Implement RBAC-based authorization for Submodel Service#682

Merged
aaronzi merged 11 commits into eclipse-basyx:main from geso02:sm-service-role-based-access
Apr 8, 2025

Conversation

@geso02
Contributor

@geso02 geso02 commented Mar 26, 2025

🔐 Implement RBAC-based Authorization for Submodel Service
This pull request introduces rule-based authorization for the Submodel Service, addressing Issue #505.

✅ Summary
The implementation follows the general RBAC mechanism already used in the BaSyx stack and adapts it to the specifics of the Submodel Service. The logic is based on a configurable rbac_rule expression and leverages Spring Security to enforce access control.

⚙️ Key Considerations
Unlike the Submodel Repository, which allows broader update operations on submodels, the Submodel Service acts as a host for a single submodel. Therefore, this implementation focuses on fine-grained authorization on individual submodel elements, especially operations.

Treating submodel element invocations as part of a larger updateSubmodel() would have simplified the model, but at the cost of granularity. Preserving this granularity was seen as essential in the context of a dedicated submodel host.

This design decision is further discussed in Issue #674.

🔧 What's Included
- basyx.submodelservice-feature-authorization: New feature module enabling RBAC-based access control
- Integration of Spring Security into the Submodel Service runtime
- Support for fine-grained access evaluation on submodel elements (e.g., invoking specific operations)
- Configurable rbac_rule expressions for role-based access decisions
- Integration test suite covering multiple authorization scenarios
- Refactoring: Shared classes previously located in the Submodel Repository have been moved into the Submodel Service package structure, where they are more appropriately maintained and reused

🧪 Testing
A test script (run-security-test.sh) has been added to the example project. It demonstrates how to:

- Obtain an access token from Keycloak (using client credentials flow)
- Call operations that are permitted or denied, depending on the current token
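The granularity argument above (per-element rules on a single-submodel host rather than one coarse update permission) can be illustrated with a small default-deny rule evaluator. This is an added example written for this page, not code from the BaSyx project or from this pull request; the rule shape (role, allowed actions, submodel id, idShort-path patterns), the submodel id and the idShort paths are constructed assumptions, and the token is represented only by a constructed claims dictionary in Keycloak's `realm_access.roles` layout rather than a real JWT.

```python
"""Constructed model of per-element RBAC evaluation for a single-submodel host.

Assumed rule shape (not the BaSyx rbac_rule format): each rule grants a set of
actions to one role on a submodel id and a list of idShort-path patterns.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, FrozenSet, Iterable, Set, Tuple

# Constructed identifiers; any resemblance to a real submodel is accidental.
SM_ID = "https://example.com/ids/sm/hypothetical-machine"


@dataclass(frozen=True)
class RbacRule:
    role: str
    actions: FrozenSet[str]          # e.g. {"READ", "EXECUTE"}
    submodel_id: str                 # exact id, or "*" for any submodel
    element_paths: Tuple[str, ...]   # glob patterns over idShort paths, "*" for all


def _matches(pattern: str, value: str) -> bool:
    """'*' is a wildcard; otherwise glob-match the idShort path (case-sensitive)."""
    return pattern == "*" or fnmatchcase(value, pattern)


def roles_from_claims(claims: Dict) -> Set[str]:
    """Extract realm roles from decoded token claims (Keycloak puts them under realm_access.roles).
    Signature verification is assumed to have happened before this point."""
    return set(claims.get("realm_access", {}).get("roles", []))


def is_allowed(rules: Iterable[RbacRule], roles: Set[str], action: str,
               submodel_id: str, element_path: str) -> bool:
    """Default deny: grant only if some rule for one of the caller's roles covers
    the action, the submodel and the addressed element path."""
    for rule in rules:
        if rule.role not in roles or action not in rule.actions:
            continue
        if not _matches(rule.submodel_id, submodel_id):
            continue
        if any(_matches(p, element_path) for p in rule.element_paths):
            return True
    return False


def decide_invoke(rules: Iterable[RbacRule], claims: Dict, element_path: str,
                  submodel_id: str = SM_ID) -> int:
    """HTTP-style outcome for invoking an operation element: 200 if permitted, 403 otherwise."""
    roles = roles_from_claims(claims)
    return 200 if is_allowed(rules, roles, "EXECUTE", submodel_id, element_path) else 403


def coarse_decide_invoke(rules: Iterable[RbacRule], claims: Dict, submodel_id: str = SM_ID) -> int:
    """What a coarse 'UPDATE on the whole submodel' model would yield: the element path
    is ignored, so a role either invokes every operation or none."""
    roles = roles_from_claims(claims)
    return 200 if is_allowed(rules, roles, "UPDATE", submodel_id, "*") else 403


# Constructed rule set: admin may do anything, operator may run exactly one
# operation on this submodel, viewer may only read.
RULES = (
    RbacRule("admin", frozenset({"READ", "WRITE", "EXECUTE", "UPDATE"}), "*", ("*",)),
    RbacRule("operator", frozenset({"READ", "EXECUTE"}), SM_ID, ("Operations.StartMachine",)),
    RbacRule("viewer", frozenset({"READ"}), "*", ("*",)),
)

# Constructed claim sets standing in for decoded Keycloak access tokens.
OPERATOR_CLAIMS = {"realm_access": {"roles": ["operator"]}}
VIEWER_CLAIMS = {"realm_access": {"roles": ["viewer"]}}
ADMIN_CLAIMS = {"realm_access": {"roles": ["admin"]}}

if __name__ == "__main__":
    for who, claims in (("operator", OPERATOR_CLAIMS), ("viewer", VIEWER_CLAIMS), ("admin", ADMIN_CLAIMS)):
        for op in ("Operations.StartMachine", "Operations.Shutdown"):
            print(who, op, decide_invoke(RULES, claims, op))
```

The fine-grained evaluator lets the operator role invoke `Operations.StartMachine` while still refusing `Operations.Shutdown`; the coarse variant cannot express that distinction, which is the trade-off the description refers to. Roles are taken from already-verified claims, so the evaluator never has to parse or trust a raw token string.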

geso02 added 3 commits March 26, 2025 10:01
This commit introduces support for rule-based (RBAC) authorization in the Submodel Service component, following the mechanism used in other parts of the BaSyx stack.

Key aspects:
- New module: basyx.submodelservice-feature-authorization
- Integration of Spring Security to evaluate access control using rbac_rule expressions
- Fine-grained access evaluation per submodel element (e.g., operations)
- Shared classes moved from Submodel Repository to Submodel Service for better reuse and separation
- Integration tests added to validate authorization behavior
- Example script (run-security-test.sh) included to demonstrate secured API usage with Keycloak

See also:
- Issue eclipse-basyx#505
- Design considerations in Issue eclipse-basyx#674
Contributor Author

@geso02 geso02 left a comment


Update copyright year

@aaronzi aaronzi merged commit 1737a3f into eclipse-basyx:main Apr 8, 2025
28 checks passed
@geso02 geso02 deleted the sm-service-role-based-access branch May 6, 2025 06:00