Enable authorized API services to obtain PassTickets to access them #448

@plavjanik

Description

This is a new functionality in ZAAS.

An authorized API service needs to obtain a PassTicket from ZAAS for an authenticated user in order to do an action that requires valid credentials (user ID and password/PassTicket), for example to change the thread-level security environment to the authenticated user ID.

  • The API service provides a valid JWT token and the application ID (APPLID) to the /ticket endpoint of ZAAS. If the token is valid, and the user is authorized to the APPLID, the returned response will contain a valid PassTicket that will be valid for at least a minute
    • The JWT token is passed in the same way as in /query endpoint
    • The request body is in JSON and contains a single field applid
  • Returns a failure indication if the token is expired or not valid or the ZAAS is not authorized to obtain PassTickets to the given APPLID
  • The successful response contains: userId, ticket, applicationName, for example:
    {
       "userId": "ZOWEUSER",
       "ticket": "LZTKEEDQ",
       "applicationName": "MYAPP"
    }
  • The API service can use /ticket only if it has provided valid TLS client certificate
    • This is to have the same level of protection as it is for PassTicket in z/OS and not allow any service to obtain PassTickets to any APPLID
    • If the API service is not authorized, the reason (missing/invalid client cert, or missing access to the resource above) is sent back to the API service so misconfiguration can be diagnosed by system programmers
  • It is expected that the API service is able to accept PassTickets and has done setup similar to https://bit.ly/35U7LOz and bypassed the replay protection (https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.3.0/com.ibm.zos.v2r3.icha700/passtic.htm)
    • The model documentation of how the API service should document its security requirements is provided
  • The API service is expected to limit the access to generated PassTickets within a secure network on z/OS (not send them to API clients such as web UIs or CLIs), ideally keeping them only inside the API service
  • The documentation contains steps on how to allow ZAAS to obtain PassTickets to given APPLID - see https://bit.ly/33uvgf6
  • The new endpoint is documented in the API documentation and https://github.com/zowe/api-layer/wiki/Zowe-Authentication-and-Authorization-Service is updated
  • Automated tests including negative tests are a must

Notes:
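The request flow described in the issue (client certificate required, JWT validated, APPLID authorization checked, and a diagnosable failure reason returned otherwise), modelled as an added example that is not the api-layer project's own code. The HS256 JWT minting/verification, the `AUTHORIZED_APPLIDS` table standing in for the SAF resource check, the function names and the random 8-character stand-in for a real SAF-generated PassTicket are all assumptions of this example; how the JWT reaches the handler is taken as a plain parameter since the issue only says it is passed "as in /query".

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import string
import time

# Constructed demo key; a real ZAAS verifies JWTs with its configured signing key.
JWT_SECRET = b"demo-secret-not-for-production"
# Constructed table of APPLIDs this ZAAS instance may obtain PassTickets for.
# It stands in for the SAF resource-access check the issue links to.
AUTHORIZED_APPLIDS = {"MYAPP"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(user_id: str, exp: int) -> str:
    """Issue a compact HS256 JWT with a subject and an expiry (seconds since epoch)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": user_id, "exp": exp}).encode())
    sig = hmac.new(JWT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, now: float):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        header, payload, sig = token.split(".")
        given_sig = _b64url_decode(sig)
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(JWT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given_sig):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def generate_passticket() -> str:
    """Stand-in for a SAF-generated PassTicket: 8 random uppercase characters."""
    return "".join(secrets.choice(string.ascii_uppercase) for _ in range(8))


def handle_ticket(client_cert_present: bool, token, body_json: str, now=None):
    """Model of the /ticket endpoint: returns (http_status, response_body).

    Checks are ordered so the caller learns exactly which precondition failed,
    which is what the issue asks for so system programmers can diagnose setup.
    """
    now = time.time() if now is None else now
    if not client_cert_present:
        return 403, {"error": "TLS client certificate missing or invalid"}
    claims = verify_jwt(token, now) if token else None
    if claims is None:
        return 401, {"error": "JWT token missing, invalid or expired"}
    try:
        body = json.loads(body_json)
    except json.JSONDecodeError:
        return 400, {"error": "request body is not valid JSON"}
    applid = body.get("applid") if isinstance(body, dict) else None
    if not isinstance(applid, str) or not applid:
        return 400, {"error": "request body must contain the 'applid' field"}
    if applid not in AUTHORIZED_APPLIDS:
        return 403, {"error": f"ZAAS is not authorized to obtain PassTickets for APPLID {applid}"}
    # Successful response carries exactly the three fields the issue lists.
    return 200, {"userId": claims["sub"], "ticket": generate_passticket(), "applicationName": applid}


if __name__ == "__main__":
    now = int(time.time())
    token = mint_jwt("ZOWEUSER", now + 600)
    print(handle_ticket(True, token, '{"applid": "MYAPP"}', now))
    print(handle_ticket(False, token, '{"applid": "MYAPP"}', now))
    print(handle_ticket(True, token, '{"applid": "OTHER"}', now))
```

The check order matters for the issue's last two bullets: a request without a client certificate is rejected before the JWT is even inspected, so a misconfigured caller cannot learn whether a token was acceptable, while an authorized caller with a good token still gets a specific message when the APPLID is not one ZAAS may issue tickets for.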
