EFPF Keycloak Policy Enforcement Guide

The following image shows how the policies are enforced via the API Gateway.

Figure 1: Configure EFS as the trusted IDP

  • Policy Administration Point (PAP)

Provides a set of UIs based on the Keycloak Administration Console to manage resource servers, resources, scopes, permissions, and policies. Part of this can also be done remotely through the Protection API.

  • Policy Decision Point (PDP)

Provides a distributable policy decision point to which authorization requests are sent; policies are evaluated there according to the permissions being requested. For more information, see Obtaining Permissions.

  • Policy Enforcement Point (PEP)

Provides implementations for different environments to actually enforce authorization decisions at the resource server side. Keycloak provides some built-in Policy Enforcers.

  • Policy Information Point (PIP)

Because it is based on the Keycloak Authentication Server, attributes can be obtained from identities and from the runtime environment during the evaluation of authorization policies.

The following steps will create Keycloak policies for the below scenario:

Figure 2: Keycloak policies

  1. Create a client and enable authorization on it (the Apisix client)
  2. Create two scopes (sr_admin, sr_view)
  3. Create the service_registry resource and add the two scopes to it

Refer to the image below.

Figure 3: Keycloak resources

  4. Create the View Service registry policy: a policy that allows users to view SR routes.

Figure 4: View Registry policy

  5. Create the admin functionality policy: a policy that grants service registry admin permission (CRUD) to users.

Figure 5: Admin policy

  6. Create a scope-based permission to view the registry.

Figure 6: Scope-based permission for view

  7. Create a scope-based permission to perform administrative tasks on the registry.

Figure 7: Scope-based permission for admin tasks
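As an added example (not part of the original guide or the EFPF project code), the following APISIX standalone route configuration enforces the two scope-based permissions created above at the gateway, using the authz-keycloak plugin with the Apisix client. The realm name, hostnames, client secret and upstream address are placeholders assumed for illustration.

```yaml
# apisix.yaml (APISIX standalone mode). The realm "efpf", the hostnames,
# the client secret and the upstream are assumptions, not values from the guide.
routes:
  # Read-only access to the Service Registry: the caller's token must be
  # granted the sr_view scope on the service_registry resource (the "view"
  # scope-based permission evaluated by Keycloak's PDP).
  - id: sr-view
    uri: /service-registry/*
    methods: ["GET", "HEAD"]
    plugins:
      authz-keycloak:
        discovery: https://keycloak.example.com/auth/realms/efpf/.well-known/uma2-configuration
        client_id: apisix
        client_secret: "<apisix-client-secret>"
        permissions: ["service_registry#sr_view"]
        policy_enforcement_mode: ENFORCING   # deny unless Keycloak grants the permission
        ssl_verify: true                     # keep TLS verification on towards Keycloak
    upstream:
      type: roundrobin
      nodes:
        "service-registry.internal:8080": 1
  # Write access (CRUD) to the Service Registry: requires the sr_admin scope
  # (the "admin tasks" scope-based permission). Keeping reads and writes on
  # separate routes means a token with only sr_view can never reach a write.
  - id: sr-admin
    uri: /service-registry/*
    methods: ["POST", "PUT", "PATCH", "DELETE"]
    plugins:
      authz-keycloak:
        discovery: https://keycloak.example.com/auth/realms/efpf/.well-known/uma2-configuration
        client_id: apisix
        client_secret: "<apisix-client-secret>"
        permissions: ["service_registry#sr_admin"]
        policy_enforcement_mode: ENFORCING
        ssl_verify: true
    upstream:
      type: roundrobin
      nodes:
        "service-registry.internal:8080": 1
#END
```

For each request the plugin forwards the bearer token to Keycloak's token endpoint (UMA ticket grant) with the listed permission and only proxies to the upstream when Keycloak returns a positive decision; a request without a valid bearer token is rejected with 401 and a token lacking the required scope with 403.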
