Contents
Role-Based Access Control (RBAC) enables you to restrict system access to authorized users based on their assigned roles. Using the RBAC model, permissions to perform specific system operations are assigned to specific roles, and system users are granted permission to perform specific operations only through their assigned roles. This simplifies system administration because users do not need to be assigned permissions directly, and instead acquire them through their assigned roles.
The API Gateway uses the RBAC permissions model to ensure that only users with the assigned role can access parts of the Management Services exposed by the Admin Node Manager. For example, this includes access to traffic monitoring data or making a configuration change by deploying to a group of API Gateways. The following diagram shows an overview of the RBAC model in the API Gateway:
API Gateway Manager
The web-based API Gateway Manager tool (https://localhost:8090
) is a centralized
dashboard for managing and monitoring the API Gateway, and is controlled by RBAC. Users
connecting to this URL with different roles results in different features being displayed.
For example, a user with the API Service Administrator
or API Service
Developer
role can access the API Service Manager tool. However, users in the Policy
Developer
, API Gateway Operator
, or Deployer
roles
cannot access the API Service Manager tool.
For more details on the tools and privileges assigned to specific user roles, see the topic on Managing Admin Users.
Protected Management Services
The Admin Node Manager exposes a number of REST Management Services, which are all protected by RBAC. For example, the exposed services and the associated tools that use them include the following:
Protected Service | Tool | Description |
---|---|---|
Traffic Monitoring Service | API Gateway Manager | Displays HTTP, HTTPS, JMS, and FTP message traffic processed by the API Gateway. |
API Service Manager API | API Gateway Manager | Enables users to virtualize REST APIs and SOAP Services on the API Gateway. |
Configuration Service | API Gateway Manager | Adds and removes tags on the API Gateway. |
Topology API | API Gateway Manager | Accesses and configures API Gateway domains. |
Static Content Resources | API Gateway Manager | Manages UI elements in a browser. |
Deployment API | Policy Studio | Deploys configurations to the API Gateway. |
KPS Service | Policy Studio | Manages a Key Property Store. |
User Roles
User access to Management Services is determined by their role(s). Each role has a defined set of Management Services that it can access. A Management Service is defined by the URI used to access it, for example:
Role Name | Service Name | API Type | Example URI |
---|---|---|---|
API Gateway Operator
|
Topology API | REST |
/api/topology/hosts
|
API Gateway Administrator
|
Deployment API | REST |
/api/router/service/instance-1/deployment/domain/deployments
|
API Service Administrator
|
Static Content Resource | Static |
/
|
For full details on the default roles that have access to each Management Service,
see the section called “Management Service Roles and Permissions”.
By default, all the user credentials are stored in a local Admin User store in the following file:
INSTALL_DIR/conf/adminUsers.json
INSTALL_DIR
is the directory where the API Gateway is installed as Admin Node Manager.
The following shows an example file:
{ "version" : 1, "adminUserPasswords" : { "user-1" : "Y2hhbmdlbWU=" }, "productVersion" : "7.1.0", "adminUsers" : [ { "name" : "admin", "id" : "user-1", "roles" : [ "role-1", "role-4", "role-6", "role-7" ] } ], "adminUserRoles" : [ { "name" : "API Server Administrator", "id" : "role-1" }, { "name" : "API Server Operator", "id" : "role-2" }, { "name" : "API Service Administrator", "id" : "role-3" }, { "name" : "API Service Developer", "id" : "role-4" }, { "name" : "Deployer", "id" : "role-5" }, { "name" : "KPS Administrator", "id" : "role-6" }, { "name" : "Policy Developer", "id" : "role-7" } ], "uniqueIdCounters" : { "User" : 2, "Role" : 8 } }
The credentials from this file are used to authenticate and perform RBAC on all accesses to the Management Services. This store holds the user credentials, so their passwords can be verified, and also holds their roles. Credentials and associated roles can also be retrieved from an LDAP Directory Server (for example, Microsoft Active Directory or OpenLDAP).
