# Proxy Classification Filtering

These procedures test classification filtering through the DF proxy. A test user is created in Keycloak with no classification attributes, then granted `UNCLASSIFIED` and finally `SECRET` access, and after each change two proxied data sources backed by mock data are called to verify that the responses are redacted as expected.
## Setup

To set up for the test, we will:

- create a test user in a test group, both of which can be deleted after the test
- configure the proxy to target mock data
### Create Test User

For this test we will use a test user `classtest-user` belonging to a test group `classtest`.
#### Login to Keycloak

- Open a browser to DF's Keycloak at `https://localhost/auth`.
- Click the Administration Console link.
- Login as the `admin` user (or any other user with admin privileges).
- In the top left dropdown, select the `data-fabric` realm (not the `master` realm).
#### Create Test Group

- In Keycloak, from the left nav menu select Groups.
- Click the "Create group" button.
- Input `classtest` for the group name.
- Click the "Create" button.
#### Create Test User

- From the left nav menu, select Users.
- Click the "Add user" button.
- Input `classtest-user` for the username.
- Click the "Join Groups" button.
- In the popup, check the box for the `classtest` group.
- Click the "Join" button.
- Back at the create user page for `classtest-user`, click the "Create" button.
- Now on the user details page for `classtest-user`, select the Credentials tab.
- Click the "Set password" button.
- Input `test` for the password and confirmation.
- Toggle the Temporary switch to `Off` (a temporary password forces a reset at first login, which would make the basic-auth calls below fail).
- Click the "Save" button.
- Click the "Save password" confirmation button.
### Enable Proxies with Mock Data

- Open a browser to `https://localhost`.
- Login as:
  - Username: `classtest-user`
  - Password: `test`
- In the Group access selection (top right corner), select `classtest`.
- In the catalog card view, find and enable the following data sources. The mock back ends do not check these credentials, so `ignored` is entered as a placeholder:
  - Unified Data Library
    - Username: `ignored`
    - Password: `ignored`
  - Palantir
    - Client ID: `ignored`
    - Client Secret: `ignored`
## Tests

### Login to DF Swagger

- In DF, open Swagger from the left nav menu by expanding APIs and selecting Swagger.
- On the right of the page, click the "Authorize" button.
- Click the "Logout" button for any/all currently enabled authorization schemes. This clears cached credentials so the tests run as `classtest-user` and not as whoever was authorized before.
- Under `df_basic`, enter the following:
  - Username: `classtest-user`
  - Password: `test`
- Click the "Authorize" button for `df_basic`.
- Click any of the "Close" buttons to dismiss the authorization popup.
- Test the credentials for `classtest-user` by scrolling down to the testing section and expanding the `GET /test/auth` endpoint row.
- Click the "Try it out" button in the upper right of the expanded section.
- Click the "Execute" button.
- Verify you get a good `200` response, which should contain the `"principal"` identifier for the user:

  ```json
  { "principal": "{the-uuid-of-user}" }
  ```
### Test No Access

Initially, `classtest-user` has no classification attributes in Keycloak. Therefore, every response carrying classification markings is fully redacted.
#### UDL

- From the home Swagger page, under the list of "Proxied Services" click the link for UDL (`/api/proxy/udl`).
- Scroll down to the Track section and expand the row for `GET /udl/track`.
- Click the "Try it out" button in the upper right of the expanded section.
- Input the following Parameters values:
  - ts: `2024-01-01T00:00:00.000Z`
- Click the "Execute" button.
- Verify you get back a good `200` response, and that the response payload has been completely redacted by returning an empty JSON list:

  ```json
  []
  ```
#### Palantir

- From the home Swagger page, under the list of "Proxied Services" click the link for Palantir (`/api/proxy/palantir`).
- Scroll down to the Object section and expand the row for `GET /api/v1/ontologies/{ontologyRid}/objects/{objectType}`.
- Click the "Try it out" button in the upper right of the expanded section.
- Input the following Parameters values:
  - ontologyRid: `some.ontology.rid`
  - objectType: `iir`
- Click the "Execute" button.
- Verify you get back a good `200` response, and that the response payload has been completely redacted by returning an empty `data` list. Note that `totalCount` still reports the upstream count: the number of withheld objects remains visible even though their contents do not.

  ```json
  { "data": [], "totalCount": 50 }
  ```
### Test UNCLASSIFIED Access

In this test we will add the necessary attributes in Keycloak to authorize data at the `UNCLASSIFIED` level for the `classtest-user` user.

- Log back in to Keycloak again as an `admin` user (same as before).
- From the left nav menu, select Users.
- Click the link for `classtest-user` to view user details.
- Now on the user details page for `classtest-user`, select the Attributes tab.
- Click the "Add an attribute" button link three times to create three new (empty) key/value rows.
- Input the following attributes in the three rows:

  | Key              | Value        |
  |------------------|--------------|
  | `country`        | USA          |
  | `citizenship`    | Y            |
  | `classification` | UNCLASSIFIED |

- Click the "Save" button.
#### UDL

- Repeat the steps above to invoke UDL.
- Verify you get back a good `200` response, and that the response payload contains only unclassified (`U`) tracks.

#### Palantir

- Repeat the steps above to invoke Palantir.
- Verify you get back a good `200` response, and that the response payload contains only unclassified (`U`) IIRs.
### Test SECRET Access

⚠️ This test can only be performed when SDL is operating under the `SECRET` classification level (or above). All data and markings are mocked for demonstration purposes only.

In this test we will add the necessary attributes in Keycloak to authorize data at the `SECRET` level for the `classtest-user` user.

- Log back in to Keycloak again as an `admin` user (same as before).
- From the left nav menu, select Users.
- Click the link for `classtest-user` to view user details.
- Now on the user details page for `classtest-user`, select the Attributes tab.
- Modify the following attribute value (leave `country` and `citizenship` as they are):

  | Key              | Value  |
  |------------------|--------|
  | `classification` | SECRET |

- Click the "Save" button.
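The Keycloak steps in this procedure (create the `classtest` group and `classtest-user`, set a non-temporary password, add the `UNCLASSIFIED` attributes, then change `classification` to `SECRET`) can be scripted against the Keycloak Admin REST API so the test is repeatable. The following is an added example, not the project's own tooling. It assumes, beyond what this page states, that the `admin` user lives in Keycloak's `master` realm and authenticates through the built-in `admin-cli` client, and that the Admin REST paths are the standard ones under `https://localhost/auth/admin/realms/data-fabric`. The `dry_run` function shows the exact calls without sending them.

```python
"""Provision classtest / classtest-user through the Keycloak Admin REST API.

Added example, not the project's own tooling. Assumptions beyond what the page
states: the admin user lives in Keycloak's master realm and authenticates via the
built-in admin-cli client, and the Admin REST paths are the standard ones under
https://localhost/auth/admin/realms/data-fabric.
"""
import json
import os
import ssl
import urllib.parse
import urllib.request

KC_BASE = os.environ.get("KC_BASE", "https://localhost/auth")  # console URL from the page
REALM = "data-fabric"                                          # not the master realm
UNCLASS_ATTRS = {"country": "USA", "citizenship": "Y", "classification": "UNCLASSIFIED"}


def get_admin_token(base, username, password, context=None):
    """Password grant against master/admin-cli (standard Keycloak admin bootstrap)."""
    form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    req = urllib.request.Request(f"{base}/realms/master/protocol/openid-connect/token", data=form)
    with urllib.request.urlopen(req, context=context) as resp:
        return json.load(resp)["access_token"]


class HttpCaller:
    """Issues one Admin REST call. A 201 yields the new id (last segment of the
    Location header); otherwise the decoded JSON body, or None for a 204."""
    def __init__(self, base, realm, token, context=None):
        self.prefix, self.token, self.context = f"{base}/admin/realms/{realm}", token, context

    def __call__(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.prefix + path, data=data, method=method,
                                     headers={"Authorization": f"Bearer {self.token}",
                                              "Content-Type": "application/json"})
        with urllib.request.urlopen(req, context=self.context) as resp:
            location = resp.headers.get("Location")
            if location:
                return location.rstrip("/").rsplit("/", 1)[-1]
            raw = resp.read()
            return json.loads(raw) if raw else None


class RecordingCaller:
    """Dry-run stand-in: records (method, path, body) and returns fake ids."""
    def __init__(self):
        self.calls = []

    def __call__(self, method, path, body=None):
        self.calls.append((method, path, body))
        return f"fake-id-{len(self.calls)}"


def kc_attributes(attrs):
    """Keycloak stores every user attribute as a list of strings, even single values."""
    return {k: [str(v)] for k, v in attrs.items()}


def set_user_attributes(call, user_id, attrs):
    """Send the complete attribute map the user should end up with: when moving
    classification from UNCLASSIFIED to SECRET, resend country and citizenship too."""
    body = {"attributes": kc_attributes(attrs)}
    call("PUT", f"/users/{user_id}", body)
    return body


def provision_test_user(call, group, username, password, attrs=None):
    """Same steps as the console: create group, add user, join group, set a
    non-temporary password and, optionally, the classification attributes."""
    group_id = call("POST", "/groups", {"name": group})
    user_id = call("POST", "/users", {"username": username, "enabled": True})
    call("PUT", f"/users/{user_id}/groups/{group_id}")
    call("PUT", f"/users/{user_id}/reset-password",
         {"type": "password", "value": password, "temporary": False})
    if attrs:
        set_user_attributes(call, user_id, attrs)
    return {"group_id": group_id, "user_id": user_id}


def delete_test_user(call, ids):
    """Tear-down promised in Setup: the user and group are disposable."""
    call("DELETE", f"/users/{ids['user_id']}")
    call("DELETE", f"/groups/{ids['group_id']}")


def dry_run(group, username, password, attrs=None):
    """Return the Admin REST calls provisioning would make, without sending them."""
    rec = RecordingCaller()
    provision_test_user(rec, group, username, password, attrs)
    return rec.calls


if __name__ == "__main__":
    # Live run. Point KC_CA_BUNDLE at the CA for the localhost certificate rather
    # than disabling TLS verification; KC_ADMIN_PASSWORD is the admin's password.
    ctx = ssl.create_default_context(cafile=os.environ.get("KC_CA_BUNDLE"))
    token = get_admin_token(KC_BASE, "admin", os.environ["KC_ADMIN_PASSWORD"], ctx)
    call = HttpCaller(KC_BASE, REALM, token, ctx)
    ids = provision_test_user(call, "classtest", "classtest-user", "test", UNCLASS_ATTRS)
    print("created", ids)
    set_user_attributes(call, ids["user_id"], dict(UNCLASS_ATTRS, classification="SECRET"))
```

Two details matter for the procedure: `temporary` must be `False` on the password reset (the console's Temporary switch set to Off), and attribute values are sent as single-element lists because that is how Keycloak stores them. `delete_test_user` performs the clean-up the Setup section calls for.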
#### UDL

- Repeat the steps above to invoke UDL for tracks.
- Verify you get back a good `200` response, and that the response payload contains both unclassified (`U`) and secret (`S`) tracks.

#### Palantir

- Repeat the steps above to invoke Palantir for IIRs.
- Verify you get back a good `200` response, and that the response payload contains both unclassified (`U`) and secret (`S`) IIRs.
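The three response checks above (no access: empty list or empty `data`; `UNCLASSIFIED`: only `U` records; `SECRET`: `U` and `S` records) can be turned into an oracle that flags both a leak (a record marked above the user's clearance) and over-redaction (a record the user should have seen). The following is an added example, not project code. It models only the `classification` attribute, because the page does not say how `country` and `citizenship` filter; it assumes each record carries its marking in a `classificationMarking` field and an `id` field (both names assumed, the page shows the markings but not the field); and it orders levels as the standard U < C < S < TS, which generalizes beyond the `U` and `S` markings in the mock data. The mock records are constructed for the example. The live-run section assumes the Swagger group path and operation path concatenate onto the DF base URL.

```python
"""Offline oracle for the redaction behaviour this procedure checks by hand.

Added example, not project code. Models only the `classification` attribute;
the record field names `classificationMarking` and `id` are assumptions, and the
level order U < C < S < TS generalizes the U/S markings on the page.
"""
import base64
import json
import ssl
import sys
import urllib.parse
import urllib.request

ORDER = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
MARKING_LEVEL = {"U": "UNCLASSIFIED", "C": "CONFIDENTIAL", "S": "SECRET", "TS": "TOP SECRET"}

# Constructed stand-ins for the mock upstream data (ids and fields invented here).
MOCK_TRACKS = [
    {"id": "trk-001", "classificationMarking": "U", "ts": "2024-01-01T00:00:00.000Z"},
    {"id": "trk-002", "classificationMarking": "S", "ts": "2024-01-01T00:00:00.000Z"},
    {"id": "trk-003", "classificationMarking": "S//NOFORN", "ts": "2024-01-01T00:00:00.000Z"},
]
MOCK_IIRS = [
    {"id": "iir-1", "classificationMarking": "U"},
    {"id": "iir-2", "classificationMarking": "S"},
]


def marking_level(marking):
    """Map a marking such as "S" or "S//NOFORN" to its level. Only the part before
    the first "//" is the level; controls after it are not modelled. An unknown
    marking raises instead of silently defaulting to the lowest level."""
    level = marking.split("//", 1)[0].strip().upper()
    if level not in MARKING_LEVEL:
        raise ValueError(f"unrecognised classification marking: {marking!r}")
    return MARKING_LEVEL[level]


def may_see(marking, clearance):
    """No classification attribute at all (clearance None) means nothing is visible."""
    if clearance is None:
        return False
    return ORDER.index(marking_level(marking)) <= ORDER.index(clearance)


def expected_visible(records, clearance, field="classificationMarking"):
    return [r for r in records if may_see(r[field], clearance)]


def compare(returned, clearance, upstream=None, key="id", field="classificationMarking"):
    """(ok, detail). Leaks are checked from the response alone; over-redaction
    needs the upstream record set and is checked only when one is supplied."""
    leaked = sorted(r[key] for r in returned if not may_see(r[field], clearance))
    if leaked:
        return False, f"LEAK: {leaked} returned above clearance {clearance}"
    if upstream is not None:
        want = {r[key] for r in expected_visible(upstream, clearance, field)}
        missing = sorted(want - {r[key] for r in returned})
        if missing:
            return False, f"over-redacted: {missing} should be visible at {clearance}"
    return True, f"ok: {len(returned)} record(s) visible at {clearance}"


def check_udl(payload, clearance, upstream=None):
    """GET /udl/track returns a bare JSON list; fully redacted is []."""
    if not isinstance(payload, list):
        return False, "UDL payload must be a JSON list"
    return compare(payload, clearance, upstream)


def check_palantir(payload, clearance, upstream=None):
    """Objects come back as {"data": [...], "totalCount": N}. The page shows
    totalCount staying at 50 while data is empty, so only data is filtered and the
    count discloses how many objects were withheld; assert on data only."""
    if not isinstance(payload, dict) or not isinstance(payload.get("data"), list):
        return False, 'Palantir payload must be an object with a "data" list'
    return compare(payload["data"], clearance, upstream)


def fetch_json(base, path, username, password, params=None, context=None):
    """Call a DF proxy endpoint with HTTP basic auth (Swagger's df_basic scheme)."""
    url = base + path + ("?" + urllib.parse.urlencode(params) if params else "")
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, context=context) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Live leak check: python oracle.py NONE|UNCLASSIFIED|SECRET [ca-bundle.pem]
    # The clearance argument must match the classification attribute currently set
    # on classtest-user. Supply the CA for the localhost certificate instead of
    # disabling TLS verification.
    clearance = None if len(sys.argv) < 2 or sys.argv[1] == "NONE" else sys.argv[1]
    ctx = ssl.create_default_context(cafile=sys.argv[2] if len(sys.argv) > 2 else None)
    base = "https://localhost"
    tracks = fetch_json(base, "/api/proxy/udl/udl/track", "classtest-user", "test",
                        {"ts": "2024-01-01T00:00:00.000Z"}, ctx)
    print("UDL:", check_udl(tracks, clearance)[1])
    iirs = fetch_json(base, "/api/proxy/palantir/api/v1/ontologies/some.ontology.rid/objects/iir",
                      "classtest-user", "test", None, ctx)
    print("Palantir:", check_palantir(iirs, clearance)[1])
```

Against the live stack the oracle can only detect leaks, since it does not know the full mock data set; the over-redaction check is exercised offline with the constructed records. An unknown marking string deliberately raises rather than being treated as unclassified, which is the failure mode to avoid in a filter of this kind.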