user` | | ||
| | _Tenant_ | `getTenant()` | `zid` | `zone_uuid` | `$user.tenant` | |
There was a problem hiding this comment.
See #2264 (comment)
| | _Tenant_ | `getTenant()` | `zid` | `zone_uuid` | `$user.tenant` | | |
| | _Tenant_ | `getTenant()` | `zid` | `app_tid` | `$user.tenant` | |
| onBehalfOf: systemUserProvider | ||
| ``` | ||
|
|
||
| The parameter `onBehalfOf` in the binding configuration section allows to define following *user propagation* strategies: |
There was a problem hiding this comment.
| The parameter `onBehalfOf` in the binding configuration section allows to define following *user propagation* strategies: | |
| The parameter `onBehalfOf` in the binding configuration section allows to define the following *user propagation* strategies: |
| @@ -0,0 +1,142 @@ | |||
| <mxfile host="65bd71144e"> | |||
There was a problem hiding this comment.
Don't separate the ias-ui-setup.drawio and ias-ui-setup.svg into just ias-ui-setup.drawio.svg, which can be directly edited and rendered in the browser. We want to avoid the double maintenance and export steps.
Same for the other graphics where this applies.
| @@ -0,0 +1,5982 @@ | |||
| { | |||
There was a problem hiding this comment.
Pls replace that file by a .drawio.svg. 6000 lines added vs. the ~200-400 we see in the Draw.io ones.
Makes this diff so huge that GitHub forces you to review by file.
| ### Authentication | ||
|
|
||
| Add [security configuration](../security/authorization#xsuaa-configuration) using the command: | ||
| Add [security configuration](../security/authentication#authentication) using the command: |
There was a problem hiding this comment.
Bit of an awkward URL with the stuttering. As "#authentication" is just the h1 heading in the linked guide, why use it at all?
| Add [security configuration](../security/authentication#authentication) using the command: | |
| Add [security configuration](../security/authentication) using the command: |
However, I wouldn't hide this link in the prose text but rather add a {.learn-more} one, e.g. after the cds add command:
[Learn more about Authentication in CAP](../security/authentication){.learn-more}
This makes it clearer to the user what you're trying to cross-reference.
Adding node specific snippets and sections to the revised security guide, originally added in #2223. --------- Co-authored-by: Manuel Fink <[email protected]>
|
|
||
| CAP is not tied to any specific authentication method, nor to concrete user information such as that provided by IAS or XSUAA. | ||
| Instead, an abstract [user representation](cap-users#claims) is attached to the request which can be used to influence request processing. | ||
| For example, both authorization enforcement and domain logic can depend on the current user properties. |
There was a problem hiding this comment.
| For example, both authorization enforcement and domain logic can depend on the current user properties. | |
| For example, both authorization enforcement and domain logic can depend on properties of the the current user. |
|
|
||
| - For _local development_ and _unit testing_, [Mock User Authentication](#mock-user-auth) is an appropriate built-in authentication feature. | ||
|
|
||
| - For _cloud deployments_, in particular deployments for production, CAP provides integration of several identity services: |
There was a problem hiding this comment.
| - For _cloud deployments_, in particular deployments for production, CAP provides integration of several identity services: | |
| - For _cloud deployments_, in particular deployments for production, CAP provides integration of several identity services out of the box: |
No description provided.