
Ability to manage access to different HTTP methods using RH-SSO role check policy

    • Feature Request
    • Resolution: Done
    • Minor
    • None
    • 2.4 GA
    • Gateway
    • Not Started

      Having the ability to restrict allowed methods on the gateway based on the user roles in RH-SSO is useful when users want to restrict a certain group of users.

      For example, role=admin can have access to all the GET/POST/PUT/DELETE methods,
      but role=user should only have access to GET method.

      Is it possible to add this feature to the RH-SSO role check policy?

            [THREESCALE-2236] Ability to manage access to different HTTP methods using RH-SSO role check policy

            Luca Mattia Ferrari added a comment - agreeing with dortiz-1 from customer perspective

            David Ortiz (Inactive) added a comment -

            I don't think liquid is the best solution in this case rhn-support-keprice

            If I understood it correctly, we need to give or deny access to a role for a specific http_method + http_request_path. For me, the most intuitive thing is to have 2 separate fields for the method and the path (resource in this policy). I think that's more user friendly than defining a complex liquid expression with conditionals.

            Kevin Price added a comment -

            dortiz-1 could we also evaluate the resource field as liquid with something like the following?

            {% if http_method == "GET" %} /foo {% elsif http_method == "POST" %} /foo {% endif %}

            David Ortiz (Inactive) added a comment -

            I think that it should be possible to add a new "request_method" attribute to the policy config.
            It should be optional and default to "any_method" to keep backwards compatibility.
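
A minimal model of the check discussed in this thread (a role allowed on a resource, optionally limited to one HTTP method), added here as an illustration and not the policy's own code. `request_method` and `any_method` are the names proposed above; the `Rule` class, the path-matching rule and the sample token claims are assumptions.

```python
from dataclasses import dataclass

ANY_METHOD = "any_method"  # proposed default: rules without a method keep working


@dataclass(frozen=True)
class Rule:
    role: str
    resource: str                     # path the role may reach (hypothetical field layout)
    request_method: str = ANY_METHOD  # optional, so existing rules stay valid


def roles_from_claims(claims):
    """Realm roles as RH-SSO (Keycloak) places them in the access token."""
    return set(claims.get("realm_access", {}).get("roles", []))


def path_matches(resource, path):
    """Assumed matching rule: exact path or a sub-path on a segment boundary,
    so a rule for /foo does not also cover /foobar."""
    base = resource.rstrip("/")
    return path == base or path.startswith(base + "/")


def is_allowed(rules, roles, method, path):
    """Whitelist semantics: deny unless a rule matches role, path and method."""
    method = method.upper()
    for rule in rules:
        if rule.role not in roles or not path_matches(rule.resource, path):
            continue
        if rule.request_method == ANY_METHOD or rule.request_method.upper() == method:
            return True
    return False


# Constructed sample data mirroring the request: admin gets every method, user only GET.
RULES = [Rule("admin", "/foo"), Rule("user", "/foo", "GET")]
USER_CLAIMS = {"realm_access": {"roles": ["user"]}}
ADMIN_CLAIMS = {"realm_access": {"roles": ["admin", "user"]}}

if __name__ == "__main__":
    for claims, method in [(USER_CLAIMS, "GET"), (USER_CLAIMS, "DELETE"), (ADMIN_CLAIMS, "DELETE")]:
        print(sorted(roles_from_claims(claims)), method,
              is_allowed(RULES, roles_from_claims(claims), method, "/foo/1"))
```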

              Unassigned
              cabeywar-cssre Chamal Abeywardhana
              Eloy Coto (Inactive)