zmartzone/lua-resty-xacml-pep

Name: lua-resty-xacml-pep

Owner: ZmartZone IAM

Description: A JSON/REST XACML Policy Enforcement Point implementation in Lua for NGINX/OpenResty

Created: 2017-08-02 08:19:17.0

Updated: 2018-04-03 12:17:14.0

Pushed: 2018-04-03 12:18:08.0

Homepage: null

Size: 14

Language: Lua


README

lua-resty-xacml-pep

lua-resty-xacml-pep is a library for NGINX implementing the XACML Policy Enforcement Point functionality using the REST and JSON Profiles of XACML 3.0.

It can be used as a reverse proxy authorizing incoming requests in front of an origin server so that the origin server/services can be protected with the XACML Attribute Based Access Control (ABAC) without implementing XACML on the server or in the application itself.

Dependencies

lua-resty-xacml-pep depends on the following packages:

The dependencies above come automatically with OpenResty. You will need to install one extra pure-Lua dependency that implements HTTP client functions:

Installation

Copy xacml_pep.lua somewhere in your lua_package_path under a directory named resty. If you are using OpenResty, the default location would be /usr/local/openresty/lualib/resty.

Sample Configuration
events {
  worker_connections 128;
}

http {

  lua_package_path '~/lua/?.lua;;';

  resolver 8.8.8.8;

  lua_ssl_trusted_certificate /opt/local/etc/openssl/cert.pem;
  lua_ssl_verify_depth 5;

  # cache for PDP decisions
  lua_shared_dict decision 1m;

  server {
    listen 8080;

    location / {

      access_by_lua '

          -- PDP configuration
          local opts = {
             pdp_endpoint="https://localhost:8643/asm-pdp/authorize",
             pdp_user="pdp-user",
             pdp_passwd="my_secret",
             -- "no" disables TLS certificate verification of the PDP connection;
             -- acceptable only for the localhost test endpoint configured above
             ssl_verify = "no",
          }

          -- typically you'd get the input parameters to the PDP call
          -- from the current context, such as the authenticated "subject",
          -- the "action" and the current "resource" that is being accessed
          local res, err = require("resty.xacml_pep").pdp_decision(opts, "hans", "GET", "https://www.example.com")

          -- any error (including a non-Permit decision) denies the request
          if err then
            ngx.status = 403
            ngx.say(err)
            ngx.exit(ngx.HTTP_FORBIDDEN)
          end

          -- at this point the user is authorized and content can be served, e.g.:
          local cjson = require "cjson"
          ngx.header.content_type = "application/json"
          ngx.say(cjson.encode(res))
          ngx.exit(ngx.OK)
      ';
    }
  }
}
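To make concrete what the pdp_decision call above does on the wire, here is an added illustration (not code from lua-resty-xacml-pep or ZmartZone) of a PEP round trip in Python: it builds a XACML 3.0 JSON Profile request from the (subject, action, resource) triple, parses the PDP's JSON Profile response, enforces a fail-closed rule (only an explicit Permit authorizes; Deny, NotApplicable, Indeterminate and malformed replies all deny), and caches definite decisions with a TTL in the spirit of the lua_shared_dict decision cache. The exact request document the library sends is not shown on the page, so the request layout below is the JSON Profile's standard shorthand category form; the PDP responses and the send_to_pdp hook are constructed stand-ins so the code runs offline.

```python
import json
import time

# Standard XACML 3.0 attribute identifier URNs (from the XACML core spec).
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"

DECISIONS = ("Permit", "Deny", "NotApplicable", "Indeterminate")


def build_request(subject, action, resource):
    """Build a JSON Profile request for one (subject, action, resource) triple.

    Assumption: the shorthand category names of the JSON Profile are used;
    the library's own request document may differ in detail."""
    return {
        "Request": {
            "AccessSubject": {"Attribute": [{"AttributeId": SUBJECT_ID, "Value": subject}]},
            "Action": {"Attribute": [{"AttributeId": ACTION_ID, "Value": action}]},
            "Resource": {"Attribute": [{"AttributeId": RESOURCE_ID, "Value": resource}]},
        }
    }


def decision_from_response(body):
    """Extract the Decision from a JSON Profile response body (a str).

    A well-formed response is {"Response": [{"Decision": ..., ...}]} with exactly
    one result for a single-decision request. Anything else maps to
    "Indeterminate" so that the enforcement step fails closed."""
    try:
        results = json.loads(body)["Response"]
        if not isinstance(results, list) or len(results) != 1:
            return "Indeterminate"
        decision = results[0]["Decision"]
    except (ValueError, KeyError, TypeError):
        return "Indeterminate"
    return decision if decision in DECISIONS else "Indeterminate"


def is_authorized(decision):
    """Enforcement rule: only an explicit Permit grants access."""
    return decision == "Permit"


class DecisionCache:
    """TTL cache keyed by (subject, action, resource); clock is injectable for tests."""

    def __init__(self, ttl_seconds, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock
        self._store = {}

    def get(self, key):
        entry = self._store.get(key)
        if entry is None:
            return None
        decision, expires = entry
        if self.clock() >= expires:
            del self._store[key]
            return None
        return decision

    def put(self, key, decision):
        self._store[key] = (decision, self.clock() + self.ttl)


def pdp_decision(cache, send_to_pdp, subject, action, resource):
    """Return (authorized, decision). send_to_pdp(request_dict) -> response body str.

    Only definite decisions (Permit/Deny) are cached: an Indeterminate result may
    be a transient PDP or transport error and must be re-asked next time."""
    key = (subject, action, resource)
    decision = cache.get(key)
    if decision is None:
        decision = decision_from_response(send_to_pdp(build_request(subject, action, resource)))
        if decision in ("Permit", "Deny"):
            cache.put(key, decision)
    return is_authorized(decision), decision


# Constructed PDP responses for the offline demo (not real PDP output).
FAKE_PDP = {
    ("hans", "GET", "https://www.example.com"): '{"Response": [{"Decision": "Permit"}]}',
    ("hans", "DELETE", "https://www.example.com"): '{"Response": [{"Decision": "Deny"}]}',
    ("eve", "GET", "https://www.example.com"): '{"Response": [{"Decision": "NotApplicable"}]}',
}


def fake_send(request):
    """Stand-in transport: look up a constructed reply, else return a non-JSON error page."""
    req = request["Request"]
    key = (
        req["AccessSubject"]["Attribute"][0]["Value"],
        req["Action"]["Attribute"][0]["Value"],
        req["Resource"]["Attribute"][0]["Value"],
    )
    return FAKE_PDP.get(key, "<html>502 Bad Gateway</html>")


if __name__ == "__main__":
    cache = DecisionCache(ttl_seconds=60)
    for s, a, r in [("hans", "GET", "https://www.example.com"),
                    ("hans", "DELETE", "https://www.example.com"),
                    ("eve", "GET", "https://www.example.com"),
                    ("mallory", "GET", "https://www.example.com")]:
        print(s, a, r, "->", pdp_decision(cache, fake_send, s, a, r))
```

The point to take from the mapping in is_authorized and decision_from_response is that a PEP in front of an origin server must treat everything other than Permit, including a PDP that is unreachable or answers with something that is not a JSON Profile response, as a denial, which is the same fail-closed behaviour the nginx sample implements by returning 403 whenever pdp_decision reports an error.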


Support

See the Wiki pages with Frequently Asked Questions at:
https://github.com/zmartzone/lua-resty-xacml-pep/wiki
For commercial support and consultancy you can contact:
info@zmartzone.eu

Any questions or issues should go to the issue tracker or to the primary author, hans.zandbelt@zmartzone.eu

Disclaimer

See the DISCLAIMER file in this directory. For commercial support you can contact ZmartZone IAM as described above.


This work is supported by the National Institutes of Health's National Center for Advancing Translational Sciences, Grant Number U24TR002306. This work is solely the responsibility of the creators and does not necessarily represent the official views of the National Institutes of Health.