API Gateway Authorizers: Difference between revisions

From Izara Wiki
Jump to navigation Jump to search
No edit summary
mNo edit summary
 
Line 1: Line 1:
= Overview =
= Overview =


Each request from an external service to backend services passes the API Gateway which sets an optional authorizer for the request. Authorizers are setup in the [[Service - User Account|User Account Service]].
Each request from an external service to backend services passes through the **API Gateway**, which applies an optional authorizer for access control. Authorizers are configured within the [[Service - User Account|User Account Service]].


= Authorizer Levels=
== Service Resource Action Structure ==
The '''service_resource_action''' string defines specific permissions and is used by the Authorizer to match the requested action. The structure is uniform across both AppLevel and UserLevel.
 
=== 1. ObjectType belongTo ===
Used to define access rights for a specific object type endpoint.
<syntaxhighlight lang="JavaScript">
{
  service_resource_action:"{serviceTag}_{objectType}_{apiMethods}",
}
</syntaxhighlight>
* **`{serviceTag}`:** Specifies the target **Service** name.
* **`{objectType}`:** Specifies the target **Resource** or Object (e.g., Config, Product).
* **`{apiMethods}`:** Specifies the permitted **Action** (e.g., Create, Get, Update).
 
=== 2. Flow Schema Format ===
Used to define permissions for the flowSchema, which allows who can access it.
<syntaxhighlight lang="JavaScript">
{
  service_resource_action:"{serviceTag}_{flowTag}_{flowTag}",
}
</syntaxhighlight>
* **`{serviceTag}`:** Specifies the target **Service**.
* **`{flowTag}`:** A variable representing the specific **Resource** or **Action** (Flow).
 
 
= Authorizer Levels =


== AppLevel ==
== AppLevel ==
There is no “owner” for this level, users with application level permissions to administer roles can do so
This level enforces application-wide permissions and has **no single owner**. Users granted application-level administrative rights can manage roles and settings across the entire service.
#Can change other user roles.  
 
#Can create new roles  
* Can change other user roles.
#Change site-wide settings  
* Can create new roles.
#SuperUser permissions for lower level RBAC (eg:  User level or Category level RBAC permissions)TODO: so, you all need to give the role permission to user)
* Change site-wide settings.
* Grants **SuperUser** permissions for lower-level RBAC (e.g., User level or Category level RBAC permissions).
:'''Context:''' Permissions focus on **application-wide/system-level** rights.


=== allow the role permission to user appLevel ===
=== allow the role permission to user appLevel ===
*'''SuperUser'''  
*'''SuperUser'''
:can do all actions:
:can do all actions:
:: CREATE | UPDATE | DELETE | GET | LIST
:: CREATE | UPDATE | DELETE | GET | LIST
*'''VerifiedUser'''
*'''VerifiedUser'''
:can do some actions:
:can do some actions:
:: CREATE | GET | LIST  
:: CREATE | GET | LIST
*'''BasicUser '''  
*'''BasicUser '''
:can do few actions:
:can do few actions:
:: GET
:: GET


