blob: a7dff0ab61032e61f33ede79679f8186b35989df [file] [log] [blame]
<!DOCTYPE html>
<html class="no-js">
<head lang="en-us">
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,user-scalable=no,initial-scale=1,maximum-scale=1">
<meta http-equiv="X-UA-Compatible" content="IE=10" />
<title>Authorization - Eclipse hawkBit</title>
<meta name="generator" content="Hugo 0.49.2" />
<meta name="description" content="IoT. Update. Device.">
<link rel="canonical" href="https://www.eclipse.org/hawkbit/concepts/authorization/">
<meta name="author" content="The Eclipse hawkBit Project">
<meta property="og:url" content="https://www.eclipse.org/hawkbit/concepts/authorization/">
<meta property="og:title" content="Eclipse hawkBit">
<meta property="og:image" content="https://www.eclipse.org/hawkbit/images/hawkbit_icon.png">
<meta name="apple-mobile-web-app-title" content="Eclipse hawkBit">
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-status-bar-style" content="black-translucent">
<link rel="shortcut icon" type="image/x-icon" href="https://www.eclipse.org/hawkbit/images/favicon.ico">
<link rel="icon" type="image/x-icon" href="https://www.eclipse.org/hawkbit/images/favicon.ico">
<style>
@font-face {
font-family: 'Icon';
src: url('https://www.eclipse.org/hawkbit/fonts/icon.eot');
src: url('https://www.eclipse.org/hawkbit/fonts/icon.eot')
format('embedded-opentype'),
url('https://www.eclipse.org/hawkbit/fonts/icon.woff')
format('woff'),
url('https://www.eclipse.org/hawkbit/fonts/icon.ttf')
format('truetype'),
url('https://www.eclipse.org/hawkbit/fonts/icon.svg')
format('svg');
font-weight: normal;
font-style: normal;
}
</style>
<link rel="stylesheet" href="https://www.eclipse.org/hawkbit/stylesheets/application.css">
<link rel="stylesheet" href="https://www.eclipse.org/hawkbit/stylesheets/temporary.css">
<link rel="stylesheet" href="https://www.eclipse.org/hawkbit/stylesheets/palettes.css">
<link rel="stylesheet" href="https://www.eclipse.org/hawkbit/stylesheets/highlight/highlight.css">
<link rel="stylesheet" href="//fonts.googleapis.com/css?family=Ubuntu:400,700|Ubuntu&#43;Mono">
<style>
body, input {
font-family: 'Ubuntu', Helvetica, Arial, sans-serif;
}
pre, code {
font-family: 'Ubuntu Mono', 'Courier New', 'Courier', monospace;
}
</style>
<link rel="stylesheet" href="https://www.eclipse.org/hawkbit/css/hawkbit.css">
<link rel="stylesheet" href="//www.eclipse.org/eclipse.org-common/themes/solstice/public/stylesheets/vendor/cookieconsent/cookieconsent.min.css">
<script src="https://www.eclipse.org/hawkbit/javascripts/modernizr.js"></script>
<script src="//www.eclipse.org/eclipse.org-common/themes/solstice/public/javascript/vendor/cookieconsent/default.min.js"></script>
<link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.1.0/css/all.css" integrity="sha384-lKuwvrZot6UHsBSfcMvOkWwlCMgc0TaWr+30HWe3a4ltaBwTZhyTEggF5tJv8tbt" crossorigin="anonymous">
</head>
<body class="palette-primary-deep-purple palette-accent-light-green">
<div class="backdrop">
<div class="backdrop-paper"></div>
</div>
<input class="toggle" type="checkbox" id="toggle-drawer">
<input class="toggle" type="checkbox" id="toggle-search">
<label class="toggle-button overlay" for="toggle-drawer"></label>
<header class="header">
<nav aria-label="Header">
<div class="bar default">
<div class="button button-menu" role="button" aria-label="Menu">
<label class="toggle-button icon icon-menu" for="toggle-drawer">
<span></span>
</label>
</div>
<div class="stretch">
<div class="title">
Authorization
</div>
</div>
<div class="button button-github" role="button" aria-label="GitHub">
<a href="https://github.com/eclipse/hawkbit" title="@eclipse/hawkbit on GitHub" target="_blank" class="toggle-button icon icon-github"></a>
</div>
<div class="button button-github" role="button" aria-label="Gitter">
