Access Control
GS2-Identifier is the mechanism that manages credentials (authentication information) and access privileges for GS2 services.
Access permissions for each service are managed per GS2-Identifier user (hereinafter referred to as "user").
GS2 assigns a security policy to each user, which defines what GS2 services the user can use.
GS2 uses the credentials to authenticate the accessing user and returns a project token. The game application/management tool uses this project token to access each service.
Detailed permission settings are defined in the security policy, which is assigned to each user.
Users
The following diagram gives an overview of the data structure a user has:
class User {
+userId
+name
:
}
class Identifier {
+clientId
+clientSecret
:
}
class Password {
+hashedPassword
:
}
class AttachedSecurityPolicy {
+securityPolicyId
:
}
class SecurityPolicy {
+policyDocument
:
}
User "1" *-- "many" Identifier
User "1" --- "1" Password
User "1" *-- "<=10" AttachedSecurityPolicy
AttachedSecurityPolicy "1" -- "1" SecurityPolicy
note "Authentication information (credentials)\nInformation required to access each service's API" as IdentifierNote
Identifier .. IdentifierNote
note "Password Information to log in to \nthe Management Console as a sub-account" as PasswordNote
Password .. PasswordNote
note "User access privileges" as AttachedSecurityPolicyNote
AttachedSecurityPolicy .. AttachedSecurityPolicyNote
note "Permission settings" as SecurityPolicyNote
SecurityPolicy .. SecurityPolicyNote
Security Policy
The following policies have been predefined in the security policy.
| Security Policy Name | Description |
|---|---|
| AdministratorAccess | Permission to use all APIs |
| ApplicationAccess | Permission to call only APIs that do not lead to cheating |
| DeliveryAccess | Permission required for GS2-Distributor to perform resource overflow processing |
| UnauthenticatedAccess | Authority to perform only the processing (including login processing) necessary to perform version checks (GS2-Version). |
The AdministratorAccess policy grants access to all GS2 services.
The ApplicationAccess policy is intended to be embedded in a game application. It grants access to all GS2 services, but API calls that could manipulate server-side state and lead to cheating are not allowed.
Security Policy Format
Security policies are written in JSON format.
Each statement contains the Effect, Actions, and Resources elements. The * (asterisk) represents a wildcard.
The simplest security policy is shown in the following example. It states that all operations are allowed on all services and APIs.
{
"Version": "2016-04-01",
"Statements": [
{
"Effect": "Allow",
"Actions": [
"*"
],
"Resources": [
"*"
]
}
]
}
Effect
Specifies whether this policy allows (Allow) or denies (Deny) access to the API.
Actions
The security policy shown in the following example allows any operation on the GS2-Inbox service. A user assigned this security policy has no access to any service other than GS2-Inbox.
The * (asterisk) represents a wildcard.
{
"Version": "2016-04-01",
"Statements": [
{
"Effect": "Allow",
"Actions": [
"Gs2Inbox:*"
],
"Resources": [
"*"
]
}
]
}
Enumerating Actions
Actions enumerates the methods that may (or may not) be called. Specify the methods listed in the API reference for each service.
Each entry has the form [service name]:[method name], with a : (colon) in between.
The service name is written without the - (hyphen): the name of each service is appended to Gs2, so GS2-Inbox becomes "Gs2Inbox".
The method name is written in upper camel case (PascalCase) with the first letter capitalized, e.g. SendMessage.
{
"Version": "2016-04-01",
"Statements": [
{
"Effect": "Allow",
"Actions": [
"Gs2Inbox:SendMessage",
"Gs2Inbox:DescribeMessage",
"Gs2Inbox:ReadMessage",
"Gs2Inbox:DeleteMessage"
],
"Resources": [
"*"
]
}
]
}
Resources
This element specifies the range of resources affected by this policy.
Resources lists the GRNs of the resources on which operations are to be allowed or denied. As with Actions, leading and trailing wildcards are allowed.
{
"Version": "2016-04-01",
"Statements": [
{
"Effect": "Allow",
"Actions": [
"Gs2Inbox:SendMessage"
],
"Resources": [
"grn:gs2:{region}:{ownerId}:inbox:namespace-0001",
"grn:gs2:{region}:{ownerId}:inbox:namespace-0001:*"
]
}
]
}
In this example, SendMessage is permitted only within namespace-0001.
Determine security policy
A user can have up to 10 security policies assigned. The actions for which Effect is Allow are evaluated together across all assigned policies, and from that set any actions for which Effect is Deny are removed; the remaining APIs can be called.
In other words, if both Allow and Deny are described for the same action, Deny takes precedence.
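To make the evaluation rule concrete, here is a small evaluator written for this page (it is an added example, not GS2's own implementation). It parses policy documents in the format shown above, treats * as a glob wildcard for both Actions and Resources (an assumption about the matching semantics), enforces the 10-policy limit, and lets Deny override Allow; the region and owner values in the GRNs are constructed placeholders.

```python
import fnmatch
import json

# Constructed sample policies (not GS2's predefined ones): the first allows all
# GS2-Inbox operations, the second denies DeleteMessage in one namespace.
ALLOW_INBOX = json.dumps({
    "Version": "2016-04-01",
    "Statements": [
        {"Effect": "Allow", "Actions": ["Gs2Inbox:*"], "Resources": ["*"]}
    ],
})
DENY_DELETE = json.dumps({
    "Version": "2016-04-01",
    "Statements": [
        {"Effect": "Deny",
         "Actions": ["Gs2Inbox:DeleteMessage"],
         "Resources": ["grn:gs2:ap-northeast-1:owner-0001:inbox:namespace-0001",
                       "grn:gs2:ap-northeast-1:owner-0001:inbox:namespace-0001:*"]}
    ],
})

MAX_ATTACHED_POLICIES = 10  # limit stated on the page


def matches(patterns, value):
    """True if any pattern matches value; '*' is a glob wildcard (assumption)."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy_documents, action, resource):
    """Decide whether `action` on `resource` is permitted by the attached policies.

    An Allow statement in any policy grants access, unless a Deny statement in
    any policy also matches the same action and resource, in which case Deny wins.
    Nothing is permitted by default.
    """
    if len(policy_documents) > MAX_ATTACHED_POLICIES:
        raise ValueError("a user may have at most 10 attached security policies")
    allowed = denied = False
    for doc in policy_documents:
        policy = json.loads(doc)
        for stmt in policy["Statements"]:
            if matches(stmt["Actions"], action) and matches(stmt["Resources"], resource):
                if stmt["Effect"] == "Allow":
                    allowed = True
                elif stmt["Effect"] == "Deny":
                    denied = True
    return allowed and not denied
```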