Authorization
Gateway provides different mechanisms to manage authorization in secured environments. One of the most effective and powerful methods is secured endpoints, which allow MOC administrators to restrict access to internal MOC endpoints through configuration properties at the Gateway.
Securing endpoints through the gateway
This configuration requires two components:
Rule-based authorities
Protected endpoints.
1- Rule-based authorities:
Rules that map OAuth2 token claims to granted authorities.
These rules are defined under:
oauth2:
  resource-server:
    authorization:
      rule-based-authorities:
Each rule is defined by:
- authority-name: GrantedAuthorityNameToBeAssigned
  claim-value-condition:
    claims: token_claim_name_one,token_claim_name_two
    values: expected_value_one,expected_value_two
Sample configurations:
oauth2:
  resource-server:
    authorization:
      rule-based-authorities:
        - authority-name: modelopEngineOnlyModelManage
          claim-value-condition:
            claims: user_id,client_id
            values: model-manage
        - authority-name: modelopEngineOnlyModelManageAndMlc
          claim-value-condition:
            claims: user_id,client_id
            values: model-manage,mlc-service
        - authority-name: modelop-monitor
          claim-value-condition:
            claims: user_id,client_id
            values: model-manage,mlc-service
If the Gateway receives a token whose claims satisfy one of the predefined rules, that user gets the rule's authority-name added as a granted authority.
As an example:
Using the above configurations and receiving a token with the following claims:
{
  "issuer": "",
  "client_id": "model-manage",
  "created_date": "09/10/1986",
  "memberOf": "modelop"
}
The resulting granted authorities will be:
modelopEngineOnlyModelManage,modelopEngineOnlyModelManageAndMlc,modelop-monitor
2- Protected endpoints
These protected endpoints are defined under:
gateway:
  security:
    protectedEndpoints:
Each protected endpoint is defined by:
- grantedAuthorityName: required_granted_authority_name
  endpoints: comma_separated_list_of_endpoints
Sample configurations:
gateway:
  security:
    # List of protected endpoints only available for Users with predefined grantedAuthorities
    protectedEndpoints:
      ## NOTE: The Order is KEY to have it working as expected, generic rules should be at the BOTTOM.
      ## Protected ModelOp engine TEST allowing access ONLY to ModelManage
      - grantedAuthorityName: modelopEngineOnlyModelManage
        endpoints: /engine-protected-modelop-test/api/roundtrip/0/1
      ## Protected ModelOp engine with wildcard allowing access to ModelManage and mlc-service
      - grantedAuthorityName: modelopEngineOnlyModelManageAndMlc
        endpoints: /engine-protected-modelop-**/api/roundtrip/0/1
Example 1:
Using the above configurations and receiving a token that generates the following granted authorities:
modelopEngineOnlyModelManage,modelopEngineOnlyModelManageAndMlc,modelop-monitor
Result:
The request will be able to access all endpoints.
Example 2:
Using the above configurations and receiving a token that generates the following granted authorities:
modelopEngineOnlyModelManageAndMlc,modelop-monitor
Result:
The request won't be able to access /engine-protected-modelop-test/api/roundtrip/0/1, but will be able to access endpoints matching /engine-protected-modelop-**/api/roundtrip/0/1.
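The two components above work as one pipeline: the token's claims are mapped to granted authorities, then the request path is matched against the ordered protectedEndpoints list and the caller must hold the authority of the entry that matches. The following Python script is an added example, not part of this page or of the Gateway code base; it simulates that pipeline over the page's sample configuration (embedded as Python dictionaries rather than YAML) and reproduces the worked examples. It assumes, as the page's examples imply, that a rule matches when any listed claim carries any listed value, that the first matching protected-endpoint entry decides which authority is required, and a simplified Ant-style wildcard in which ** may span path segments; the /engine-protected-modelop-prod/... path is a constructed example of a path reached through the wildcard. The last run shows why the note about ordering matters: with the generic entry on top, it shadows the specific one.

```python
import re
from typing import Dict, List, Optional

# Constructed mirror of the page's sample rule-based-authorities YAML.
RULE_BASED_AUTHORITIES = [
    {"authority-name": "modelopEngineOnlyModelManage",
     "claim-value-condition": {"claims": "user_id,client_id", "values": "model-manage"}},
    {"authority-name": "modelopEngineOnlyModelManageAndMlc",
     "claim-value-condition": {"claims": "user_id,client_id", "values": "model-manage,mlc-service"}},
    {"authority-name": "modelop-monitor",
     "claim-value-condition": {"claims": "user_id,client_id", "values": "model-manage,mlc-service"}},
]

# Constructed mirror of the page's sample protectedEndpoints YAML. Order matters:
# the specific "test" entry sits above the generic wildcard entry.
PROTECTED_ENDPOINTS = [
    {"grantedAuthorityName": "modelopEngineOnlyModelManage",
     "endpoints": "/engine-protected-modelop-test/api/roundtrip/0/1"},
    {"grantedAuthorityName": "modelopEngineOnlyModelManageAndMlc",
     "endpoints": "/engine-protected-modelop-**/api/roundtrip/0/1"},
]

# Sample token claims taken from the page's worked example.
SAMPLE_CLAIMS = {"issuer": "", "client_id": "model-manage",
                 "created_date": "09/10/1986", "memberOf": "modelop"}


def _split_csv(value: str) -> List[str]:
    """The config lists claims, values and endpoints as comma-separated strings."""
    return [item.strip() for item in value.split(",") if item.strip()]


def granted_authorities(claims: Dict[str, str],
                        rules: List[dict] = RULE_BASED_AUTHORITIES) -> List[str]:
    """Return the authority-name of every rule the token satisfies, in config order.

    Assumption (consistent with the page's example): a rule matches when ANY of its
    listed claims is present in the token with ANY of its listed values.
    """
    granted = []
    for rule in rules:
        cond = rule["claim-value-condition"]
        claim_names = _split_csv(cond["claims"])
        expected = _split_csv(cond["values"])
        if any(n in claims and str(claims[n]) in expected for n in claim_names):
            granted.append(rule["authority-name"])
    return granted


def _pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Simplified Ant-style matcher (assumption): '**' may span '/' boundaries, '*' may not."""
    regex, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            regex, i = regex + ".*", i + 2
        elif pattern[i] == "*":
            regex, i = regex + "[^/]*", i + 1
        else:
            regex, i = regex + re.escape(pattern[i]), i + 1
    return re.compile("^" + regex + "$")


def required_authority(path: str,
                       protected: List[dict] = PROTECTED_ENDPOINTS) -> Optional[str]:
    """First matching entry wins (the assumption behind the 'order is KEY' note)."""
    for entry in protected:
        for pattern in _split_csv(entry["endpoints"]):
            if _pattern_to_regex(pattern).match(path):
                return entry["grantedAuthorityName"]
    return None  # no protected-endpoint rule applies to this path


def is_allowed(path: str, authorities: List[str],
               protected: List[dict] = PROTECTED_ENDPOINTS) -> bool:
    """Allow when no entry protects the path, or the caller holds the required authority."""
    needed = required_authority(path, protected)
    return needed is None or needed in authorities


if __name__ == "__main__":
    auths = granted_authorities(SAMPLE_CLAIMS)
    print("granted:", ",".join(auths))  # the three authorities from the page's example

    test_path = "/engine-protected-modelop-test/api/roundtrip/0/1"
    other_path = "/engine-protected-modelop-prod/api/roundtrip/0/1"  # constructed, matched by the wildcard
    print("example 1:", is_allowed(test_path, auths), is_allowed(other_path, auths))

    reduced = ["modelopEngineOnlyModelManageAndMlc", "modelop-monitor"]
    print("example 2:", is_allowed(test_path, reduced), is_allowed(other_path, reduced))

    # Misordering: with the generic wildcard entry on top it shadows the specific
    # entry, so the reduced token reaches the ModelManage-only endpoint.
    shadowed = list(reversed(PROTECTED_ENDPOINTS))
    print("misordered:", is_allowed(test_path, reduced, shadowed))
```

Run it as a script to see the three results side by side; when reviewing a real protectedEndpoints list, the `required_authority` check against the most specific paths is the quickest way to confirm that no generic entry above them is the one actually deciding access.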
Securing MLC-service endpoints
mlc:
  camunda:
    access:
      enabled: true
      rest:
        deploy:
          groups: commaSeparatedGroupNames_toDeploy
        signal:
          groups: commaSeparatedGroupNames_toSendSignals
        signal-responsive:
          groups: commaSeparatedGroupNames_toSendSignalsResponsives