Role based security - controlling access to resource deployments


There do not seem to be options in the access control page to set deployment access for resources. I see that it exists for proxies. What I want to do is create a role that prohibits deployment of resources (java, jsc etc.) to our prod and qa environments. I think this is crucial since we do not want users with dev access to inadvertently upload resources to the prod or qa environments.

Where is this access controlled?

1 ACCEPTED SOLUTION

Hi @Kevin A,

Although not supported in the UI, this can be accomplished using the Management API to modify an existing custom role. First, create a custom role (I used "testing") and then assign it to a user. This can be done in the UI.

In the following examples, I am adding a "get" permission for the role, testing for OK, then deleting the permission and testing again for 403. Note that the curls use different credentials.

As ORGADMIN use the Management API to add a "get" permission for the path "/environments/test/resources".

curl -X POST -H "Authorization: Basic $B64_ORGADMIN_UNPW" -H "Content-Type: application/json" -d '{
	"path": "/environments/test/resources",
	"permissions": ["get"]
}
' "https://api.enterprise.apigee.com/v1/o/$ORG_NAME/userroles/testing/permissions"

Verify that the role has the permissions set:

curl -X GET -H "Authorization: Basic $B64_ORGADMIN_UNPW" -H "Content-Type: application/json" "https://api.enterprise.apigee.com/v1/o/$ORG_NAME/userroles/testing/permissions"

200 OK
...
{
      "organization": "orgname",
      "path": "/environments/test/resources",
      "permissions": [
        "get"
      ]
}

And the user is assigned that role:

curl -X GET -H "Authorization: Basic $B64_ORGADMIN_UNPW" "https://api.enterprise.apigee.com/v1/o/$ORG_NAME/userroles/testing/users"

200 OK 
[
  "user.testing@some.com"
]

As USER in "testing" role, test access returns 200 OK

curl -X GET -H "Authorization: Basic $B64_USER_UNPW" "https://api.enterprise.apigee.com/v1/o/$ORG_NAME/e/test/resources"

200 OK 

As ORGADMIN delete the "get" permissions (note Edge returns the entity that was deleted)

curl -X DELETE -H "Authorization: Basic $B64_ORGADMIN_UNPW" "https://api.enterprise.apigee.com/v1/o/$ORG_NAME/userroles/testing/permissions/get?path=/environments/test/resources"

200 OK

{
  "path": "/environments/test/resources",
  "permissions": [
    "get"
  ]
}

As USER in "testing" role, test again to see access returns 403:

curl -X GET -H "Authorization: Basic $B64_USER_UNPW" "https://api.enterprise.apigee.com/v1/o/$ORG_NAME/e/test/resources"

403 Forbidden

Hope that helps.


8 REPLIES

@Kevin A , Great Question & Interesting requirement,

It's not supported at Apigee Edge Proxy level since proxy is a bundle with a collection of xml files & resource files which will be uploaded as raw data in create proxy / update proxy request.

For example, when you see the import proxy API, where you can actually implement restrictions like who can create / update / delete a proxy using GET, PUT, DELETE permissions, it takes the file payload as a request. You can only specify who can create / update / delete / get the API Proxy.

You can actually restrict upload / update / delete resource files on individual APIs by defining permissions for the custom role. Like,

curl -X POST -H "Content-Type: application/json" -H "Authorization: Basic XXX" -d '{
  "organization": "demo-au04",
  "path": "/applications/*/revisions/*/resourcefiles",
  "permissions": ["get"]
}' "https://api.enterprise.apigee.com/v1/organizations/demo-au04/userroles/{rolename}/permissions"

The above actually works at the API level if someone uses the Edge Management API to attach / create resources to the proxy.

But we will never use individual APIs to attach resources to the API Proxy. We always use the API Proxy bundle approach or the Edge UI. So it's not possible to restrict the same in Apigee Edge due to the current design.

You can actually do it outside of Apigee Edge in your CI & CD pipeline by implementing a custom rule. Just before you publish the proxy bundle to Apigee Edge, you can check for user permissions for the above APIs using a simple call & then allow / disallow based on proxy bundle contents. It's a workaround / soft restriction that you can implement in your development life cycle.

Hope it helps.

Hi Anil, thanks for the response. Actually most of our common code is in environment level javascript files. We are trying to restrict access to upload to the environment level.

We currently use this endpoint to create resources:

https://api.enterprise.apigee.com/v1/o/$ORG_NAME/e/$ENV_NAME/resources?name=$resource_name&type=$res...

So, we would want to restrict the call to a certain environment based on the role for the user. There does not seem to be a way to set this access restriction.


Hi Kurt, I tested this out and it works perfectly!! Thank you so much!

Awesome, I was excited it worked, since that resource wasn't documented, but hey, that's the beauty of Edge API design ;). If you're satisfied, kindly up-vote my answer so it can help others.

Cheers

close enough 🙂 I do have an issue which I did not validate.

So your steps removed access to prod and that works great. I get a 403 when I access /myorg/e/prod/resources as expected.

I am also able to perform a GET to /myorg/e/test/resources but I get a 403 when I perform a POST to create/update a resource in test using /myorg/e/test/resources.

Perhaps POST access needs to be added back to the test environment?

Any ideas?

ok, resolved that by modifying your json to re-add "put" permissions to the test environment, all works now as expected 🙂

You can add multiple permissions initially, e.g. POST with "permissions": ["get", "post"] or one-by-one.

You have to delete the permissions, one-by-one tho.
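
Added example, not part of the original thread or of Apigee's own tooling: an offline audit of a role's permission entries (shaped like the GET .../userroles/testing/permissions output above) that reports any entry that could still allow resource uploads to protected environments. Assumptions: the environment names "prod" and "qa" from the question, any verb other than "get" counts as a write, `*` matches one path segment, and a parent path is treated as covering the resources path, which is deliberately conservative and does not model how Edge resolves overlapping paths; the sample entries are constructed.

```python
# Added example: offline audit of a custom role's permission entries.
import json

PROTECTED_ENVS = ("prod", "qa")   # assumption: environment names taken from the question
READ_ONLY = {"get"}               # assumption: any other verb is treated as a write

# Constructed sample, shaped like the entries in the thread's GET .../permissions output.
SAMPLE = json.loads("""[
  {"organization": "orgname", "path": "/environments/test/resources",
   "permissions": ["get", "put"]},
  {"organization": "orgname", "path": "/environments/prod/resources",
   "permissions": ["get"]},
  {"organization": "orgname", "path": "/environments/*/resources",
   "permissions": ["get", "put"]}
]""")


def covers(pattern, target):
    """True if pattern equals target, wildcard-matches it, or is a parent path of it."""
    p = [s for s in pattern.split("/") if s]
    t = [s for s in target.split("/") if s]
    return len(p) <= len(t) and all(a in ("*", b) for a, b in zip(p, t))


def audit(entries, protected=PROTECTED_ENVS):
    """Return (env, path, write_verbs) for each entry that may allow resource uploads."""
    findings = []
    for env in protected:
        target = f"/environments/{env}/resources"
        for entry in entries:
            verbs = {v.lower() for v in entry.get("permissions", [])}
            writes = sorted(verbs - READ_ONLY)
            if writes and covers(entry.get("path", ""), target):
                findings.append((env, entry["path"], writes))
    return findings


if __name__ == "__main__":
    for env, path, verbs in audit(SAMPLE):
        print(f"{env}: {path} grants {verbs}")
```

In the constructed sample the explicit prod entry is read-only, but the wildcard entry is reported for both prod and qa, which is the kind of entry worth reviewing before relying on the role.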