-
Notifications
You must be signed in to change notification settings - Fork 12
Users management design
José Bonnet edited this page Mar 18, 2019
·
4 revisions
This page explains the design of the Gatekeeper in managing users.
User Management in 5GTANGO is implemented through the tng-gtk-usr component. The Gatekeeper implements some rules, which are explained elsewhere, that complement that component.
Anonynous users are users that do not yet possess a token. Anonymous users can have access to the following APIs.
| Action | Verb | Endpoint | Comments |
|---|---|---|---|
| User creation | POST | /api/v3/users |
User creation must obviously be done by an anonymous user; the data stored on the user is returned |
| User login | POST | /api/v3/users/sessions |
the user login; the login process, if successfull, returns a token that then turn the user into an authenticated user, when the token is sent with any other request |
| * | * | * | Any other endpoint or verb used without an authentication token should result in an error being returned (mostly 401 Unauthorized) |
For some examples of usage of the above explained endpoints, please check the Users management usage wiki page.
Authenticated users posess a token that they use in each request they do to the API, passing the token in the Authorization HTTP header, as a bearer token.
| Action | Verb | Endpoint | Comments |
|---|---|---|---|
| User creation | POST | /api/v3/users |
When the user creation is done by an authenticated user and this user plays the role of an admin, the created user can be created also with the admin role; the data stored on the user is returned |
| User view | GET | /api/v3/users |
when the authenticated user has the admin role, all users data is returned; otherwise, only the authenticated user data is returned. The password field is never shown |
| User update | PATCH | /api/v3/users |
Only authenticated users with the role admmin can update other users's data, which includes making them part of the admin role. Users with the other roles can only update their own data |
| User deletion | DELETE | /api/v3/users |
Only authenticated users with the role admmin can delete other users's data. Users with the other roles can only delete their own data. |
| User logout | DELETE | /api/v3/users/sessions |
Logging out means destroying the session that was created by logging in |
| * | * | * | Any other endpoint or verb used should result in an error being returned (mostely 403 Forbidden) |