<a href="https://gitter.im/eclipse/hawkbit" title="@eclipse/hawkbit on Gitter" target="_blank" class="toggle-button icon fab fa-gitter"></a>
</div>
<div class="button button-github" role="button" aria-label="Docker">
<a href="https://hub.docker.com/u/hawkbit" title="hawkbit on Docker Hub" target="_blank" class="toggle-button icon fab fa-docker"></a>
</div>
</div>
<div class="bar search">
<div class="button button-close" role="button" aria-label="Close">
<label class="toggle-button icon icon-back" for="toggle-search"></label>
</div>
<div class="stretch">
<div class="field">
<input class="query" type="text" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck>
</div>
</div>
<div class="button button-reset" role="button" aria-label="Search">
<button class="toggle-button icon icon-close" id="reset-search"></button>
</div>
</div>
</nav>
</header>
<main class="main">
<div class="drawer">
<nav aria-label="Navigation">
<a href="https://www.eclipse.org/hawkbit/" class="project">
<div class="banner">
<div class="logo">
<img src="https://www.eclipse.org/hawkbit/images/hawkbit_icon.png">
</div>
<div class="name">
<strong>Eclipse hawkBit&trade; </strong>
<br>
eclipse/hawkbit
</div>
</div>
</a>
<div class="scrollable">
<div class="wrapper">
<ul class="repo">
<li class="repo-download">
<a href="https://hawkbit.eclipse.org" target="_blank" title="hawkBit Sandbox" data-action="sandbox">
<i class="fas fa-desktop"></i> &nbsp; Sandbox
</a>
</li>
<li class="repo-stars">
<a href="https://github.com/eclipse/hawkbit/stargazers" target="_blank" title="Stargazers" data-action="star">
<i class="icon icon-star"></i> Stars
<span class="count">&ndash;</span>
</a>
</li>
</ul>
<hr>
<div class="toc">
<ul>
<li>
<a title="What is hawkBit" href="/hawkbit/whatishawkbit/">
What is hawkBit
</a>
</li>
<li>
<a title="Getting started" href="/hawkbit/gettingstarted/">
Getting started
</a>
</li>
<li>
<a title="Guides" href="/hawkbit/guides/">
Guides
</a>
</li>
<li>
<a title="Features" href="/hawkbit/features/">
Features
</a>
</li>
<li>
<a title="Concepts" href="/hawkbit/concepts/">
Concepts
</a>
</li>
<li>
<a title="Architecture" href="/hawkbit/architecture/">
Architecture
</a>
</li>
<li>
<a title="Management UI" href="/hawkbit/ui/">
Management UI
</a>
</li>
<li>
<a title="APIs" href="/hawkbit/apis/">
APIs
</a>
</li>
<li>
<a title="Community" href="/hawkbit/community/">
Community
</a>
</li>
<li>
<a title="Release notes" href="/hawkbit/release-notes/">
Release notes
</a>
</li>
</ul>
<hr>
<ul>
<li>
<a href="https://gitter.im/eclipse/hawkbit?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge" title="Chat on Gitter" target="_blank">
<img src="https://badges.gitter.im/eclipse/hawkbit.svg" />
</a>
</li>
<li>
<a href="https://circleci.com/gh/eclipse/hawkbit" title="Circle CI Status" target="_blank">
<img src="https://circleci.com/gh/eclipse/hawkbit.svg?style=shield" />
</a>
</li>
<li>
<a href="https://sonar.ops.bosch-iot-rollouts.com" title="SonarQube Status" target="_blank">
<img src="https://sonar.ops.bosch-iot-rollouts.com/api/badges/gate?key=org.eclipse.hawkbit:hawkbit-parent" />
</a>
</li>
<li>
<a href="https://maven-badges.herokuapp.com/maven-central/org.eclipse.hawkbit/hawkbit-parent" title="Maven Central Status" target="_blank">
<img src="https://maven-badges.herokuapp.com/maven-central/org.eclipse.hawkbit/hawkbit-parent/badge.svg" />
</a>
</li>
</ul>
</div>
</div>
</div>
</nav>
</div>
<article class="article">
<div class="wrapper">
<h1>Authorization </h1>
<p>Authorization is handled separately for <em>Direct Device Integration (DDI) API</em> and <em>Device Management Federation (DMF) API</em> (where successful authentication includes full authorization) and <em>Management API</em> and <em>UI</em> which is based on Spring security <a href="https://github.com/eclipse/hawkbit/blob/master/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/im/authentication/SpPermission.java">authorities</a>.
