lua-resty-xacml-pep is a library for NGINX implementing the XACML Policy Enforcement Point functionality using the REST and JSON Profiles of XACML 3.0.
It can be used as a reverse proxy authorizing incoming requests in front of an origin server so that the origin server/services can be protected with the XACML Attribute Based Access Control (ABAC) without implementing XACML on the server or in the application itself.
lua-resty-xacml-pep depends on the following packages:
The dependencies above come automatically with OpenResty. You will need to install one extra pure-Lua dependency that implements HTTP client functions:
Copy xacml_pep.lua somewhere in your lua_package_path under a directory named resty. If you are using OpenResty, the default location would be /usr/local/openresty/lualib/resty.
For generic questions, see the Wiki pages with Frequently Asked Questions at:
https://github.com/zmartzone/lua-resty-xacml-pep/wiki
Any questions or issues should go to the issue tracker.
For commercial Support contracts, Professional Services, Training and use-case specific support you can contact:
sales@zmartzone.eu
events {
  worker_connections 128;
}

http {
  lua_package_path '~/lua/?.lua;;';
  resolver 8.8.8.8;
  lua_ssl_trusted_certificate /opt/local/etc/openssl/cert.pem;
  lua_ssl_verify_depth 5;
  # cache for PDP decisions
  lua_shared_dict decision 1m;

  server {
    listen 8080;

    location / {
      access_by_lua '
        -- PDP configuration
        local opts = {
          pdp_endpoint="https://localhost:8643/asm-pdp/authorize",
          pdp_user="pdp-user",
          pdp_passwd="my_secret",
          -- "no" skips TLS certificate verification of the PDP endpoint;
          -- keep this for local testing only and use "yes" together with
          -- lua_ssl_trusted_certificate above in production
          ssl_verify = "no",
        }
        -- typically you'd get the input parameters to the PDP call
        -- from the current context, such as the authenticated "subject",
        -- the "action" and the current "resource" that is being accessed
        local res, err = require("resty.xacml_pep").pdp_decision(opts, "hans", "GET", "https://www.example.com")
        if err then
          -- err describes why the PDP did not permit the request; in
          -- production prefer logging it over returning it to the client
          ngx.status = 403
          ngx.say(err)
          ngx.exit(ngx.HTTP_FORBIDDEN)
        end
        -- at this point the user is authorized and content can be served, e.g.:
        local cjson = require "cjson"
        ngx.header.content_type = "text/json"
        ngx.say(cjson.encode(res))
        ngx.exit(ngx.OK)
      ';
    }
  }
}
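To make explicit what the access_by_lua block above delegates to the library, the following is an added stand-alone model of the PEP logic in Python. It is not the library's code and not part of this README: it builds an XACML 3.0 JSON Profile request for the (subject, action, resource) triple, sends it through an injected transport (the PDP is simulated inline with a constructed rule that permits only one combination), parses the Response, fails closed on anything other than an explicit Permit (including malformed responses and transport errors), and caches Permit/Deny answers for a time-to-live, mirroring the lua_shared_dict decision cache. The attribute identifiers are the standard XACML ones; that lua-resty-xacml-pep sends exactly this request shape and caches exactly this way is an assumption.

```python
import json
import time

# Standard XACML 3.0 attribute identifiers (XACML core specification)
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"


def build_request(subject, action, resource):
    """Build a JSON Profile of XACML 3.0 request body for one decision.
    Assumption: this is the shape the Lua PEP sends; the library's own
    marshalling is not reproduced here."""
    return json.dumps({
        "Request": {
            "AccessSubject": {"Attribute": [{"AttributeId": SUBJECT_ID, "Value": subject}]},
            "Action": {"Attribute": [{"AttributeId": ACTION_ID, "Value": action}]},
            "Resource": {"Attribute": [{"AttributeId": RESOURCE_ID, "Value": resource}]},
        }
    })


def parse_decision(body):
    """Extract the Decision of the first Result from a JSON Profile response.
    Any malformed or empty response is reported as Indeterminate so that the
    caller fails closed."""
    try:
        decision = json.loads(body)["Response"][0]["Decision"]
    except (ValueError, KeyError, IndexError, TypeError):
        return "Indeterminate"
    if decision in ("Permit", "Deny", "NotApplicable", "Indeterminate"):
        return decision
    return "Indeterminate"


class DecisionCache:
    """Model of the 'lua_shared_dict decision' cache: one entry per
    (subject, action, resource) triple with a time-to-live in seconds."""

    def __init__(self, ttl_seconds, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock      # injectable so expiry can be tested offline
        self.entries = {}

    def get(self, key):
        hit = self.entries.get(key)
        if hit is None:
            return None
        decision, expires = hit
        if self.clock() >= expires:
            del self.entries[key]
            return None
        return decision

    def put(self, key, decision):
        self.entries[key] = (decision, self.clock() + self.ttl)


def pdp_decision(post, cache, subject, action, resource):
    """Return (allowed, decision). `post` is a transport callable that takes
    the request body and returns the PDP's response body; it stands in for
    the HTTPS call to pdp_endpoint. Only an explicit Permit is allowed."""
    key = (subject, action, resource)
    decision = cache.get(key)
    if decision is None:
        try:
            decision = parse_decision(post(build_request(subject, action, resource)))
        except Exception:
            decision = "Indeterminate"   # PDP unreachable: fail closed
        # Design choice: cache only definitive answers so a transient
        # Indeterminate is retried on the next request
        if decision in ("Permit", "Deny"):
            cache.put(key, decision)
    return decision == "Permit", decision


def fake_pdp(request_body):
    """Constructed stand-in for the PDP: permits exactly one combination.
    A real PDP would evaluate its policy set here."""
    req = json.loads(request_body)["Request"]
    triple = (req["AccessSubject"]["Attribute"][0]["Value"],
              req["Action"]["Attribute"][0]["Value"],
              req["Resource"]["Attribute"][0]["Value"])
    permit = triple == ("hans", "GET", "https://www.example.com")
    return json.dumps({"Response": [{"Decision": "Permit" if permit else "Deny"}]})


if __name__ == "__main__":
    cache = DecisionCache(ttl_seconds=60)
    print(pdp_decision(fake_pdp, cache, "hans", "GET", "https://www.example.com"))
    print(pdp_decision(fake_pdp, cache, "hans", "DELETE", "https://www.example.com"))
```

The two points worth carrying over to the NGINX configuration are that the transport is what ssl_verify governs (the model treats a failed or tampered transport as Indeterminate, which is only meaningful if the TLS connection to the PDP is actually verified) and that the cache key is the full (subject, action, resource) triple, so a Permit for one resource never leaks to another.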
This software is open sourced by ZmartZone IAM. For commercial support you can contact ZmartZone IAM as described above in the Support section.