...

NOTE: The examples demonstrate how to manage secure access with the adaptors resource but similar situations could apply with other resources.

...

GET /.../*: using wildcards may at times not be desirable, since doing so would grant access to resources that should be accessible only to the admin. For example:

```js
{
	"type": "ALLOW",
	"action": "GET",
	"resource": "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors/*"
}
```

would allow a user to see the registration information of every adaptor in the given zone:

```http
GET /zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors/7c11c574-0e35-4c78-b572-222952156ac8/registration
```

...

If the requirement is to grant a user detailed access to the adaptors in a zone but not to their registration information, then permission to the adaptors in the zone must be granted on an adaptor-by-adaptor basis. For example, assume the zone in our examples has three adaptors:

```js
[
  { ....
	"uuid": "7c11c574-0e35-4c78-b572-222952156aaa",
    ....
  },
  { ....
	"uuid": "ae91d787-65c9-4f24-bff4-e3acbd616bbb",
    ....
  },
  { ....
	"uuid": "ca445ebd-ffcb-4001-9d63-19e773a95ccc",
    ....
  }
]
```


And that a user has the following permissions:

```js
{
	"type": "ALLOW",
	"action": "GET",
	"resource": "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors"
},
{
	"type": "ALLOW",
	"action": "GET",
	"resource": "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors/7c11c574-0e35-4c78-b572-222952156aaa/*"
},
{
	"type": "ALLOW",
	"action": "GET",
	"resource": "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors/ae91d787-65c9-4f24-bff4-e3acbd616bbb"
}
```

...

```http
GET /zones/18e1f27a-36b5-472f-a03c-6831fb78f97a/adaptors
```

```js
[
  { ....
	"uuid": "7c11c574-0e35-4c78-b572-222952156aaa",
    ....
  },
  { ....
	"uuid": "ae91d787-65c9-4f24-bff4-e3acbd616bbb",
    ....
  },
  { ....
	"uuid": "ca445ebd-ffcb-4001-9d63-19e773a95ccc",
    ....
  }
]
```


Detailed access to either adaptor named in the permissions (the ones ending in aaa and bbb) would be allowed, but the following request would be denied:

...

But the user could not retrieve the registration details for the adaptor ending in bbb, since the wildcard was not applied to that adaptor, nor for the adaptor ending in aaa, since specific permissions for it were not granted.

This allows information about the adaptors to be shared while limiting access to the sensitive registration information of each adaptor.
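The two permission sets above (the zone-wide `/adaptors/*` wildcard and the per-adaptor grants) are easier to reason about when you can evaluate them against concrete requests. The following is an added example, not code from the wiki page or its product: a small evaluator for ALLOW rules of the shape shown on this page, plus an audit helper that reports which adaptors' registration endpoints a rule set exposes. The matching semantics are an assumption, since the page does not spell them out: a rule matches when its `resource` equals the request path, or when the `resource` ends in `/*` and the path is that base or anything beneath it; with only ALLOW rules, anything unmatched is denied. The zone and adaptor UUIDs are the ones used in the examples above.

```python
"""Added example (not the page's own code): evaluate ALLOW rules with a
trailing "/*" wildcard against GET requests, using the page's sample UUIDs.

Assumed semantics (the page does not define them):
  * "resource" without "/*" matches only that exact path;
  * "resource" ending in "/*" matches the base path itself and any path
    beneath it (one or more further segments);
  * only ALLOW rules exist, so a request no rule matches is denied.
"""

ZONE = "/zones/18e1f27a-36b5-472f-a03c-6831fb78f97a"   # zone from the examples
AAA = "7c11c574-0e35-4c78-b572-222952156aaa"         # adaptor ending in aaa
BBB = "ae91d787-65c9-4f24-bff4-e3acbd616bbb"         # adaptor ending in bbb
CCC = "ca445ebd-ffcb-4001-9d63-19e773a95ccc"         # adaptor ending in ccc


def rule_matches(rule: dict, action: str, path: str) -> bool:
    """True if one ALLOW rule grants `action` on `path` under the assumed semantics."""
    if rule.get("type") != "ALLOW" or rule.get("action") != action:
        return False
    resource = rule["resource"]
    if resource.endswith("/*"):
        base = resource[:-2]
        # Match the base itself or anything under it; the "/" guard keeps
        # ".../adaptors/*" from matching an unrelated ".../adaptorsX" path.
        return path == base or path.startswith(base + "/")
    return path == resource


def is_allowed(rules, action: str, path: str) -> bool:
    """Default-deny: the request is allowed only if some rule matches it."""
    return any(rule_matches(rule, action, path) for rule in rules)


def evaluate(rules, paths) -> dict:
    """Map each request path to its allow/deny decision for GET."""
    return {path: is_allowed(rules, "GET", path) for path in paths}


def registration_exposed(rules, adaptor_uuids) -> set:
    """Audit helper: which adaptors' registration info does this rule set expose?"""
    return {
        uuid for uuid in adaptor_uuids
        if is_allowed(rules, "GET", f"{ZONE}/adaptors/{uuid}/registration")
    }


# The coarse grant from the first example: one wildcard over every adaptor.
WILDCARD_RULES = [
    {"type": "ALLOW", "action": "GET", "resource": f"{ZONE}/adaptors/*"},
]

# The per-adaptor grant from the second example.
PER_ADAPTOR_RULES = [
    {"type": "ALLOW", "action": "GET", "resource": f"{ZONE}/adaptors"},
    {"type": "ALLOW", "action": "GET", "resource": f"{ZONE}/adaptors/{AAA}/*"},
    {"type": "ALLOW", "action": "GET", "resource": f"{ZONE}/adaptors/{BBB}"},
]

# Requests worth checking: the listing, each adaptor's detail, and registration.
REQUESTS = [
    f"{ZONE}/adaptors",
    f"{ZONE}/adaptors/{AAA}",
    f"{ZONE}/adaptors/{AAA}/registration",
    f"{ZONE}/adaptors/{BBB}",
    f"{ZONE}/adaptors/{BBB}/registration",
    f"{ZONE}/adaptors/{CCC}",
]

if __name__ == "__main__":
    for name, rules in (("wildcard", WILDCARD_RULES), ("per-adaptor", PER_ADAPTOR_RULES)):
        print(f"--- {name} rules ---")
        for path, ok in evaluate(rules, REQUESTS).items():
            print(f"{'ALLOW' if ok else 'DENY ':5} GET {path}")
        exposed = registration_exposed(rules, [AAA, BBB, CCC])
        print(f"registration readable for: {sorted(exposed) or 'none'}")
```

Under these semantics the zone-wide wildcard exposes all three adaptors' registration data, while the per-adaptor set exposes only the aaa adaptor's (through its own `/*`), denies the bbb adaptor's registration and denies everything about the ccc adaptor, which is not named at all. `registration_exposed` is the check to run before handing out a rule set: if it returns more adaptors than intended, a wildcard is too broad.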

...