==== example reloPermission ====
==== example rolePermission ====
*'''AppLevel:superUser'''
*'''AppLevel:superUser (ObjectType belongTo)'''
<syntaxhighlight lang="JavaScript">
{
  roleIdKey:"AppLevel_this-is-uuid-for-role-superUserA",
  service_resource_action:"ServiceTemplate_Config_Create",
  permission: "accept"
}
</syntaxhighlight>
*'''AppLevel:verifiedUser (ObjectType belongTo)'''
<syntaxhighlight lang="JavaScript">
<syntaxhighlight lang="JavaScript">
{  
{
  "roleIdKey":"AppLevel_this-is-uuid-for-role-superUserA",  
  roleIdKey: "AppLevel_this-is-uuid-for-role-verifiedUserA",
  "service_resource_action":"ServiceTemplate_Config_Create",  
  service_resource_action: "ServiceTemplate_Config_Create",
  "permission": "accept"  
  permission: "accept"
}  
}
</syntaxhighlight>
</syntaxhighlight>
*'''AppLevel:verifiedUser'''
*'''AppLevel:basicUser (ObjectType belongTo)'''
<syntaxhighlight lang="JavaScript">
<syntaxhighlight lang="JavaScript">
{  
{
  "roleIdKey": "AppLevel_this-is-uuid-for-role-verifiedUserA",  
  userId: "this-is-uuid-for-user-basicUserA",
  "service_resource_action": "ServiceTemplate_Config_Create",
  roleIdKey: "AppLevel_this-is-uuid-for-role-basicUserA"
  "permission": "accept"  
}
}
</syntaxhighlight>
</syntaxhighlight>
*'''AppLevel:basicUser'''
*'''AppLevel:basicUser (FlowSchema)'''
<syntaxhighlight lang="JavaScript">
<syntaxhighlight lang="JavaScript">
{  
{
   "roleIdKey": "AppLevel_this-is-uuid-for-role-basicUserA",  
   roleIdKey: "AppLevel_this-is-uuid-for-role-basicUserA",
   "service_resource_action": "UserAccountAppLevel_UserRole_Get",  
   service_resource_action: "ServiceTemplate_createSomething_createSomething",
   "permission": "accept"  
   permission: "accept"
}
}
</syntaxhighlight>
</syntaxhighlight>
==== example UserRoles ====
==== example UserRoles ====
*'''AppLevel:superUser'''
*'''AppLevel:superUser'''
<syntaxhighlight lang="JavaScript">
<syntaxhighlight lang="JavaScript">
{  
{
  "userId": "this-is-uuid-for-user-superUserA",  
  userId: "this-is-uuid-for-user-superUserA",
  "roleIdKey": "AppLevel_this-is-uuid-for-role-superUserA"  
  roleIdKey: "AppLevel_this-is-uuid-for-role-superUserA"
}
}
</syntaxhighlight>
</syntaxhighlight>
*'''AppLevel:verifiedUser'''
*'''AppLevel:verifiedUser'''
<syntaxhighlight lang="JavaScript">
<syntaxhighlight lang="JavaScript">
{  
{
   "userId": "this-is-uuid-for-user-verifiedUserA",  
   userId: "this-is-uuid-for-user-verifiedUserA",
   "roleIdKey": "AppLevel_this-is-uuid-for-role-verifiedUserA"  
   roleIdKey: "AppLevel_this-is-uuid-for-role-verifiedUserA"
}
}
</syntaxhighlight>
</syntaxhighlight>
*'''AppLevel:basicUser'''
<syntaxhighlight lang="JavaScript">
{
  "userId": "this-is-uuid-for-user-basicUserA",
  "roleIdKey": "AppLevel_this-is-uuid-for-role-basicUserA"
}
</syntaxhighlight>


==== setting for authorizer appLevel ====
==== setting for authorizer appLevel ====
*function.yml  
*'''APIv1 (REST API)'''
:For LambdaFunctionHdrApi applevel
:Uses the `arn` of the authorizer and `request` type in `function.yml`.
<syntaxhighlight lang="JavaScript">
**function.yml
LambdaFunctionHdrApi:  
<syntaxhighlight lang="yaml">
   events:  
LambdaFunctionHdrApi:
  - http:  
   events:
      path: Lambda/LambdaAction
    - http:
      method: post  
        path: Lambda/LambdaAction
      cors: true  
        method: post
      authorizer:  
        cors: true
        arn: ${self:custom.iz_authorizerAppLevel}
        authorizer:
        type request  
          arn: ${self:custom.iz_authorizerAppLevel}
        resultTtlInSeconds: 0  
          type: request
          resultTtlInSeconds: 0
</syntaxhighlight>
*'''APIv2 (HTTP API)'''
:Uses a centralized `authorizers` definition in `serverless.yml` and references the authorizer name in `function.yml`.
**serverless.yml
<syntaxhighlight lang="yaml">
provider:
  httpApi:
    cors: true
    payload: "2.0"
    authorizers: ${file(sls_yaml/generatedCode/source/Authorizer.yml)}
</syntaxhighlight>
</syntaxhighlight>
**function.yml (Examples)
<syntaxhighlight lang="yaml">
# ObjectType belongTo Matching ({serviceTag}/{objectType}/{action})
LambdaFunctionHdrApi:
  events:
    - httpApi:
        path: /{serviceTag}/{objectType}/{action}
        method: put
        authorizer: authorizerServiceSchema


