Configuring Role-Based Access Control (RBAC)

Overview

Role-Based Access Control (RBAC) enables you to restrict system access to authorized users based on their assigned roles. Using the RBAC model, permissions to perform specific system operations are assigned to specific roles, and system users are granted permission to perform specific operations only through their assigned roles. This simplifies system administration because users do not need to be assigned permissions directly, and instead acquire them through their assigned roles.

The API Gateway uses the RBAC permissions model to ensure that only users with the assigned role can access parts of the Management Services exposed by the Admin Node Manager. For example, this includes access to traffic monitoring data or making a configuration change by deploying to a group of API Gateways. The following diagram shows an overview of the RBAC model in the API Gateway:

RBAC Overview

API Gateway Manager

The web-based API Gateway Manager tool (https://localhost:8090) is a centralized dashboard for managing and monitoring the API Gateway, and is controlled by RBAC. Users who connect to this URL with different roles see different features displayed.

For example, a user with the API Service Administrator or API Service Developer role can access the API Service Manager tool. However, users in the Policy Developer, API Gateway Operator, or Deployer roles cannot access the API Service Manager tool.

For more details on the tools and privileges assigned to specific user roles, see the topic on Managing Admin Users.

Protected Management Services

The Admin Node Manager exposes a number of REST Management Services, which are all protected by RBAC. For example, the exposed services and the associated tools that use them include the following:

Traffic Monitoring Service
  Tool: API Gateway Manager
  Description: Displays HTTP, HTTPS, JMS, and FTP message traffic processed by the API Gateway.

API Service Manager API
  Tool: API Gateway Manager
  Description: Enables users to virtualize REST APIs and SOAP Services on the API Gateway.

Configuration Service
  Tool: API Gateway Manager
  Description: Adds and removes tags on the API Gateway.

Topology API
  Tool: API Gateway Manager
  Description: Accesses and configures API Gateway domains.

Static Content Resources
  Tool: API Gateway Manager
  Description: Manages UI elements in a browser.

Deployment API
  Tool: Policy Studio
  Description: Deploys configurations to the API Gateway.

KPS Service
  Tool: Policy Studio
  Description: Manages a Key Property Store.


User Roles

User access to Management Services is determined by their role(s). Each role has a defined set of Management Services that it can access. A Management Service is defined by the URI used to access it, for example:

Role Name: API Gateway Operator
  Service Name: Topology API
  API Type: REST
  Example URI: /api/topology/hosts

Role Name: API Gateway Administrator
  Service Name: Deployment API
  API Type: REST
  Example URI: /api/router/service/instance-1/deployment/domain/deployments

Role Name: API Service Administrator
  Service Name: Static Content Resource
  API Type: Static
  Example URI: /


For full details on the default roles that have access to each Management Service, see the section called “Management Service Roles and Permissions”.

Local Admin User Store

By default, all the user credentials are stored in a local Admin User store in the following file:

INSTALL_DIR/conf/adminUsers.json

INSTALL_DIR is the directory where the API Gateway is installed as Admin Node Manager.

The following shows an example file:

{
  "version" : 1,
  "adminUserPasswords" : {
    "user-1" : "Y2hhbmdlbWU="
  },
  "productVersion" : "7.1.0",
  "adminUsers" : [ {
    "name" : "admin",
    "id" : "user-1",
    "roles" : [ "role-1", "role-4", "role-6", "role-7" ]
  } ],
  "adminUserRoles" : [ {
    "name" : "API Server Administrator",
    "id" : "role-1"
  }, {
    "name" : "API Server Operator",
    "id" : "role-2"
  }, {
    "name" : "API Service Administrator",
    "id" : "role-3"
  }, {
    "name" : "API Service Developer",
    "id" : "role-4"
  }, {
    "name" : "Deployer",
    "id" : "role-5"
  }, {
    "name" : "KPS Administrator",
    "id" : "role-6"
  }, {
    "name" : "Policy Developer",
    "id" : "role-7"
  } ],
  "uniqueIdCounters" : {
    "User" : 2,
    "Role" : 8
  }
}

The credentials from this file are used to authenticate and perform RBAC on all accesses to the Management Services. This store holds the user credentials, so their passwords can be verified, and also holds their roles. Credentials and associated roles can also be retrieved from an LDAP Directory Server (for example, Microsoft Active Directory or OpenLDAP).

For details on configuring an LDAP repository, see the following topics:

Access Control List

The Access Control List file (acl.json) is located in the conf directory of your API Gateway installation. This file lists each role and the Management Services that each role may access. By default, this file defines the following roles:

  • API Service Developer

  • API Service Administrator

  • API Gateway Administrator

  • API Gateway Operator

  • KPS Administrator

  • Policy Developer

  • Deployer

The default admin user is assigned the API Service Developer, API Gateway Administrator, KPS Administrator, and Policy Developer roles by default, which together allow access to everything. For full details on the Management Services that each role has access to, and the permissions that must be listed in the acl.json file to have access to them, see the table in the section called “Management Service Roles and Permissions”.

Important

The roles defined in the acl.json file should exist in the user store used to authenticate the users and load their roles and/or groups. The default roles are defined in the local Admin User store, which is used to control access to the Management Services using the Protect Management Interfaces policy. If a different user store is used (for example, an LDAP repository), the LDAP groups should be listed in the acl.json and adminUsers.json files.

Access Control List File Format

Each role entry in the acl.json file has the following format:

"role-name" : [ <list_of_permission_names> ]

The permissions consist of operations that are defined by HTTP methods and URIs:

"permission-name" : [ <list_of_operation_names> ]
"operation-name" : {
	"methods" : [ <list of HTTP Methods> ],
	"paths" : [ <list of path-names> ]
}

"path-name" : {
	"path" : <URI>
}

This file entry format is described as follows:

  • The permissions line is repeated for each permission the role has. To determine which permissions should be listed for each Management Service, see the table in the section called “Management Service Roles and Permissions”.

  • You can place a wildcard (*) at the end of the path field. For example, see the path for dojo resources in the example that follows. This means the role has access to all URIs that start with the URI content that precedes the *.

  • In some cases, you must protect a Management Service by specifying a query string after the URI. Exact matches only are supported for query strings.

Example Access Control List File

The following example shows the roles and permissions to URIs:

"paths" : {
	"root" : { "path" : "/" },
	"emc pages" : { "path" : "/emc/*" },
	"site images" : { "path" : "/images/*" },
	"dojo resources" : { "path" : "/dojo/*" },
	....
},

"operations" : {
	"emc_read_web" : {
		"methods" : [ "GET" ],
		"paths" : [ "emc pages", "dojo resources" ]
	},
	"common_read_web" : {
		"methods" : [ "GET" ],
		"paths" : [ "root", "site images" ]
	},
	....
},

"permissions" : {
	"emc" : [ "common_read_web", "emc_read_web" ],
	"config" : [ "configuration" ],
	"deploy" : [ "deployment", "management" ],
	"api_service_manager" : [ "servicemanager", "servicemanager.read", "management" ],
	"api_service_manager_modify" : [ "servicemanager.modify", "configuration" ],
	...
},

"roles" : {
	"API Service Administrator" : [ "emc", "mgmt", "api_service_manager" ],
	"Policy Developer" : [ "deploy", "config" ]
}
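The following is an added example, not part of the API Gateway product or its documentation: a minimal Python evaluator for the role -> permissions -> operations -> paths structure of acl.json shown above, applying the two matching rules from the file format section (a trailing wildcard on a path, exact matching when a query string is specified). The ACL is constructed for the example; the names "topology_read", "topology hosts" and "deployments" are assumptions, the others appear on this page. It also assumes that a path entry without a query string ignores any query string on the request.

```python
ACL = {  # constructed sample; "topology_read", "topology hosts", "deployments" are assumed names
    "paths": {
        "root": {"path": "/"},
        "emc pages": {"path": "/emc/*"},
        "dojo resources": {"path": "/dojo/*"},
        "topology hosts": {"path": "/api/topology/hosts"},
        "deployments": {"path": "/api/router/service/instance-1/deployment/domain/deployments"},
    },
    "operations": {
        "emc_read_web": {"methods": ["GET"], "paths": ["emc pages", "dojo resources"]},
        "common_read_web": {"methods": ["GET"], "paths": ["root"]},
        "topology_read": {"methods": ["GET"], "paths": ["topology hosts"]},
        "deployment": {"methods": ["GET", "POST", "PUT"], "paths": ["deployments"]},
    },
    "permissions": {
        "emc": ["common_read_web", "emc_read_web"],
        "mgmt": ["topology_read"],
        "deploy": ["deployment"],
    },
    "roles": {
        "API Gateway Operator": ["emc", "mgmt"],
        "API Gateway Administrator": ["emc", "mgmt", "deploy"],
    },
}

def path_matches(pattern, request_uri):
    # A trailing '*' matches every URI that starts with the preceding text.
    # A pattern with a query string must match the whole request URI exactly
    # (assumption: patterns without '?' ignore the request's query string).
    if "?" in pattern:
        return request_uri == pattern
    request_path = request_uri.split("?", 1)[0]
    if pattern.endswith("*"):
        return request_path.startswith(pattern[:-1])
    return request_path == pattern

def is_allowed(acl, roles, method, request_uri):
    # Deny by default: allow only when some role -> permission -> operation
    # grants this HTTP method on a path that matches the request.
    for role in roles:
        for permission in acl["roles"].get(role, []):
            for op_name in acl["permissions"].get(permission, []):
                operation = acl["operations"][op_name]
                if method.upper() not in operation["methods"]:
                    continue
                for path_name in operation["paths"]:
                    if path_matches(acl["paths"][path_name]["path"], request_uri):
                        return True
    return False
```

A role that is missing from the "roles" section, or a method the operation does not list, yields a denial rather than an error, which is the behaviour you want when checking a new role before restarting the Admin Node Manager.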

Configuring Users and Roles

You can use the API Gateway Manager to configure the users and roles in the local Admin User store. Click Settings -> Admin Users to view and modify user roles (assuming you have a role that allows this). This screen is displayed as follows:

Admin Users Screen

Managing User Roles

When you click Create to create a new user, you can select the roles to assign to that new user. New users are not assigned a default role, whereas users that are replicated from an LDAP repository do not require a role to be assigned to them. You can click Edit to change the roles assigned to a selected user.

Adding a New Role to the User Store

When you add a new role to the Admin User store, you must modify the available roles in the adminUsers.json and acl.json files in the conf directory of your Admin Node Manager installation. You must add the new role to the roles section of the acl.json file, which lists all the permissions that the new role may have.

Important

You must update the acl.json file before you add the roles to the Admin User store. The RBAC policy object automatically reloads the acl.json file each time you add or remove a role in Policy Studio.

When you update the acl.json file, you must restart the Admin Node Manager to reload the acl.json file. However, the Admin Node Manager does not need to be restarted or refreshed if a user's roles change.

For more details on managing user roles, see the topic on Managing Admin Users.

Management Service Roles and Permissions

You can use the following table for reference purposes when making changes to the acl.json file. It defines each Management Service and the default roles that have access to it. It also lists the permissions that must be listed in the acl.json file to have access to the Management Service.

API Gateway Manager (https://localhost:8090)
  Default Roles: API Gateway Administrator, API Gateway Operator, API Service Developer, API Service Administrator
  Permissions: emc, mgmt

API Service Manager (read-only access)
  Default Roles: API Gateway Administrator
  Permissions: emc, mgmt, api_service_manager

API Service Manager (write access)
  Default Roles: API Gateway Developer
  Permissions: emc, mgmt, api_service_manager, api_service_manager_modify

API Gateway Manager Dashboard
  Default Roles: API Gateway Administrator
  Permissions: emc, mgmt, mgmt_modify, dashboard, dashboard_modify, deploy, config

API Gateway Manager Dashboard (read-only access)
  Default Roles: API Gateway Operator
  Permissions: emc, mgmt, dashboard, dashboard_modify

API Gateway Manager Monitoring
  Default Roles: API Gateway Administrator, API Gateway Operator
  Permissions: emc, mgmt, monitoring, events, traffic_monitor, settings, settings_modify, logs

API Gateway Manager Traffic
  Default Roles: API Gateway Administrator, API Gateway Operator
  Permissions: emc, mgmt, traffic_monitor

API Gateway Manager Logs
  Default Roles: API Gateway Administrator, API Gateway Operator
  Permissions: emc, mgmt, logs

API Gateway Manager Events
  Default Roles: API Gateway Administrator, API Gateway Operator
  Permissions: emc, mgmt, monitoring, events

API Gateway Manager Settings
  Default Roles: API Gateway Administrator
  Permissions: emc, mgmt, mgmt_modify, settings, settings_modify

API Gateway Manager Settings (read-only access)
  Default Roles: API Gateway Operator
  Permissions: emc, mgmt, settings

Documentation
  Default Roles: API Gateway Administrator, API Gateway Operator, API Service Developer, API Service Administrator
  Permissions: emc, mgmt

KPS
  Default Roles: KPS Administrator
  Permissions: mgmt, kps

Policy Studio
  Default Roles: Policy Developer
  Permissions: mgmt, deploy, config

API Server Configuration Deployment
  Default Roles: API Gateway Administrator, Policy Developer, Deployer
  Permissions: mgmt, deploy, config