</p>
<p>However, keep in mind that hawkBit does not offer an off the shelf authentication provider to leverage these permissions and the underlying multi user/tenant capabilities of hawkBit. Check out <a href="http://projects.spring.io/spring-security/">Spring security documentation</a> for further information. In hawkBit <a href="https://github.com/eclipse/hawkbit/blob/master/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/SecurityAutoConfiguration.java">SecurityAutoConfiguration</a> is a good starting point for integration.</p>
<p>The default implementation is single user/tenant with basic auth and the logged in user is provided with all permissions.</p>
<h2 id="ddi-api">DDI API</h2>
<p>An authenticated target is permitted to:
- retrieve commands from the server
- provide feedback to the the server
- download artifacts that are assigned to it</p>
<p>A target might be permitted to download artifacts without authentication (if enabled, see above). Only the download can be permitted to disable the authentication. This can be used in scenarios where the artifacts itself are e.g. signed and secured.</p>
<h2 id="management-api-and-ui">Management API and UI</h2>
<h3 id="delivered-permissions">Delivered Permissions</h3>
<ul>
<li><p>READ<em>/UPDATE</em>/CREATE_/DELETE_TARGETS for:</p>
<ul>
<li>Target entities including metadata (that includes also the installed and assigned distribution sets)</li>
<li>Target tags</li>
<li>Target actions</li>
<li>Target registration rules</li>
<li>Bulk operations</li>
<li>Target filters</li>
</ul></li>
<li><p>READ<em>/UPDATE</em>/CREATE_/DELETE_REPOSITORY for:</p>
<ul>
<li>Distribution sets</li>
<li>Software Modules</li>
<li>Artifacts</li>
<li>DS tags</li>
</ul></li>
<li><p>READ_TARGET_SECURITY_TOKEN</p>
<ul>
<li>Permission to read the target security token. The security token is security concerned and should be protected.</li>
</ul></li>
<li><p>DOWNLOAD_REPOSITORY_ARTIFACT</p>
<ul>
<li>Permission to download artifacts of an software module (Note: READ_REPOSITORY allows only to read the metadata).</li>
</ul></li>
<li><p>TENANT_CONFIGURATION</p>
<ul>
<li>Permission to administrate the tenant settings.</li>
</ul></li>
<li><p>ROLLOUT_MANAGEMENT</p>
<ul>
<li>Permission to provision targets through rollouts.</li>
</ul></li>
</ul>
<h3 id="permission-matrix-for-example-uses-cases-that-need-more-than-one-permission">Permission Matrix for example uses cases that need more than one permission</h3>
<table>
<thead>
<tr>
<th>Use Case</th>
<th>Needed permissions</th>
</tr>
</thead>
<tbody>
<tr>
<td>Search <em>targets</em> by installed or assigned <em>distribution set</em></td>
<td>READ_TARGET, READ_REPOSITORY</td>
</tr>
<tr>
<td>Assign <em>DS</em> to a <em>target</em></td>
<td>READ_REPOSITORY, UPDATE_TARGET</td>
</tr>
<tr>
<td>Assign DS to target through a <em>Rollout</em>, i.e. <em>Rollout</em> creation and start</td>
<td>READ_REPOSITORY, UPDATE_TARGET, ROLLOUT_MANAGEMENT</td>
</tr>
<tr>
<td>Read <em>Rollout</em> status including its <em>deployment groups</em></td>
<td>ROLLOUT_MANAGEMENT</td>
</tr>
<tr>
<td>Checks <em>targets</em> inside <em>Rollout deployment group</em></td>
<td>READ_TARGET, ROLLOUT_MANAGEMENT</td>
</tr>
</tbody>
</table>
<h2 id="device-management-federation-api">Device Management Federation API</h2>
<p>The provided <em>RabbitMQ</em> <a href="https://www.rabbitmq.com/access-control.html">vhost and user</a> should be provided with the necessary permissions to send messages to hawkBit through the exchange and receive messages from it through the specified queue.</p>
<aside class="copyright" role="note">
<div class="logo">
<a href="https://www.eclipse.org" target="_blank">
<img src="/hawkbit/images/eclipse_foundation_logo.png" />
</a>
</div>
<p class="notice">
&copy; 2018 The Eclipse hawkBit Project &ndash;
Documentation built with
<a href="https://www.gohugo.io" target="_blank">Hugo</a>
using the
<a href="http://github.com/digitalcraftsman/hugo-material-docs" target="_blank">Material</a> theme.