# Flow Schema Matching ({serviceTag}/{flowTag}/{flowTag})
LambdaFunctionHdrApi:
  events:
    - httpApi:
        path: /{serviceTag}/{flowTag}/{flowTag}
        method: put
        authorizer: authorizerServiceSchema
</syntaxhighlight>


== UserLevel ==
== UserLevel ==
Permissions at this level are **linked to a specific user ID**. The user corresponding to that ID is considered the **owner** and always retains full permissions for their own resources.
* All permissions are linked to one user id.
* All permissions are linked to one user id.
* Has an owner (the current user), that user always has full permissions for their user id.
* The current user is the owner and always has full permissions for their user id.
* Available roles are shared by all users, any user can create new roles and add permissions, roles can then be used by any users.  
* Available roles are shared by all users.
* Only the creator of the role can make changes later (for the start - in future we can add RBAC management of user level roles).
* Only the creator of a role can make subsequent changes (initial state).
:'''Context:''' Permissions focus on **accessing resources tied to a specific User ID**; requires Target ID scoping in the API path.


=== example permissions: ===
=== example permissions: ===
* Can administer users roles/permissions  
* Can administer user roles/permissions linked to this user ID.
* Can administer sell offers for this user  
* Can administer sell offers for this user.


=== allow the role permission to user ===
=== allow the role permission to user ===
*'''SuperUser'''  
*'''SuperUser'''
:can do all actions:
:can do all actions:
:: CREATE | UPDATE | DELETE | GET | LIST
:: CREATE | UPDATE | DELETE | GET | LIST
*'''VerifiedUser'''
*'''VerifiedUser'''
:can do some actions:
:can do some actions:
:: CREATE | GET | LIST  
:: CREATE | GET | LIST
*'''BasicUser '''  
*'''BasicUser '''
:can do few actions:
:can do few actions:
:: GET  
:: GET


==== example rolePermission ====
==== example rolePermission ====
* Create role permission, user can do action, can create in seed data or run from
* Role permissions are created either via seed data or the API endpoint: '''RolePermissionCreateHdrApi''' (https://us-east-2.console.aws.amazon.com/apigateway/home?region=us-east-2#/apis/rwnhg855jd/resources/y8erkk)
https://us-east-2.console.aws.amazon.com/apigateway/home?region=us-east-2#/apis/rwnhg855jd/resources/y8erkk : '''RolePermissionCreateHdrApi'''


*'''UserLevel:verifiedUser'''
*'''UserLevel:verifiedUser (ObjectType belongTo)'''
:<syntaxhighlight lang="JavaScript">
:<syntaxhighlight lang="JavaScript">
{  
{
   "roleIdKey":"UserLevel_this-is-uuid-for-role-verifiedUserA_this-is-uuid-for-role-verifiedUserB",  
   roleIdKey:"UserLevel_this-is-uuid-for-role-verifiedUserA_this-is-uuid-for-user-verifiedUserB",
   "service_resource_action":"VariantStandard_Product_AddProduct",  
   service_resource_action:"VariantStandard_Product_AddProduct",
   "permission": "accept"  
   permission: "accept"
}  
}
</syntaxhighlight>
::* '''roleIdKey Structure:''' The key consists of 3 parts separated by underscores (`_`). The final part (e.g., `this-is-uuid-for-user-verifiedUserB`) represents the **targetId** or the UUID of the user to whom the permission is specifically tied.
 
*'''UserLevel:flowSchema (Flexible)'''
:<syntaxhighlight lang="JavaScript">
{
  roleIdKey:"UserLevel_this-is-uuid-for-role-basicUserA_this-is-uuid-for-user-basicUserB",
  service_resource_action:"VariantStandard_CreateSomething_CreateSomething",
  permission: "accept"
}
</syntaxhighlight>
</syntaxhighlight>


==== example userRoles ====
==== example userRoles ====
* Create userRoles, user have role, can create from 
* User roles are created via the API endpoint: '''UserRolesCreateHdrApi''' (https://us-east-2.console.aws.com/apigateway/home?region=us-east-2#/apis/rwnhg855jd/resources/y8erkk)
**https://us-east-2.console.aws.amazon.com/apigateway/home?region=us-east-2#/apis/rwnhg855jd/resources/y8erkk : UserRolesCreateHdrApi


*'''UserLevel:verifiedUser'''
*'''UserLevel:verifiedUser'''
:<syntaxhighlight lang="JavaScript">
:<syntaxhighlight lang="JavaScript">
{  
{
   "userId": "this-is-uuid-for-user-verifiedUserB",  
   userId: "this-is-uuid-for-user-verifiedUserB",
   "roleIdKey": "UserLevel_this-is-uuid-for-user-verifiedUserA_this-is-uuid-for-user-verifiedUserB"  
   roleIdKey: "UserLevel_this-is-uuid-for-user-verifiedUserA_this-is-uuid-for-user-verifiedUserB"
}
}
</syntaxhighlight>
</syntaxhighlight>


==== setting for authorizer userLevel ====
==== setting for authorizer userLevel ====
*function.yml
*'''APIv1 (REST API)'''
:For LambdaFunctionHdrApi userlevel, need to add adds targetid to api route/path  
:For LambdaFunctionHdrApi userlevel, the API path must include a **target ID suffix** to specify the resource owner.
**function.yml
<syntaxhighlight lang="yaml">
LambdaFunctionHdrApi:
  events:
    - http:
        path: Lambda/LambdaAction${self:custom.api_path_targetid_suffix}
        method: post
        cors: true
        authorizer:
          arn: ${self:custom.iz_authorizerUserLevel}
          type: request
          resultTtlInSeconds: 0
</syntaxhighlight>
*'''APIv2 (HTTP API)'''
:Utilizes the centralized authorizer definition and path placeholders to scope access to the target user ID.
**serverless.yml
<syntaxhighlight lang="yaml">
provider:
  httpApi:
    cors: true
    payload: "2.0"
    authorizers: ${file(sls_yaml/generatedCode/source/Authorizer.yml)}
</syntaxhighlight>
**function.yml (Examples)
<syntaxhighlight lang="yaml">
# ObjectType belongTo Matching (e.g., UnitType/unitType/create/{targetUserId})
LambdaFunctionHdrApi:
  events:
    - httpApi:
        path: /UnitType/unitType/create/{targetUserId}
        method: put
        authorizer: authorizerIdentifiers


<syntaxhighlight lang="JavaScript">
# Flow Schema Matching
LambdaFunctionHdrApi:  
LambdaFunctionHdrApi:
   events:  
   events:
  - http:  
    - httpApi:
      path: Lambda/LambdaAction${self:custom.api_path_targetid_suffix}
        path: /{serviceTag}/{flowTag}/{flowTag}/{targetId}
      method: post
        method: put
      cors: true
        authorizer: authorizerIdentifiers
      authorizer:  
        arn: ${self:custom.iz_authorizerUserLevel}
        type request
        resultTtlInSeconds: 0
</syntaxhighlight>
</syntaxhighlight>

Latest revision as of 05:58, 14 November 2025

Overview

Each request from an external service to backend services passes through the **API Gateway**, which applies an optional authorizer for access control. Authorizers are configured within the User Account Service.

