[review] Security Guide #2321
[review] Security Guide #2321
Conversation
| ### Filter Conditions { #filter-consitions } | ||
| ### Filter Conditions | ||
|
|
||
| For instance, a user is allowed to read or edit `Orders` (defined with the `managed` aspect) that they have created: |
There was a problem hiding this comment.
This idea was to move the example first, as we often do it in capire. We could do the same in other sections as well, if we agree on doing so. This is just an example to show what I mean.
There was a problem hiding this comment.
@BraunMatthias What do you think about changing this?
Remote AuthenticationThat guide is based on a Java sample only, right? Are there plans for Node.js as well? |
| ```sh | ||
| TODO | ||
| ``` |
There was a problem hiding this comment.
Needs to be filled
There was a problem hiding this comment.
Within our logs, I think this would be the closest we get ... I am not aware of an output that names the service binding, our auth middleware is going to use.
| ```sh | |
| TODO | |
| ``` | |
| ```sh | |
| [cds] - using auth strategy { | |
| kind: 'ias', | |
| impl: 'node_modules/@sap/cds/lib/srv/middlewares/auth/ias-auth.js' | |
| } |
| TODO | ||
There was a problem hiding this comment.
Needs to be filled
There was a problem hiding this comment.
I am not aware of a functional equivalent in node 🤔 People could add a custom auth middleware?
There was a problem hiding this comment.
If there is no way to turn off authentication, we could also just remove this div here.
| Mock users require **basic authentication**, hence sending the same request on behalf of mock user `alice` (no password) with | ||
| ```sh | ||
| curl http://alice:basic@localhost:4004/odata/v4/admin/Books | ||
| curl http://alice:@localhost:4004/odata/v4/admin/Books |
There was a problem hiding this comment.
@PDT42 Is this correct or does Alice have a password? Please also check the curl command for correctness. Thanks :)
| Unsupported privilege properties are ignored by the runtime. Especially, for bound or unbound actions, the `grant` property is implicitly removed (assuming `grant: '*'` instead). The same also holds for functions: | ||
|
|
||
| ```cds | ||
| ::: code-group |
There was a problem hiding this comment.
I feel it does make sense to show a wrong version and the resulting model after implicitly removing it. WDYT?
Please check the resulting model. Or is there a better/right way to show that?
| | action/function | <Na/> | <Y/> | <Na/><sup>2</sup> | = `@requires` | | ||
|
|
||
| > <sup>1</sup>For bound actions and functions that are not bound against a collection, Node.js supports instance-based authorization at the entity level. For example, you can use `where` clauses that *contain references to the model*, such as `where: CreatedBy = $user`. For all bound actions and functions, Node.js supports simple static expressions at the entity level that *don't have any reference to the model*, such as `where: $user.level = 2`. | ||
| > <sup>1</sup>For bound actions and functions that are not bound against a collection, Node.js supports instance-based authorization at the entity level, see [link] (somewhere in Node.js docs)<br> |
There was a problem hiding this comment.
I felt that there was too much text that could be part of the runtime docs. I'm not saying is has to but maybe we can find a place for that and set a link here. Would be preferred.
|
|
||
| > <sup>1</sup>For bound actions and functions that are not bound against a collection, Node.js supports instance-based authorization at the entity level. For example, you can use `where` clauses that *contain references to the model*, such as `where: CreatedBy = $user`. For all bound actions and functions, Node.js supports simple static expressions at the entity level that *don't have any reference to the model*, such as `where: $user.level = 2`. | ||
| > <sup>1</sup>For bound actions and functions that are not bound against a collection, Node.js supports instance-based authorization at the entity level, see [link] (somewhere in Node.js docs)<br> | ||
| > <sup>2</sup> For unbound actions and functions, Node.js supports simple static expressions that *don't have any reference to the model*, such as `where: $user.level = 2`. |
There was a problem hiding this comment.
Should it say "bound and unbound actions and functions"? In consequence we should add <sup>2</sup> also in the table for entity.
See:
| > <sup>2</sup> For unbound actions and functions, Node.js supports simple static expressions that *don't have any reference to the model*, such as `where: $user.level = 2`. | |
| > <sup>2</sup> For bound and unbound actions and functions, Node.js supports simple static expressions that *don't have any reference to the model*, such as `where: $user.level = 2`. |
| Mock users require **basic authentication**, hence sending the same request on behalf of mock user `alice` (no password) with | ||
| ```sh | ||
| curl http://alice:basic@localhost:4004/odata/v4/admin/Books | ||
| curl http://alice:@localhost:4004/odata/v4/admin/Books |
There was a problem hiding this comment.
Can't create a suggestion on the original comment.
Default user alice does not have a password. Running this curl worked for me after setting up a tiny-sample. I think we should use the catalog service, since its available in sample as well as tiny-sample.
| curl http://alice:@localhost:4004/odata/v4/admin/Books | |
| curl http://alice:@localhost:4004/odata/v4/catalog/Books |
There was a problem hiding this comment.
The context here is that unrestricted services are not authenticated in non-production profiles, see line 130ff. So I think that's why the admin service is used here.
| ::: warning | ||
| If you switch off CAP authentication, make sure that the internal communication channels are secured by the given infrastructure. | ||
| ::: |
There was a problem hiding this comment.
@BraunMatthias How about moving this note into the java div with the hint how to turn off authentication? If there's is no equivalent in Node.js then we could move it into the Java div as it doesn't apply to Node.js at all. Right?
General remarks on: