...

  • Application - A Lightning/web app (WPE runtime) or Lightning/Spark app (Spark runtime) loaded from the web.
  • Thunder client - JavaScript client used by the application.
  • WPE/Spark - Application runtime environments.
  • Thunder - Web Platform for Embedded (WPE) Framework, which hosts the services.
  • Security Agent - A Thunder plugin. Accessible only over COM/RPC, and only by the application runtimes.
  • Plugin1 - Represents any plugin used as a service. Accessible over JSON/RPC.
  • thunder_permissions.conf - Configuration file defining which Thunder services applications are permitted to access.

[draw.io diagram "ThunderSecurityAgentFlow" (image not available)]

Figure 2.  Sequence Diagram

Notes: The Spark or WPE runtime loads the application. An application that wants to use Thunder services creates the Thunder client. When the client is created, it requests a security token from the runtime. The runtime requests the token directly from the Security Agent over COM/RPC, passing the application context (the application's URL). The Security Agent creates the token and returns it to the client. As noted, the token is never handed back to the application that created the Thunder client. Once the client exists, the application can invoke a service on a plugin, in this case Plugin1.foo(). The Thunder client builds the request to Thunder and includes the security token in it. The Thunder Framework (not the plugin itself) checks with the security plugin whether the application may access this plugin according to the permissions file; if so, it lets the plugin perform the request and returns the result to the application.

[draw.io diagram "ThunderSecuritySequenceDiagram" (image not available)]

Sending Security Token in JSON-RPC Requests

...

Details on Security Permissions

The Thunder security permissions (the ACL) are defined in /etc/thunder_acl.json. A sample ACL is shown below. "assign" contains a list of URL patterns, each of which is mapped to a role.

"roles" defines each of the roles; a role specifies the ACL

...

as an allow list and a block list. For development and testing, the /etc/thunder_acl.json file can be copied to /opt/thunder_acl.json and edited there. This is allowed only on VBN builds.

Sample ACL

```json
{
  "assign": [
    {
      "url": "*://localhost",
      "role": "local"
    },
    {
      "url": "*://localhost:*",
      "role": "local"
    },
    {
      "url": "*://127.0.0.1",
      "role": "local"
    },
    {
      "url": "*://127.0.0.1:*",
      "role": "local"
    },
    {
      "url": "*://[::1]",
      "role": "local"
    },
    {
      "url": "*://[::1]:*",
      "role": "local"
    },
    {
      "url": "*://[0:0:0:0:0:0:0:1]",
      "role": "local"
    },
    {
      "url": "*://[0:0:0:0:0:0:0:1]:*",
      "role": "local"
    },
    {
      "url": "file://*",
      "role": "local"
    },
    {
      "url": "*://*.comcast.com",
      "role": "comcast"
    },
    {
      "url": "*://metrological.com",
      "role": "metrological"
    },
    {
      "url": "*",
      "role": "default"
    }
  ],
  "roles": {
    "default": {
      "default": "blocked"
    },
    "local": {
      "default": "allowed"
    },
    "metrological": {
      "default": "blocked",
      "DeviceInfo": {
        "default": "allowed",
        "methods": [ "register", "unregister" ]
      },
      "JSONRPCPlugin": {
        "default": "blocked",
        "methods": [ "time", "status" ]
      }
    },
    "comcast": {
      "default": "blocked",
      "Messenger": {
        "default": "allowed"
      }
    }
  }
}
```

The other compared version of the sample keeps the same "assign" layout but defines each role as explicit allow and block lists of plugin callsigns under a "thunder" key:

```json
{
  "assign": [
    {
      "url": "*://localhost",
      "role": "local"
    },
    {
      "url": "*://testurl1.com/*",
      "role": "restricted1"
    },
    {
      "url": "*://testurl2.com/*",
      "role": "restricted2"
    },
    {
      "url": "*",
      "role": "default"
    }
  ],
  "roles": {
    "default": {
      "thunder": {
        "block": [
          "*"
        ]
      }
    },
    "local": {
      "thunder": {
        "allow": [
          "*"
        ]
      }
    },
    "restricted1": {
      "thunder": {
        "allow": [
          "org.rdk.DisplaySettings",
          "org.rdk.Timer"
        ]
      }
    },
    "restricted2": {
      "thunder": {
        "allow": [
          "*"
        ],
        "block": [
          "org.rdk.SystemServices",
          "org.rdk.StorageManager"
        ]
      }
    }
  }
}
```
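As an added illustration, not code from this page or from the Thunder project, the following Python evaluates a JSON-RPC request against an ACL in the allow/block-list layout above and lints the file for the mistakes a reviewer would look for before it ships (roles referenced but never defined, no catch-all pattern, roles that allow every plugin without a block list). The sample ACL is constructed, and the evaluation rules are assumptions rather than documented Thunder behaviour: the first matching "assign" entry selects the role, a callsign must match an "allow" pattern and no "block" pattern, and an origin that matches nothing falls back to the "default" role. The function names are likewise the example's own.

```python
import re

# Constructed sample in the allow/block-list ACL layout (not the page's file).
SAMPLE_ACL = {
    "assign": [
        {"url": "*://localhost", "role": "local"},
        {"url": "*://[::1]", "role": "local"},
        {"url": "*://testurl1.com/*", "role": "restricted1"},
        {"url": "*://testurl2.com/*", "role": "restricted2"},
        {"url": "*", "role": "default"},
    ],
    "roles": {
        "default": {"thunder": {"block": ["*"]}},
        "local": {"thunder": {"allow": ["*"]}},
        "restricted1": {"thunder": {"allow": ["org.rdk.DisplaySettings", "org.rdk.Timer"]}},
        "restricted2": {"thunder": {"allow": ["*"],
                                    "block": ["org.rdk.SystemServices", "org.rdk.StorageManager"]}},
    },
}


def glob_match(pattern: str, value: str) -> bool:
    """Match with '*' as the only wildcard. fnmatch is deliberately avoided:
    it would read the brackets in an IPv6 pattern such as '*://[::1]' as a
    character class instead of literal text."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def role_for_origin(acl: dict, origin: str) -> str:
    """Assumed rule: the first 'assign' entry whose pattern matches wins;
    an origin matching no entry gets the 'default' role."""
    for entry in acl.get("assign", []):
        if glob_match(entry["url"], origin):
            return entry["role"]
    return "default"


def is_allowed(acl: dict, origin: str, callsign: str) -> bool:
    """Assumed rule: the callsign must match an 'allow' pattern and must not
    match any 'block' pattern. A role with no 'allow' list permits nothing."""
    roles = acl.get("roles", {})
    rules = roles.get(role_for_origin(acl, origin)) or roles.get("default", {})
    thunder = rules.get("thunder", {})
    allowed = any(glob_match(p, callsign) for p in thunder.get("allow", []))
    blocked = any(glob_match(p, callsign) for p in thunder.get("block", []))
    return allowed and not blocked


def lint_acl(acl: dict) -> list:
    """Findings a reviewer would want before the file is deployed."""
    findings = []
    roles = acl.get("roles", {})
    assign = acl.get("assign", [])
    for entry in assign:
        if entry["role"] not in roles:
            findings.append(
                f"assign '{entry['url']}' references undefined role '{entry['role']}'")
    if not any(entry["url"] == "*" for entry in assign):
        findings.append("no catch-all '*' entry; unmatched origins fall back to role 'default'")
    for name, rules in roles.items():
        thunder = rules.get("thunder", {})
        if "*" in thunder.get("allow", []) and not thunder.get("block"):
            findings.append(f"role '{name}' allows every plugin with no block list")
    return findings


if __name__ == "__main__":
    checks = [
        ("https://testurl1.com/app/index.html", "org.rdk.Timer"),
        ("https://testurl1.com/app/index.html", "org.rdk.SystemServices"),
        ("https://testurl2.com/app", "org.rdk.SystemServices"),
        ("http://localhost", "org.rdk.SystemServices"),
        ("http://localhost:8080", "DeviceInfo"),   # no ':*' pattern, so falls to default
    ]
    for origin, callsign in checks:
        verdict = "allowed" if is_allowed(SAMPLE_ACL, origin, callsign) else "blocked"
        print(f"{origin:40} {callsign:26} {role_for_origin(SAMPLE_ACL, origin):12} {verdict}")
    for finding in lint_acl(SAMPLE_ACL):
        print("lint:", finding)
```

The last check in the usage block is the one worth noticing: with only "*://localhost" in the assign list, an application served from "http://localhost:8080" matches the catch-all and lands in the "default" role, which is why the page's first sample carries separate ":*" entries for every local origin.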