Service Resource Action Structure

The service_resource_action string defines specific permissions and is used by the Authorizer to match the requested action. The structure is uniform across both AppLevel and UserLevel.

1. ObjectType belongTo

Used to define access rights for a specific object type endpoint. 

{
  service_resource_action:"{serviceTag}_{objectType}_{apiMethods}",
}
  • **`{serviceTag}`:** Specifies the target **Service** name.
  • **`{objectType}`:** Specifies the target **Resource** or Object (e.g., Config, Product).
  • **`{apiMethods}`:** Specifies the permitted **Action** (e.g., Create, Get, Update).

2. Flow Schema Format

Used to define permissions for the flowSchema, which allows who can access it. 

{
  service_resource_action:"{serviceTag}_{flowTag}_{flowTag}",
}
  • **`{serviceTag}`:** Specifies the target **Service**.
  • **`{flowTag}`:** A variable representing the specific **Resource** or **Action** (Flow).


Authorizer Levels

AppLevel

This level enforces application-wide permissions and has **no single owner**. Users granted application-level administrative rights can manage roles and settings across the entire service.

  • Can change other user roles.
  • Can create new roles.
  • Change site-wide settings.
  • Grants **SuperUser** permissions for lower-level RBAC (e.g., User level or Category level RBAC permissions).
Context: Permissions focus on **application-wide/system-level** rights.

allow the role permission to user appLevel

  • SuperUser
can do all actions:
CREATE | UPDATE | DELETE | GET | LIST
  • VerifiedUser
can do some actions:
CREATE | GET | LIST
  • BasicUser
can do few actions:
GET

example rolePermission

  • AppLevel:superUser (ObjectType belongTo)
{
  roleIdKey:"AppLevel_this-is-uuid-for-role-superUserA",
  service_resource_action:"ServiceTemplate_Config_Create",
  permission: "accept"
}
  • AppLevel:verifiedUser (ObjectType belongTo)
{
   roleIdKey: "AppLevel_this-is-uuid-for-role-verifiedUserA",
   service_resource_action: "ServiceTemplate_Config_Create",
   permission: "accept"
}
  • AppLevel:basicUser (ObjectType belongTo)
{
  userId: "this-is-uuid-for-user-basicUserA",
  roleIdKey: "AppLevel_this-is-uuid-for-role-basicUserA"
}
  • AppLevel:basicUser (FlowSchema)
{
   roleIdKey: "AppLevel_this-is-uuid-for-role-basicUserA",
   service_resource_action: "ServiceTemplate_createSomething_createSomething",
   permission: "accept"
}

example UserRoles

  • AppLevel:superUser
{
 userId: "this-is-uuid-for-user-superUserA",
 roleIdKey: "AppLevel_this-is-uuid-for-role-superUserA"
}
  • AppLevel:verifiedUser
{
  userId: "this-is-uuid-for-user-verifiedUserA",
  roleIdKey: "AppLevel_this-is-uuid-for-role-verifiedUserA"
}

setting for authorizer appLevel

  • APIv1 (REST API)
Uses the `arn` of the authorizer and `request` type in `function.yml`.
    • function.yml
LambdaFunctionHdrApi:
  events:
    - http:
        path: Lambda/LambdaAction
        method: post
        cors: true
        authorizer:
          arn: ${self:custom.iz_authorizerAppLevel}
          type: request
          resultTtlInSeconds: 0
  • APIv2 (HTTP API)
Uses a centralized `authorizers` definition in `serverless.yml` and references the authorizer name in `function.yml`.
    • serverless.yml
provider:
  httpApi:
    cors: true
    payload: "2.0"
    authorizers: ${file(sls_yaml/generatedCode/source/Authorizer.yml)}
    • function.yml (Examples)
# ObjectType belongTo Matching ({serviceTag}/{objectType}/{action})
LambdaFunctionHdrApi:
  events:
    - httpApi:
        path: /{serviceTag}/{objectType}/{action}
        method: put
        authorizer: authorizerServiceSchema

