This is the Ocean role-based access control (RBAC) server. The RBAC server is used to implement fine-grained permissions on browsing, consumer and publishing data assets. The permissions are controlled precisely at two levels:
- Marketplace-level permissions for browsing, consuming or publishing within a marketplace frontend. The RBAC checks the user's role and restricts their ability to interact with the market based on the abilities associated with that role.
- Asset-level permissions on consuming a specific asset. This is supported through allow and deny lists. In addition to checking the role, the RBAC server also requests the DDO from aquarius and checks if the user's profile is in either the allow or deny list. This check only takes place on requests with the
"eventType"= "consume".
User profiles and roles can be stored in Keycloak or in json. The functionality has also been designed so that it is easy to expand to use other identity management services.
In order to start user the RBAC server:
- Clone this repository:
git clone https://github.com/oceanprotocol/RBAC-Server.git
cd RBAC-Server- Install the dependancies:
npm install- Build the service
npm run build- Start the server
npm run start- Replace the KEYCLOAK_URL in the Dockerfile with the correct URL for your hosting of keycloak.
- Run the following command to build the RBAC service in a Docker container:
npm run build:docker- Next, run the following command to start running the RBAC service in the Docker container:
npm run start:docker- Now you are ready to send requests to the RBAC server via postman. Make sure to replace the URL to
http://localhost:49160in your requests.
- KEYCLOAK_URL = [Optional] URL for requesting user roles with a JWT login token
- KEYCLOAK_ADDRESS_URL = [Optional] URL for requesting user roles with an Ethereum address
- KEYCLOAK_PROFILE_URL = [Optional] URL for requesting user profiles with an Ethereum address
- DEFAULT_AUTH_SERVICE = [Required] Either "json" or "keycloak". This will determin where the RBAC server looks for the roles and profiles.
- JSON_DATA = [Optional] json of user roles. This is required for deployment to Barge.
- JSON_PROFILE_DATA = [Optional] json of user profiles. This is required for deployment to Barge.
- METADATACACHE_URI = [Required] URI of Aquarius instance.
You can change the default auth service in the .env file e.g. DEFAULT_AUTH_SERVICE = "keycloak". This is the auth service that will be used if no authService is defined within the request.
- Download and install Postman
- Start the RBAC server either locally or in a docker container (see instructions above).
- Now send a
POSTrequest to the RBAC URL, if you are running it locally the address will behttp://localhost:3000.
The body of the request should be in the following format:
{
"eventType": "publish",
"component": "market" ,
"credentials": {
"type": "address",
"value": "0xETHEURM_ADRESS"
}
}If the eventType is "consume" the request format must include the did of the asset. This is because the DDO needs to be requested and checked for an allow or deny list. For example:
{
"eventType": "consume",
"component": "market" ,
"did": "did:op:e0089c4BAC163b571649f6AC4614580f968A2294",
"credentials": {
"type": "address",
"value": "0xETHEURM_ADRESS"
}
}Code style is automatically enforced through ESLint & Prettier rules:
- Git pre-commit hook runs
prettieron staged files, setup with Husky - VS Code suggested extensions and settings for auto-formatting on file save
For running linting and auto-formatting manually, you can use from the root of the project:
# linting check, also runs Typescript typings check
npm run lint
# auto format all files in the project with prettier, taking all configs into account
npm run format