Replies: 3 comments
-
Hi Team, this is just a gentle reminder. Are there any suggestions for the same query?
-
From the Device level, it depends on the Device protocol. Some protocols don't support any security, such as Modbus, and some protocols define their own security mechanism, such as OPC-UA.
-
If you are thinking of something like cloud multitenancy, that is a big project and there is no built-in support for it today. If it's OK for other users to know of the existence of a device and its resources, then you could limit at the API gateway level by URL path, only allowing a user access to the paths corresponding to their own devices, blocking the /all URLs that return lists of devices/events/etc. Allowing discovering devices is trickier; you'd probably need to maintain a set of labels, then allow users to query by label for their label. Anything finer-grained, or hiding the existence of devices from some users, requires the services to know what user is asking and the mapping of which objects which users are allowed to access. Or front-ending the services with other services that know this and can "redact" requests and responses. Either of those is a big project.
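The gateway-level path restriction described in the reply above, sketched as a default-deny decision function (an added example, not part of the thread and not EdgeX code). The user-to-device map, the user and device names, and the route patterns are assumptions for illustration; the user is assumed to be the JWT subject the gateway has already verified.

```python
import re
from urllib.parse import unquote

# Assumed mapping from the gateway-verified JWT subject to that user's devices
# (user and device names are constructed for this example).
USER_DEVICES = {"alice": {"pump-01"}, "bob": {"valve-07", "valve-08"}}

# Assumed per-device routes as seen at the gateway; adjust to your deployment.
_NAME = r"(?P<device>[A-Za-z0-9_-]+)"
DEVICE_ROUTES = [
    re.compile(r"/core-data/api/v2/event/device/name/" + _NAME),
    re.compile(r"/core-data/api/v2/reading/device/name/" + _NAME),
    re.compile(r"/core-metadata/api/v2/device/name/" + _NAME),
]


def is_allowed(user: str, raw_path: str) -> bool:
    """Default-deny decision for one request path (query string removed)."""
    path = unquote(raw_path)
    # A '%' left after one decode means double encoding; refuse rather than
    # guess how the backend service will interpret it.
    if "%" in path:
        return False
    # Empty, '.' and '..' segments could make the backend resolve a different
    # route than the one checked here.
    if any(seg in ("", ".", "..") for seg in path.split("/")[1:]):
        return False
    for route in DEVICE_ROUTES:
        # fullmatch: no suffix or trailing-newline slack after the device name.
        match = route.fullmatch(path)
        if match:
            return match.group("device") in USER_DEVICES.get(user, set())
    # Everything else, including the /all listing routes, is blocked.
    return False
```
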
-
As per the EdgeX documentation, different microservices can be accessed in a secured way by generating a JWT and calling the APIs with the generated JWT token passed in the header.
As per my knowledge, a single JWT token is valid to access any API of any EdgeX microservice.
My query:
My requirement is to generate different JWT tokens to access device data through EdgeX APIs. For each device, I want to create a dedicated user who can access only the data of the assigned device.
Is it possible in EdgeX? Or does EdgeX support per-device authorization policies to ensure zero data leak tolerance?
Thanks