</p>
<p class="quickLinks">
<a href="http://www.eclipse.org/legal/privacy.php" target="_blank">
&gt; Privacy Policy
</a>
<a href="http://www.eclipse.org/legal/termsofuse.php" target="_blank">
&gt; Terms of Use
</a>
<a href="http://www.eclipse.org/legal/copyright.php" target="_blank">
&gt; Copyright Agent
</a>
<a href="http://www.eclipse.org/legal" target="_blank">
&gt; Legal
</a>
<a href="https://www.eclipse.org/org/documents/epl-v10.php" target="_blank">
&gt; License
</a>
</p>
</aside>
<footer class="footer">
<nav class="pagination" aria-label="Footer">
<div class="previous">
<a href="https://www.eclipse.org/hawkbit/concepts/authentication/" title="Authentication">
<span class="direction">
Previous
</span>
<div class="page">
<div class="button button-previous" role="button" aria-label="Previous">
<i class="icon icon-back"></i>
</div>
<div class="stretch">
<div class="title">
Authentication
</div>
</div>
</div>
</a>
</div>
<div class="next">
<a href="https://www.eclipse.org/hawkbit/concepts/datamodel/" title="Data Model">
<span class="direction">
Next
</span>
<div class="page">
<div class="stretch">
<div class="title">
Data Model
</div>
</div>
<div class="button button-next" role="button" aria-label="Next">
<i class="icon icon-forward"></i>
</div>
</div>
</a>
</div>
</nav>
</footer>
</div>
</article>
<div class="results" role="status" aria-live="polite">
<div class="scrollable">
<div class="wrapper">
<div class="meta"></div>
<div class="list"></div>
</div>
</div>
</div>
</main>
<script>
var base_url = 'https:\/\/www.eclipse.org\/hawkbit\/';
var repo_id = 'eclipse\/hawkbit';
</script>
<script src="https://www.eclipse.org/hawkbit/javascripts/application.js"></script>
<script>
/* Add headers to scrollspy */
var headers = document.getElementsByTagName("h2");
var scrollspy = document.getElementById('scrollspy');
if(scrollspy) {
if(headers.length > 0) {
for(var i = 0; i < headers.length; i++) {
var li = document.createElement("li");
li.setAttribute("class", "anchor");
var a = document.createElement("a");
if(!headers[i].id)
a.setAttribute("href", headers[i].parentNode.href);
else
a.setAttribute("href", "#" + headers[i].id);
a.setAttribute("title", headers[i].innerHTML);
a.innerHTML = headers[i].innerHTML;
li.appendChild(a);
scrollspy.appendChild(li);
}
} else {
scrollspy.parentElement.removeChild(scrollspy)
}
/* Add permanent link next to the headers */
var headers = document.querySelectorAll("h1, h2, h3, h4, h5, h6");
for(var i = 0; i < headers.length; i++) {
var a = document.createElement("a");
a.setAttribute("class", "headerlink");
a.setAttribute("href", "#" + headers[i].id);
a.setAttribute("title", "Permanent link");
a.innerHTML = "#";
headers[i].appendChild(a);
}
}
</script>
<script src="//cdnjs.cloudflare.com/ajax/libs/highlight.js/9.8.0/highlight.min.js"></script>
<script>hljs.initHighlightingOnLoad();</script>
</body>
</html>