Secure upload of DRM rules

The modeler has a simple upload UI where users can deploy a dmn or bpmn model. I need to secure the upload so that new models can only be uploaded by users which belong to an admin group of the respective tenant. In https://docs.camunda.org/manual/latest/reference/rest/overview/authentication/ it does not say if there is any authorization mechanism for rest resources, it only talks about authentication against that engine’s identity service.

Groups can be authorized for Deployments, but can I authorize a group of a tenant so that it can only deploy models for that tenant?

Can the modeler ask for username and password?

Hi.

You can take lastmodeller https://blog.camunda.com/post/2019/01/camunda-modeler-3.0.0-0-released/ and setup rest api auth for deploy endpoint. In this verison modeler ask for username and password.

https://docs.camunda.org/manual/7.8/reference/rest/overview/authentication/ with HTTP Basic auth, or write small plugin for auth truth authentication endpoint

1 Like

Excellent! That feature comes just in time for me :slight_smile:

Which kind of plugin do you have in mind? Is there a special kind of authentication plugin which I could use?

Best, Dietrich

I didnt know any ready-to-use plugins.
I mean you have 3 options:

  1. Write plugin to modeler, that will use standard camunda auth rest.
  2. Write camunda-engine plugin, that accept deployments and check standard camunda auth.
    You need to this, if you want manage deploy permissions from standard camunda engine.

OR
3) You can simply made one login and pass for simple HTTP Auth and give it to your admins. So you dont need to code, but need to manage all secure-password-user-etc operation manually.

The second option looks promising: https://docs.camunda.org/manual/latest/user-guide/process-engine/process-engine-plugins/. It appears I can write a process engine plugin which adds a customPreDeployer. In there I can use a TenantIdProvider or retrieve the tenant directly:

IdentityService identityService = Context.getProcessEngineConfiguration().getIdentityService();
Authentication currentAuthentication = identityService.getCurrentAuthentication();
List<String> tenantIds = currentAuthentication.getTenantIds()
1 Like

yeah, you got it!