Rudder plugin: API Authorizations

This project is part of Rudder - Continuous configuration for effective compliance

Rudder is an easy to use, web-driven, role-based solution for IT Infrastructure Automation & Compliance.

See: http://rudder-project.org for more information.

Synopsis

This plugin provides fine-grained Access Control Lists (ACLs) on the Rudder API: an API token can be restricted to a chosen set of endpoints. It also lets registered Rudder users obtain a personal API token carrying the same rights as their role grants them.

Logging

You can log information about ACL evaluation (behaviour and errors) by adding the following logger to your logback.xml file. It is shown here at level `off`, which disables it; set the level to `debug` (or `trace`) to enable it:

  <!--
      API ACLs
      ========
      Information about ACL evaluation for APIs.

      This logger allows you to get extra information about
      API ACL resolution.

   -->
  <logger name="api-acl" level="off" />

API Authorizations

User personal API token

When the api-authorizations plugin is installed, any logged-in user can get a personal API token by clicking on their login information:

User requesting a personal API token

Once you click the button, you get your personal API token, which can be revoked at any time:

Personal API token information

The user can use that token to execute API requests for the same actions their role allows:

Personal API token information

These actions are recorded in the Rudder event log as performed by the user who owns the API token:

Personal API token information

API ACLs

The plugin also allows configuring fine-grained access control for a token. By selecting the "Custom ACL" access level, you can choose which endpoints are accessible with that API token; any endpoint not listed is denied.

For example, you can create an API token which can only access compliance information:

Create a new API token with "ACL" access level

And only authorize access to compliance endpoints

That token can of course access compliance related endpoints:

Token can access compliance information

But if it tries to access any other endpoint, it gets an authorization error:

Token is not authorized to access directives information
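The following is an added example illustrating the behaviour described above (a compliance-only token is accepted on compliance endpoints and refused elsewhere, and the token is sent as a request header). It is not the plugin's own code: the `Rule` data structure, the `verb` + `path pattern` rule syntax and the `*` wildcard are assumptions made for illustration, not Rudder's actual ACL format. The `X-API-Token` header is the one Rudder's REST API reads; the `/api/latest/...` base path is assumed.

```python
"""Illustrative model of per-token endpoint ACLs (not the api-authorizations plugin's code).

A token carries a list of rules. Each rule names an HTTP verb and a path
pattern; a trailing '/*' matches the path itself and any sub-path. A request
is allowed only if some rule matches both verb and path. Anything else is
denied, which is the behaviour the README describes for "Custom ACL" tokens.
The rule syntax here is an assumption for the example, not Rudder's own.
"""
from dataclasses import dataclass
import urllib.request


@dataclass(frozen=True)
class Rule:
    verb: str       # HTTP verb, e.g. "GET"
    pattern: str    # assumed syntax: "compliance/*" or an exact path like "directives"


def _path_matches(pattern: str, path: str) -> bool:
    """Exact match, or prefix match when the pattern ends in '/*'."""
    path = path.strip("/")
    pattern = pattern.strip("/")
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern


def is_authorized(acl, verb: str, path: str) -> bool:
    """Default deny: allowed only if at least one rule matches verb and path."""
    verb = verb.upper()
    return any(rule.verb.upper() == verb and _path_matches(rule.pattern, path)
               for rule in acl)


# A token that may only read compliance information (constructed sample ACL).
COMPLIANCE_ONLY = (Rule("GET", "compliance/*"),)


def evaluate(acl, requests):
    """Map each (verb, path) request to 'allowed' or 'denied' under the ACL."""
    return {(verb, path): ("allowed" if is_authorized(acl, verb, path) else "denied")
            for verb, path in requests}


def build_request(base_url: str, token: str, path: str, verb: str = "GET"):
    """Build the HTTP request a client would send: the token travels in X-API-Token.

    The '/api/latest/' base path is assumed for the example. Nothing is sent here;
    the caller decides whether to open the request.
    """
    url = f"{base_url.rstrip('/')}/api/latest/{path.strip('/')}"
    req = urllib.request.Request(url, method=verb.upper())
    req.add_header("X-API-Token", token)
    return req


if __name__ == "__main__":
    # Constructed sample requests: only the first two should pass.
    sample = [("GET", "compliance"), ("GET", "compliance/nodes"),
              ("GET", "directives"), ("POST", "compliance")]
    for (verb, path), verdict in evaluate(COMPLIANCE_ONLY, sample).items():
        print(f"{verb:5} {path:20} -> {verdict}")
    req = build_request("https://rudder.example.com/rudder", "token-placeholder", "compliance")
    print(req.get_method(), req.full_url)
```

The important property to check in a real deployment is the default-deny half: a token whose ACL lists only `compliance` endpoints must be refused on `directives`, `rules`, `nodes` and every write verb, not merely allowed on compliance. Verify that with the real token against the live API, and enable the `api-acl` logger described above while doing so, since the log shows which rule (if any) matched.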