Authorisation

System Design Description Overview

This System has:

  • A database that describes which Application System can consume what Services from which Application Systems (Intra-Cloud access rules)
  • A database that describes which other Local Clouds are allowed to consume what Services from this Cloud (Inter-Cloud authorization rules)

The purpose of this System is therefore to:

  • Provide AuthorizationControl Service (both intra- and inter-Cloud)
  • Provide a TokenGeneration Service for allowing session control within the Local Cloud

The purpose of the TokenGeneration functionality is to provide session control across the Core Systems. Its output is a JSON Web Token that validates the Service Consumer system when it tries to access the Service from another Application System (the Service Provider). This Token is primarily generated during the orchestration process and is released to the Service Consumer only after all affected Core Systems have been notified and have agreed to the Service connection about to be established.

This System, in line with all Core Systems, relies on the X.509 certificate Common Name naming convention in order to work.
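The token flow above, as an added example that is not code from the page or from the system it describes: the orchestration side mints a JWT that binds the consumer's Common Name to one provider and one service, and the provider side verifies it before serving the request. The page only says the token is a JWT; the HS256 algorithm, the shared key, the claim names (`sub`, `aud`, `sd`) and the Common Names used are assumptions constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: an HS256 key shared between the Authorization System and the provider.
# Constructed for this example; it is not the framework's key material or algorithm.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()


def generate_token(consumer_cn, provider_cn, service_definition,
                   ttl_seconds=300, now=None, key=SHARED_KEY):
    """Orchestration-side minting: bind the consumer CN to one provider and one service."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": "authorization",
        "sub": consumer_cn,          # Service Consumer (X.509 Common Name)
        "aud": provider_cn,          # Service Provider the token is valid for
        "sd": service_definition,    # service the consumer may call
        "iat": now,
        "exp": now + ttl_seconds,
    }
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    return signing_input + "." + _b64url(_sign(signing_input, key))


def verify_token(token, presenting_cn, provider_cn, service_definition,
                 now=None, key=SHARED_KEY):
    """Provider-side check. Returns (accepted, reason); a parse error is never accepted."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        presented_sig = _b64url_decode(sig_b64)
    except ValueError:
        return False, "malformed"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False, "malformed"
    # Pin the algorithm: the verifier decides how to check, not the token.
    if header.get("alg") != "HS256":
        return False, "unsupported alg"
    expected = _sign(header_b64 + "." + payload_b64, key)
    if not hmac.compare_digest(expected, presented_sig):
        return False, "bad signature"
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        return False, "expired"
    # The token must match the system presenting it, this provider, and this service.
    if payload.get("sub") != presenting_cn:
        return False, "consumer mismatch"
    if payload.get("aud") != provider_cn:
        return False, "provider mismatch"
    if payload.get("sd") != service_definition:
        return False, "service mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed Common Names; the real naming convention is not spelled out here.
    consumer = "consumer1.testcloud.example"
    provider = "provider1.testcloud.example"
    token = generate_token(consumer, provider, "temperature", ttl_seconds=60)
    print(verify_token(token, consumer, provider, "temperature"))
```

The provider checks the signature before reading any claim, pins the algorithm so a token cannot choose its own verification method, and only then compares subject, audience and service against the connection it is actually being asked to serve; a token minted for one provider or one service is rejected by any other.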

Services and Use Cases

This System only provides two Core Services:

  • AuthorizationControl
  • TokenGeneration

There are two use cases connected to the Authorization System:

  • Check access rights (invoke the AuthorizationControl)
  • Generate an access token (the Orchestrator invokes the TokenGeneration)

Figure 1. Authorization crosscheck during orchestration process

Service Description Overview

The AuthorizationControl Service provides two different interfaces to look up authorization rights:

  • Intra-Cloud authorization: defines an authorization right between a consumer and provider system in the same Local Cloud for a specific Service.
  • Inter-Cloud authorization: defines an authorization right for an external Cloud to consume a specific Service from the Local Cloud.
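The two rule databases and the orchestration crosscheck of Figure 1, as an added example that is not the page's or the system's own code: a default-deny in-memory store with one table of intra-Cloud rules (consumer system, provider system, service) and one of inter-Cloud rules (external cloud, service), plus the filter the orchestration step applies to candidate providers. Case-insensitive name matching and the system, cloud and service names are assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IntraCloudRule:
    """Consumer system may consume service_definition from provider system in the same Local Cloud."""
    consumer: str
    provider: str
    service_definition: str


@dataclass(frozen=True)
class InterCloudRule:
    """External cloud may consume service_definition from this Local Cloud."""
    cloud: str
    service_definition: str


class AuthorizationStore:
    """In-memory stand-in for the two rule databases; anything not listed is denied."""

    def __init__(self):
        self._intra = set()
        self._inter = set()

    @staticmethod
    def _norm(name: str) -> str:
        # Assumption: system CNs, cloud names and service definitions compare case-insensitively.
        return name.strip().lower()

    def add_intra_rule(self, consumer, provider, service_definition):
        self._intra.add(IntraCloudRule(self._norm(consumer), self._norm(provider),
                                       self._norm(service_definition)))

    def add_inter_rule(self, cloud, service_definition):
        self._inter.add(InterCloudRule(self._norm(cloud), self._norm(service_definition)))

    def is_intra_authorized(self, consumer, provider, service_definition) -> bool:
        """Intra-Cloud lookup: exact match on the (consumer, provider, service) triple."""
        rule = IntraCloudRule(self._norm(consumer), self._norm(provider),
                              self._norm(service_definition))
        return rule in self._intra

    def is_inter_authorized(self, cloud, service_definition) -> bool:
        """Inter-Cloud lookup: the external cloud itself is the subject, not one of its systems."""
        return InterCloudRule(self._norm(cloud), self._norm(service_definition)) in self._inter

    def authorized_providers(self, consumer, service_definition, candidates):
        """Orchestration crosscheck: keep only the candidate providers this consumer may use."""
        return [p for p in candidates
                if self.is_intra_authorized(consumer, p, service_definition)]


def build_demo_store() -> AuthorizationStore:
    """Constructed sample rules, not a real deployment's database contents."""
    store = AuthorizationStore()
    store.add_intra_rule("consumer1.testcloud.example", "provider1.testcloud.example", "temperature")
    store.add_inter_rule("othercloud", "temperature")
    return store


if __name__ == "__main__":
    store = build_demo_store()
    candidates = ["provider1.testcloud.example", "provider2.testcloud.example"]
    print(store.authorized_providers("consumer1.testcloud.example", "temperature", candidates))
```

Because the two tables are separate, a rule that lets a system inside the Local Cloud consume a service says nothing about an external cloud, and vice versa; the store answers each interface from its own table only.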

Endpoints
