Limit the namespaces which can be accessed via gateway (HTTP / Websocket) by matching a placeholder, e.g. JWT claim #2304

@thjaeckle

Description

In a Ditto setup where several OpenID Connect providers are configured and where multiple tenants should be supported, it is important to keep data separated.
While Ditto policies already provide a way to do this, an additional "cheap" way to limit access would be to configure that a certain claim in the JWT (e.g. the issuer claim iss) limits the namespaces which can be accessed by this user.

A configuration could look like:

ditto.gateway.authentication {
    namespace-access = {
      conditions = [ # conditions must all evaluate to true (AND semantics)
        "{{ jwt:iss | fn:filter('like','https://eclipse.org*') }}"
        "{{ header:someheader | fn:filter('ne','dangerous') }}"
      ]
      allowed-namespaces = [
        "org.eclipse.*",
        "another.concrete.namespace"
      ]
      blocked-namespaces = [
        "forbidden.namespace"
      ]
    }
}

  • Effects of the allowed/blocked namespaces, enforced directly in the gateway service:
    • Ditto would reject a direct GET / PUT / PATCH / DELETE request on a policy or thing if the namespace of that policy/thing was not allow-listed for the issuer
    • Ditto would reject operations via WebSocket targeting a policy/thing in a non-allowed namespace
    • When doing a search, the Ditto gateway would
      • automatically inject the namespaces to search in into the search query
      • remove non-allowed namespaces from an explicitly defined namespaces parameter
      • OPEN: wildcards in Ditto search (when defining the namespaces parameter) are not yet supported - check if this can be provided as part of this issue as well
    • For events (to be published via WebSocket or SSE), Ditto would filter out the non-allowed namespaces, even if they made it to the streaming session based on access control (policies)
  • To support placeholders:
    • JWT
    • headers
    • time (could be useful to already configure a "rule" in the future)
  • We can make use of the Ditto placeholder function fn:filter:
    • start with a supported placeholder
    • when the condition "retains" any match (fn:filter removes all non-matches),
    • the condition is fulfilled

Summarizing, this feature can add another layer of security / access enforcement

  • in a multi-tenant setup of Ditto
  • but also when using namespaces for different things than tenant separation
  • it is orthogonal to policy based access control - an operation only succeeds if both the configured namespace-access (which is statically configured and very coarse-grained) and policy based access control let the API caller pass
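To make the proposed semantics concrete, here is an added Python model of the gateway-side check (not Ditto code, and not part of this issue): the conditions above are evaluated with AND semantics through a small fn:filter model, the namespace of a thing/policy id is matched against the allowed/blocked lists, and the search namespaces parameter is injected or trimmed. It assumes a simple '*' wildcard for 'like' and namespace patterns, and that an unresolvable placeholder fails closed.

```python
import re

# Constructed model of the issue's namespace-access config (not Ditto code).
NAMESPACE_ACCESS = {
    "conditions": [  # AND semantics: every condition must retain a match
        ("jwt:iss", "like", "https://eclipse.org*"),
        ("header:someheader", "ne", "dangerous"),
    ],
    "allowed-namespaces": ["org.eclipse.*", "another.concrete.namespace"],
    "blocked-namespaces": ["forbidden.namespace"],
}

def glob_match(pattern, value):
    # Assumption: '*' matches any run of characters; everything else is literal.
    return re.fullmatch(".*".join(map(re.escape, pattern.split("*"))), value) is not None

def fn_filter(value, op, operand):
    """Model of fn:filter: keep the value when it matches, otherwise drop it (None)."""
    ops = {"like": glob_match(operand, value), "eq": value == operand, "ne": value != operand}
    return value if ops[op] else None

def resolve(placeholder, jwt_claims, headers):
    # Resolve 'jwt:<claim>' or 'header:<name>'; unknown source or absent value -> None.
    source, _, name = placeholder.partition(":")
    value = {"jwt": jwt_claims, "header": headers}.get(source, {}).get(name)
    return None if value is None else str(value)

def conditions_hold(config, jwt_claims, headers):
    """An unresolvable placeholder fails closed instead of passing the caller."""
    for placeholder, op, operand in config["conditions"]:
        value = resolve(placeholder, jwt_claims, headers)
        if value is None or fn_filter(value, op, operand) is None:
            return False
    return True

def namespace_allowed(config, namespace):
    """Blocked wins over allowed; anything not explicitly allowed is rejected."""
    if any(glob_match(p, namespace) for p in config["blocked-namespaces"]):
        return False
    return any(glob_match(p, namespace) for p in config["allowed-namespaces"])

def may_access(config, jwt_claims, headers, entity_id):
    # Gateway-side check for a thing or policy id of the form '<namespace>:<name>'.
    namespace = entity_id.split(":", 1)[0]
    return conditions_hold(config, jwt_claims, headers) and namespace_allowed(config, namespace)

def effective_search_namespaces(config, requested):
    """Search: inject the allowed list when none was given, else drop non-allowed entries."""
    if not requested:
        return list(config["allowed-namespaces"])
    return [ns for ns in requested if namespace_allowed(config, ns)]
```

The injected allowed list still contains wildcard patterns, which the issue marks as OPEN for Ditto search.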
