Proxy Classification Filtering
These procedures will test classification filtering through our proxy.
Setup
To set up for the test, we will:
-
create a test user in a test group, that can be deleted after the test
-
configure the proxy to target mock data
Create Test User
For this test we will use a test user classtest-user, belonging to a test group classtest.
Login to Keycloak
-
Open a browser to DF’s Keycloak at
https://DF_HOST/auth. -
Click the Administration Console link.
-
Login as
adminuser (or any other user with admin privileges). -
In the top left dropdown, select the
data-fabricrealm (notmasterrealm).
Create Test Group
-
In Keycloak, from the left nav menu select Groups.
-
Click the "Create group" button.
-
Input
classtestfor the group name. -
Click the "Create" button.
Create Test User
-
From the left nav menu, select Users.
-
Click the "Add user" button.
-
Input
classtest-userfor the username. -
Click the "Join Groups" button.
-
In the popup, check the box for the
classtestgroup. -
Click the "Join" button.
-
Back at the create user page for
classtest-user, click the "Create" button. -
Now on the user details page for
classtest-user, select the Credentials tab. -
Click the "Set password" button.
-
Input
testfor the password and confirmation. -
Toggle the Temporary switch to
Off. -
Click the "Save" button.
-
Click the "Save password" confirmation button.
Enable Proxies with Mock Data
-
Open a browser to
https://DF_HOST. -
Login as:
-
Username:
classtest-user -
Password:
test
-
-
In the Group access selection (top right corner), select
classtest. -
In the catalog card view, find and enable the following data sources with:
-
Unified Data Library
-
Username:
ignored -
Password:
ignored -
Palantir
-
Client ID:
ignored -
Client Secret:
ignored
-
Tests
Login to DF Swagger
-
In DF, open Swagger from the left nav menu by expanding APIs and selecting Swagger.
-
On the right of the page, click the "Authorize" button.
-
Click the "Logout" button for any/all currently enabled authorization schemes (log out of any cached credentials).
-
Under
df_basic, enter the following:-
Username:
classtest-user -
Password:
test
-
-
Click the "Authorize" button for
df_basic. -
Click any of the "Close" buttons to dismiss the authorization popup.
-
Test the credentials for
classtest-userby scrolling down to the testing section and expanding theGET /test/authendpoint row. -
Click the Try it out button in the upper right of the expanded section.
-
Click the
"Execute"button. -
Verify you get a good
200response, which should contain the"principal"identifier for the user.{ "principal": "{the-uuid-of-user}" }
Test No Access
Initially, our classtest-user will not have any authorization credentials in Keycloak.
Therefore, all responses with classification markings will be redacted.
UDL
-
From the home Swagger page, under the list of "Proxied Services" click the link for UDL (
/api/proxy/udl). -
Scroll down to the Track section and expand the row for
GET /udl/track. -
Click the "Try it out" button in the upper right of the expanded section.
-
Input the following Parameters values:
-
ts:
2024-01-01T00:00:00.000Z
-
-
Click the "Execute" button.
-
Verify you get back a good
200response, and that the response payload has been completely redacted by returning an empty JSON list.json []
Palantir
-
From the home Swagger page, under the list of "Proxied Services" click the link for Palantir (
/api/proxy/palantir). -
Scroll down to the Object section and expand the row for
GET /api/v1/ontologies/{ontologyRid}/objects/{objectType}. -
Click the "Try it out" button in the upper right of the expanded section.
-
Input the following Parameters values:
-
ontologyRid:
some.ontology.rid -
objectType:
iir
-
-
Click the "Execute" button.
-
Verify you get back a good
200response, and that the response payload has been completely redacted by returning an empty JSON list.{ "data": [], "totalCount": 50 }
Test UNCLASSIFIED Access
In this test we will add the necessary attributes in Keycloak to authorize data at the UNCLASSIFIED level for the classtest-user user.
-
Log back in to Keycloak again as an
adminuser (same as before). -
From the left nav menu, select Users.
-
Click the link for
classtest-userto view user details. -
Now on the user details page for
classtest-user, select the Attributes tab. -
Click the "Add an attribute" button link twice to create two new (empty) key/value rows.
-
Input the following attributes in the two rows:
| Key | Value | |------------------|--------------| | `country` | USA | | `citizenship` | Y | | `classification` | UNCLASSIFIED |
-
Click the "Save" button.
UDL
-
Repeat the steps above to invoke UDL.
-
Verify you get back a good
200response, and that the response payload contains only unclassified (U) tracks.
Palantir
-
Repeat the steps above to invoke Palantir.
-
Verify you get back a good
200response, and that the response payload contains only unclassified (U) IIRs.
Test SECRET Access
⚠️ This test can only be performed when SDL is operating under the SECRET classification level (or above).
In this test we will add the necessary attributes in Keycloak to authorize data at the SECRET level for the classtest-user user.
|
All data and markings are mocked for demonstration purposes only. |
-
Log back in to Keycloak again as an
adminuser (same as before). -
From the left nav menu, select Users.
-
Click the link for
classtest-userto view user details. -
Now on the user details page for
classtest-user, select the Attributes tab. -
Modify the following attribute values:
Key Value classificationSECRET -
Click the "Save" button.
UDL
-
Repeat the steps above to invoke UDL for tracks.
-
Verify you get back a good
200response, and that the response payload contains both unclassified (U) and secret (S) tracks.
Palantir
-
Repeat the steps above to invoke Palantir for IIRs.
-
Verify you get back a good
200response, and that the response payload contains both unclassified (U) and secret (S) IIRs.