Open dang03 opened 7 years ago
Hey @dang03, what's needed on those extra JSON objects, and who should provide them, the Gatekeeper?
Hi @jbonnet
These JSON objects can be considered the "rule sets" for each Gatekeeper API. They are initially set in a JSON file by the Gatekeeper (predefined in the User Management module), but can be dynamically updated through the UM /api/v1/resources API. More info about this API will be available at the UM API wiki.
The initial resource is almost finished, as some endpoints are still provisional; it can be checked here: initial-resource.json
This resource data should only be updated once a new module is integrated into the Service Platform, a new SONATA version is released, or a new policy is defined by the SP owner. I guess it won't change often. Here is an example of the resource data (rule set):
```json
{
  "clientId": "catalogue",
  "resource_owner_name": "catalogue_api",
  "role": "none",
  "description": "This is a sample rule set",
  "resources": [
    {
      "resource_name": "services",
      "description": "description",
      "type": "resource",
      "URI": "services",
      "owner": "catalogue",
      "associated_permissions": [
        {
          "name": "read",
          "description": "Read a catalogue service resource",
          "apply_policy": ["developer", "son-slm"],
          "action": "GET"
        },
        {
          "name": "write",
          "description": "Store a catalogue service resource",
          "apply_policy": ["developer", "owner"],
          "action": "POST"
        },
        {
          "name": "update",
          "description": "Update a catalogue service resource",
          "apply_policy": ["developer", "owner"],
          "action": "PUT"
        },
        {
          "name": "delete",
          "description": "Remove a catalogue service resource",
          "apply_policy": ["developer", "owner"],
          "action": "DELETE"
        }
      ]
    }
  ],
  "policies": [
    {
      "name": "developer",
      "description": "SONATA Realm role authorized to request the resource",
      "type": "role",
      "logic": "positive",
      "scopes": null
    },
    {
      "name": "customer",
      "description": "SONATA Realm role authorized to request the resource",
      "type": "role",
      "logic": "positive",
      "scopes": null
    },
    {
      "name": "admin",
      "description": "SONATA Realm role authorized to request the resource",
      "type": "role",
      "logic": "positive",
      "scopes": null
    },
    {
      "name": "son-slm",
      "description": "SONATA Realm role authorized to request the resource",
      "type": "role",
      "logic": "positive",
      "scopes": null
    }
  ]
}
```
User Management is currently "protecting" SP resources through the enhanced authorization process for the following gtkapi Catalogue endpoints:
- /packages
- /services
- /functions

User Management requires extra JSON objects defining the resource permissions for the following gtkapi endpoints:
- /requests
- /vims
- /vim_requests
- /records
- /micro-services
- /users
- /licences
- /vims
- /wims
- /kpis
- /metrics
- /validator
- /rate_limiter
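As an added example (not code from this issue or from the SONATA project), here is a small Ruby check that evaluates a request against a rule set in the format shown in the reply above: the resource is matched by `URI`, the permission by its HTTP `action`, and each name in `apply_policy` is looked up in `policies`. Everything not explicitly granted is denied, so a policy that is referenced but never defined (like `"owner"` in the sample) grants nothing; treating `"logic": "negative"` as an inverted match is an assumption borrowed from Keycloak, and the trimmed rule set below is constructed.

```ruby
require 'json'

# Constructed rule set, trimmed from the sample in the thread (no PUT rule,
# and "owner" is referenced by apply_policy but never defined under policies).
RULE_SET = JSON.parse(<<~RULES)
{
  "clientId": "catalogue",
  "resources": [
    {
      "resource_name": "services",
      "URI": "services",
      "associated_permissions": [
        { "name": "read",   "apply_policy": ["developer", "son-slm"], "action": "GET" },
        { "name": "write",  "apply_policy": ["developer", "owner"],   "action": "POST" },
        { "name": "delete", "apply_policy": ["developer", "owner"],   "action": "DELETE" }
      ]
    }
  ],
  "policies": [
    { "name": "developer", "type": "role", "logic": "positive", "scopes": null },
    { "name": "customer",  "type": "role", "logic": "positive", "scopes": null },
    { "name": "son-slm",   "type": "role", "logic": "positive", "scopes": null }
  ]
}
RULES

# True if the policy called +name+ grants access to a caller holding +roles+.
# An undefined policy, or one that is not a role policy, never grants (deny by default).
# "logic" is assumed to behave as in Keycloak: "positive" grants when the role
# matches, "negative" grants when it does not.
def policy_grants?(rule_set, name, roles)
  policy = rule_set['policies'].find { |p| p['name'] == name }
  return false if policy.nil? || policy['type'] != 'role'
  matched = roles.include?(policy['name'])
  policy['logic'] == 'negative' ? !matched : matched
end

# Decide whether a caller with +roles+ may perform +method+ on the resource +uri+.
def authorized?(rule_set, roles, method, uri)
  resource = rule_set['resources'].find { |r| r['URI'] == uri }
  return false if resource.nil?                  # unknown resource: deny
  perm = resource['associated_permissions'].find { |p| p['action'] == method.upcase }
  return false if perm.nil?                      # no rule for this HTTP verb: deny
  perm['apply_policy'].any? { |name| policy_grants?(rule_set, name, roles) }
end

puts authorized?(RULE_SET, ['developer'], 'GET', 'services')  # true
puts authorized?(RULE_SET, ['owner'], 'POST', 'services')     # false: "owner" policy undefined
```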