LBAC & TBAC using open ziti

I’m wondering if I can implement Location-Based Access Control (LBAC) and Time-Based Access Control (TBAC) by interacting with the OpenZiti API. For example, at 8 AM, I would add an attribute to a specific client, allowing them to interact with a particular service. Additionally, I want to retrieve the client's IP address to enforce location-based access.

This would be done using a simple Python script that runs at scheduled times (e.g., using cron) or triggers on client connections.

If this is possible, could you guide me on where to obtain a token or secret key to authenticate with the OpenZiti API?

Hi @abidinhadjali, certainly you could do this. It's the sort of feature I believe the OpenZiti project itself would add support for someday (either directly or through an add-on, like you're doing). The request comes up from time to time.

You use the /authenticate endpoint supplying a query param indicating the type of login being attempted (cert | user/pwd | ext-jwt-signer). Every controller surfaces the API docs at /edge/management/v1/docs. For example https://ctrl.cdaws.clint.demo.openziti.org:8441/edge/management/v1/docs

Refer to those docs for more details. Let us know if that doesn't give you what you need, but I think it will.

Getting the IP address is somewhat tricky. OpenZiti doesn't collect this information natively as it's considered personally identifiable information. One option is to host a service on these machines that can make an http request (or other) to some server that returns the IP, then give your script dial privs to the service and collect it yourself. I'm sure there are other means, but it's probably the trickier part of what you're trying to do.

Another option that may or may not be viable is using a service router policy to control the locations that are allowed to use a service. You must deploy an edge router at all such locations, but then you could ensure only clients on a specific network could use a specific set of services. People have used this method in the past to do location-based services. It's not quite as flexible as mapping the IP, but it's certainly a bit easier in many ways.

Hope that helps

That's what I would do.
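A minimal cron-driven TBAC script along the lines of the answer above, as an added example that is not from the thread or the OpenZiti project. It assumes the Edge Management API paths documented on the controller (`POST /authenticate?method=password`, `GET`/`PATCH /identities`, with the session token sent in a `zt-session` header), and uses placeholder names for the identity and the role attribute; the decision logic is kept in a pure function so it can be tested without a controller.

```python
# Added example, not OpenZiti project code: grant a role attribute only during a time window.
import json
import ssl
import urllib.parse
import urllib.request
from datetime import datetime, time

WINDOW = (time(8, 0), time(18, 0))   # grant the attribute only between 08:00 and 18:00
ATTR = "office-hours"                # role attribute the service policy requires (placeholder)


def in_window(now: datetime, window=WINDOW) -> bool:
    """True when the wall-clock time lies inside the (same-day) allowed window."""
    start, end = window
    return start <= now.time() < end


def next_attributes(current: list, now: datetime, attr: str = ATTR) -> list:
    """Pure decision logic: the role attributes the identity should carry at `now`."""
    attrs = [a for a in current if a != attr]
    if in_window(now):
        attrs.append(attr)
    return sorted(attrs)


def api_call(base, path, method="GET", body=None, token=None, ctx=None):
    """One JSON request to the Edge Management API; returns the decoded 'data' element."""
    req = urllib.request.Request(base + path, method=method,
                                 data=json.dumps(body).encode() if body is not None else None)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("zt-session", token)   # session token returned by /authenticate
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)["data"]


def reconcile(base, username, password, identity_name, now=None, cafile=None):
    """Log in, look up the identity by name, and PATCH roleAttributes to match the window."""
    now = now or datetime.now()
    ctx = ssl.create_default_context(cafile=cafile)   # trust the controller's CA; keep verification on
    session = api_call(base, "/authenticate?method=password", "POST",
                       {"username": username, "password": password}, ctx=ctx)
    token = session["token"]
    query = urllib.parse.quote(f'name="{identity_name}"')
    ident = api_call(base, f"/identities?filter={query}", token=token, ctx=ctx)[0]
    have = sorted(ident.get("roleAttributes") or [])
    want = next_attributes(have, now)
    if want != have:   # idempotent: only write when the desired state differs
        api_call(base, f"/identities/{ident['id']}", "PATCH",
                 {"roleAttributes": want}, token=token, ctx=ctx)
    return want
```

Run `reconcile("https://<controller>:8441/edge/management/v1", user, pw, "laptop-01")` from cron at the window boundaries; the service policy then only needs to reference `#office-hours`.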