You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/extensions/DataModel-Projects.md
+19-3Lines changed: 19 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -60,6 +60,9 @@ This means they can not read entities that are not related to any projects.
60
60
**Things**, **Locations**, **Sensors** and **FeaturesOfInterest** link directly to one or more Projects.
61
61
**Datastreams** link to Projects through their Thing.
62
62
**Observations** link to Projects through their Datastream.
63
+
When using the default access rules, users can only see entities that are linked to a Project that is 'public', or to a Project that they themselves are linked to.
64
+
If an entity is linked to multiple Projects, only one of those Projects needs to be 'public' for the entity to be visible to non-project users.
65
+
Entities that are not linked any projects are not visible to users that do not have global `read` rights.
63
66
64
67
**Things**, **Locations**, **Datastreams** and **FeaturesOfInterest** can be restricted.
65
68
This means that even if they are associated with a public project, they can still only be read by users associated to that project.
@@ -82,19 +85,32 @@ FROST-Server comes with following two out of the box: Basic Auth and KeyCloak Au
82
85
83
86
### Basic Auth
84
87
85
-
When using [Basic Authentication](https://fraunhoferiosb.github.io/FROST-Server/settings/auth.html#settings-for-the-auth-provider-class-basicauthprovider) the user/password table and the role mapping of users to roles are maintained in the SensorThings database.
88
+
When using [Basic Authentication](../settings/auth.html#settings-for-the-auth-provider-class-basicauthprovider) the user/password table and the role mapping of users to roles are maintained in the SensorThings database.
86
89
The Users and Roles tables are exposed through the API, and users can change their password using the API.
87
90
Global admins can create users, links users to roles and to projects.
88
91
Project admins can link users to projects.
89
92
90
93
91
94
### KeyCloak Auth
92
95
93
-
When using [KeyCloak Authentication](https://fraunhoferiosb.github.io/FROST-Server/settings/auth.html#settings-for-the-auth-provider-class-keycloakauthprovider) the contents of the user and roles tables are automatically filled from the data supplied by KeyCloak.
96
+
When using [KeyCloak Authentication](../settings/auth.html#settings-for-the-auth-provider-class-keycloakauthprovider) the contents of the user and roles tables are automatically filled from the data supplied by KeyCloak.
94
97
95
98
The links between Projects and Users/Roles can also be decoded from the KeyCloak data, by using a userRoleDecoder. The ProjectRoleDecoder takes the list of roles (strings) that KeyCloak provides, uses a regular expression to extract a project name and a role name from each string, and creates a UserProjectRole for the user for each of these.
96
99
97
100
101
+
## MQTT
102
+
103
+
Using MQTT a client can subscribe to almost any URL in the SensorThings API, and received notifications when something changes for that URL.
104
+
Access rights in the MQTT protocol are checked when a user makes a subscription to a topic, and not when a message arrives on a topic.
105
+
This means that, when combining MQTT with fine-grained authorisation, a user must only be allowed to make subscriptions on topics for which this user is allowed to see _all_ messages.
106
+
107
+
A subscription on the topic `v1.1/Observations` must thus not be allowed, since that would allow the user to receive all Observations that are added to the server, even those in Datastreams he is not allowed to see.
108
+
109
+
In most cases, it is enough to restrict all upper-level topics, and only allow subscriptions to relative topics such as `v1.1/Datastreams(5)/Observations`.
110
+
These restrictions can be made using the option `auth.mqtt.topicAllowList`.
111
+
The suggested value for this option is: `^/[a-zA-Z0-9_-]+\((('[^']+')|([0-9]+))\)/[a-zA-Z0-9_-]+$`.
112
+
113
+
98
114
## Data Model
99
115
100
116
The image below shows the core STA data model in blue, with the security extension in yellow.
@@ -104,7 +120,7 @@ The image below shows the core STA data model in blue, with the security extensi
104
120
105
121
## Example Data
106
122
107
-
An example JSON-Batch document is [available](https://github.com/hylkevds/FROST-Server.Plugin.Projects/blob/main/scripts/dataBatchPost.json).
123
+
An example JSON-Batch document is [available](projectsBatchPost.json).
108
124
When posting this Batch to v1.1/$batch it will create several Projects, User, Roles and STA entities linked to the Projects.
0 commit comments