Allow user to manage the access to gateway proxied APIs

[t83714]

Allow user to manage the access to gateway proxied APIs

Currently, access to gateway-proxied APIs is enforced at each API endpoint.

However, as a system admin, I also want to secure an API at the gateway (via simple config & permission settings ) for use cases that:

• don't require fine-grained access
• rest style HTTP-based APIs

Why?

• the API route might point to a third-party component that I could not implement on-spot access control enforcement easily
• Functionality-wise, the access control model required for the API might match / close to the REST HTTP API interaction story. And again, we don't require fine-grained (e.g. control based on API request data) access for the API access.

1> Turn on the proposed feature

As a system admin, I can turn on the proposed API access control feature by modifying the current gateway route config by adding an extra accessControl field.

e.g. The following gateway route configuration will make the gateway enforce access control on any access to the API. Unless permission is granted to a user on the API endpoint, the user will get a 403 Forbidden response when accessing the API endpoint.

myApi1:
    to: http://api-one/v0
    accessControl: true

2> Manage API Access

To manage the access around the API, the system admin needs to define the relevant resource, operation, permission & role objects and grant the role to appropriate users.

2.1> Define resource & operation

1> e.g. for a gateway-proxied API endpoint: /api/v0/myApi/search/customers, the system admin should:

• create a resource in system settings with URI api/myApi
• create an operation search/customers

to represent the access to API /api/v0/myApi/search/customers (for any HTTP request methods)

If the system admin wants to restrict the access by HTTP method further, he can:

• create a resource in system settings with URI api/myApi
• create an operation search/customers/GET
  • Here, the last segment of operation URI must be upper case, and its value must be one of the valid HTTP methods

Please note: any API endpoints not covered by defined resource & operation will not be accessible externally.

2.2> Create permission & role

Once the system admin creates proper resource & operation records for all externally accessible API endpoints, he can grant access to those endpoints by creating permission & role records.

The created role records can be assigned to appropriate users to grant access to the API endpoints.

[t83714]

closed via Pr: https://github.com/magda-io/magda/pull/3498