Allow user to manage the access to gateway proxied APIs
Currently, access to gateway-proxied APIs is enforced at each API endpoint.
However, as a system admin, I also want to secure an API at the gateway (via simple config & permission settings ) for use cases that:
don't require fine-grained access
rest style HTTP-based APIs
Why?
the API route might point to a third-party component that I could not implement on-spot access control enforcement easily
Functionality-wise, the access control model required for the API might match / close to the REST HTTP API interaction story. And again, we don't require fine-grained (e.g. control based on API request data) access for the API access.
1> Turn on the proposed feature
As a system admin, I can turn on the proposed API access control feature by modifying the current gateway route config by adding an extra accessControl field.
e.g. The following gateway route configuration will make the gateway enforce access control on any access to the API. Unless permission is granted to a user on the API endpoint, the user will get a 403 Forbidden response when accessing the API endpoint.
myApi1:
to: http://api-one/v0
accessControl: true
2> Manage API Access
To manage the access around the API, the system admin needs to define the relevant resource, operation, permission & role objects and grant the role to appropriate users.
2.1> Define resource & operation
1> e.g. for a gateway-proxied API endpoint: /api/v0/myApi/search/customers, the system admin should:
create a resource in system settings with URI api/myApi
create an operation search/customers
to represent the access to API /api/v0/myApi/search/customers (for any HTTP request methods)
If the system admin wants to restrict the access by HTTP method further, he can:
create a resource in system settings with URI api/myApi
create an operation search/customers/GET
Here, the last segment of operation URI must be upper case, and its value must be one of the valid HTTP methods
Please note: any API endpoints not covered by defined resource & operation will not be accessible externally.
2.2> Create permission & role
Once the system admin creates proper resource & operation records for all externally accessible API endpoints, he can grant access to those endpoints by creating permission & role records.
The created role records can be assigned to appropriate users to grant access to the API endpoints.
Allow user to manage the access to gateway proxied APIs
Currently, access to gateway-proxied APIs is enforced at each API endpoint.
However, as a system admin, I also want to secure an API at the gateway (via simple config & permission settings ) for use cases that:
Why?
1> Turn on the proposed feature
As a system admin, I can turn on the proposed API access control feature by modifying the current gateway route config by adding an extra
accessControl
field.e.g. The following gateway route configuration will make the gateway enforce access control on any access to the API. Unless permission is granted to a user on the API endpoint, the user will get a
403 Forbidden
response when accessing the API endpoint.2> Manage API Access
To manage the access around the API, the system admin needs to define the relevant
resource
,operation
,permission
&role
objects and grant the role to appropriate users.2.1> Define
resource
&operation
1> e.g. for a gateway-proxied API endpoint:
/api/v0/myApi/search/customers
, the system admin should:api/myApi
search/customers
to represent the access to API
/api/v0/myApi/search/customers
(for any HTTP request methods)If the system admin wants to restrict the access by HTTP method further, he can:
api/myApi
search/customers/GET
2.2> Create
permission
&role
Once the system admin creates proper
resource
&operation
records for all externally accessible API endpoints, he can grant access to those endpoints by creatingpermission
&role
records.The created
role
records can be assigned to appropriate users to grant access to the API endpoints.