# Flow Schema Matching ({serviceTag}/{flowTag}/{flowTag})
LambdaFunctionHdrApi:
  events:
    - httpApi:
        path: /{serviceTag}/{flowTag}/{flowTag}
        method: put
        authorizer: authorizerServiceSchema

UserLevel

Permissions at this level are **linked to a specific user ID**. The user corresponding to that ID is considered the **owner** and always retains full permissions for their own resources.

  • All permissions are linked to one user id.
  • The current user is the owner and always has full permissions for their user id.
  • Available roles are shared by all users.
  • Only the creator of a role can make subsequent changes (initial state).
Context: Permissions focus on **accessing resources tied to a specific User ID**; requires Target ID scoping in the API path.

example permissions:

  • Can administer user roles/permissions linked to this user ID.
  • Can administer sell offers for this user.

allow the role permission to user

  • SuperUser
can do all actions:
CREATE | UPDATE | DELETE | GET | LIST
  • VerifiedUser
can do some actions:
CREATE | GET | LIST
  • BasicUser
can do few actions:
GET

example rolePermission

  • UserLevel:verifiedUser (ObjectType belongTo)
{
  roleIdKey:"UserLevel_this-is-uuid-for-role-verifiedUserA_this-is-uuid-for-user-verifiedUserB",
  service_resource_action:"VariantStandard_Product_AddProduct",
  permission: "accept"
}
  • roleIdKey Structure: The key consists of 3 parts separated by underscores (`_`). The final part (e.g., `this-is-uuid-for-user-verifiedUserB`) represents the **targetId** or the UUID of the user to whom the permission is specifically tied.
  • UserLevel:flowSchema (Flexible)
{
  roleIdKey:"UserLevel_this-is-uuid-for-role-basicUserA_this-is-uuid-for-user-basicUserB",
  service_resource_action:"VariantStandard_CreateSomething_CreateSomething",
  permission: "accept"
}

example userRoles

  • UserLevel:verifiedUser
{
  userId: "this-is-uuid-for-user-verifiedUserB",
  roleIdKey: "UserLevel_this-is-uuid-for-user-verifiedUserA_this-is-uuid-for-user-verifiedUserB"
}

setting for authorizer userLevel

  • APIv1 (REST API)
For LambdaFunctionHdrApi userlevel, the API path must include a **target ID suffix** to specify the resource owner.
    • function.yml
LambdaFunctionHdrApi:
  events:
    - http:
        path: Lambda/LambdaAction${self:custom.api_path_targetid_suffix}
        method: post
        cors: true
        authorizer:
          arn: ${self:custom.iz_authorizerUserLevel}
          type: request
          resultTtlInSeconds: 0
  • APIv2 (HTTP API)
Utilizes the centralized authorizer definition and path placeholders to scope access to the target user ID.
    • serverless.yml
provider:
  httpApi:
    cors: true
    payload: "2.0"
    authorizers: ${file(sls_yaml/generatedCode/source/Authorizer.yml)}
    • function.yml (Examples)
# ObjectType belongTo Matching (e.g., UnitType/unitType/create/{targetUserId})
LambdaFunctionHdrApi:
  events:
    - httpApi:
        path: /UnitType/unitType/create/{targetUserId}
        method: put
        authorizer: authorizerIdentifiers

# Flow Schema Matching
LambdaFunctionHdrApi:
  events:
    - httpApi:
        path: /{serviceTag}/{flowTag}/{flowTag}/{targetId}
        method: put
        authorizer: authorizerIdentifiers
Retrieved from "https://izara.io/wiki/index.php?title=API_Gateway_Authorizers&oldid=3615"