Hi Devs, I want to make folks aware of a change to the /acl2 Resource from v1.3 to v2.0 that is important to understand.
Some background: the /acl2 Resource's Access Control Entry (ACE) object has a Property "resources", which is the Resource(s) to which the entry is granting access. In OCF v1.3 there were 3 different wildcards available, so that "resources" could match multiple Resources. An example would be the value "*", which matched ALL Resources on the Device. In OCF v2.0 (formerly codenamed Bangkok), we've updated this value to be more restrictive, but also much more useable, so that now the wildcards for "resources" are as follows (excerpted from Security Spec draft): "+" Shall match all Discoverable Non-Configuration Resources (NCRs - see below) which expose at least one Secure Endpoint. "-" Shall match all Discoverable Non-Configuration Resources which expose at least one Unsecure Endpoint. "*" Shall match all Non-Configuration Resources. Note that "NCRs" are the set of all application/vertical Resources, plus a few others (see below for details)... basically they're the Device's "normal" Resources that aren't part of Device discovery and/or configuration. This change has two main impacts: 1. Devices that formerly used "*" to grant access to all Resources including the SVRs will now need to use explicit (non-wildcard) "resources" entries to intentionally grant access to those Resources. a. For example to grant access to /csr for the OBT, the ACE would need to use "href": "/oic/sec/csr", instead of counting on "*" to grant access 2. A much more intuitive application Resource experience can be had by adding two entries to a Device's /acl2: a. An ACE granting "anon-clear" access (e.g. R-only) to "-" b. An ACE granting "auth-crypt" access (e.g. RW) to "+" To explain further item 2.: With ACE a. in the /acl2 Resource, any discoverable NCR Resource created with "OC_NONSECURE" (that is, exposing a CoAP endpoint) will automatically be accessible to any Client connecting over CoAP, without having to change /acl2 at all when a new Resource is added. Likewise with ACE b. installed, any discoverable NCR Resource created with "OC_SECURE" (i.e. exposing a CoAPS endpoint) will automatically be accessible to ay Client connecting over CoAPS (in other words, if the Client can authenticate with the Server, then the Client has access to all "OC_SECURE" NCRs). This should be a big help for those wishing to simply use a "canned" /acl2 config and not have to modify the /acl2 in order to get intuitive access to their Device's vertical Resources. A good working example can be seen in "resource/examples/ocf_light/dl_server_security.json", with very helpful comments on the *.in version of the above .json file. Please let me know if you have any questions; happy to answer. Thanks, Nathan -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#9691): https://lists.iotivity.org/g/iotivity-dev/message/9691 Mute This Topic: https://lists.iotivity.org/mt/21807768/21656 Group Owner: iotivity-dev+ow...@lists.iotivity.org Leave: https://lists.iotivity.org/g/iotivity-dev/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