For details on configuring an LDAP repository, see the following topics:
The Access Control List file (acl.json
) is located in the conf
directory
of your API Gateway installation. This file lists each role and the Management Services that each role
may access. By default, this file defines the following roles:
-
API Service Developer
-
API Service Administrator
-
API Gateway Administrator
-
API Gateway Operator
-
KPS Administrator
-
Policy Developer
-
Deployer
The default admin
user is assigned the API Service Developer
, API Gateway
Administrator
, KPS Administrator
, and Policy Developer
roles by default,
which together allow access to everything. For full details on the Management Services that each role has
access to, and the URIs that must be listed in the acl.json
file to have access to them, see
the table in the section called “Management Service Roles and Permissions”.
Important | |
---|---|
The roles defined in the |
Access Control List File Format
Each role entry in the acl.json
file has the following format:
"role-name" : [ <list_of_permission_names> ]
The permissions consist of operations that are defined by HTTP methods and URIs:
“permission-name” : { <list_of_operation_names> } “operation-name” : { "methods" : [ <list of HTTP Methods> ], "paths" : [ <list of path-names> ] } “path-name” : { "path" : <URI> }
This file entry format is described as follows:
-
The permissions line is repeated for each permission the role has. To determine which permissions should be listed for each Management Service, see the table in the section called “Management Service Roles and Permissions”.
-
You can place a wildcard (
*
) at the end of thepath
field. For example, see the path fordojo resources
in the example that follows. This means the role has access to all URIs that start with the URI content that precedes the*
. -
In some cases, you must protect a Management Service by specifying a query string after the URI. Exact matches only are supported for query strings.
Example Access Control List File
The following example shows the roles and permissions to URIs:
"paths" : { "root" : { "path" : "/" }, "emc pages" : { "path" : "/emc/*" }, "site images" : { "path" : "/images/*" }, "dojo resources" : { "path" : "/dojo/*" }, .... } }, "operations" : { "emc_read_web" : { "methods" : [ "GET" ], "paths" : [ "emc pages", "dojo resources" ] }, "common_read_web" : { "methods" : [ "GET" ], "paths" : [ "root", "site images" ] }, .... }, "permissions" : { "emc" : [ "common_read_web", "emc_read_web" ], "config" : [ "configuration" ], "deploy" : [ "deployment", "management" ], "api_service_manager" : [ "servicemanager", "servicemanager.read", "management" ], "api_service_manager_modify" : [ "servicemanager.modify", "configuration" ] ... }, “roles” : { "API Service Administrator" : [ "emc", "mgmt", "api_service_manager" ], "Policy Developer" : [ "deploy", "config"] }
You can use the API Gateway Manager to configure the users and roles in the local Admin User store. Click the Settings -> Admin Users to view and modify user roles (assuming you have a role that allows this). This screen is displayed as follows:
Managing User Roles
When you click Create to create a new user, you can select the roles to assign to the that new user. New users are not assigned a default role. While users that are replicated from an LDAP repository do not require a role to be assigned to them. You can click Edit to changed the roles assigned to a selected user.
Adding a New Role to the User Store
When you add a new role to the Admin User store, you must modify the available roles in the
adminUsers.json
and acl.json
files in the conf
directory
of your Admin Node Manager installation. You must add the new role to the roles
section of
the acl.json
file, which lists all the permissions that the new role may have.
Important | |
---|---|
You must update the
When you update the |
For more details on managing user roles, see the topic on Managing Admin Users.
You can use the following table for reference purposes when making changes to the
acl.json
file. It defines each Management Service, and the default roles that
have access to them. It also lists the URIs that must be listed in the acl.json
to have access to the Management Service.
Management Service | Default Roles | Permissions |
---|---|---|
API Gateway Manager (https://localhost:8090 )
|
|
|
API Service Manager (read-only access) |
|
|
API Service Manager (write access) |
|
|
API Gateway Manager Dashboard |
|
|
API Gateway Manager Dashboard (read-only access) |
|
|
API Gateway Manager Monitoring |
|
|
API Gateway Manager Traffic |
|
|
API Gateway Manager Logs |
|
|
API Gateway Manager Events |
|
|
API Gateway Manager Settings |
|
|
API Gateway Manager Settings (read-only access) |
|
|
Documentation |
|
|
KPS |
|
|
Policy Studio |
|
|
API Server Configuration Deployment |
|
|