API Gateway Authorizers: Difference between revisions
= Overview =
Each request from an external service to the backend services passes through the API Gateway, which applies an optional authorizer to the request. Authorizers are set up in the [[Service - User Account|User Account Service]].
= Authorizer Levels =
== AppLevel ==
There is no "owner" for this level; users with application-level permission to administer roles can do the following:
# Change other users' roles.
# Create new roles.
# Change site-wide settings.
# Hold SuperUser permissions for lower-level RBAC (e.g. User-level or Category-level RBAC permissions). TODO: so you all need to give the role permission to the user.
=== allow the role permission to user appLevel ===
*'''SuperUser'''
:can do all actions:
:: CREATE | UPDATE | DELETE | GET | LIST
*'''VerifiedUser'''
:can do some actions:
:: CREATE | GET | LIST
*'''BasicUser'''
:can do a few actions:
:: GET
==== example rolePermission ====
*'''AppLevel:superUser'''
<syntaxhighlight lang="json">
{
  "roleIdKey": "AppLevel_this-is-uuid-for-role-superUserA",
  "service_resource_action": "ServiceTemplate_Config_Create",
  "permission": "accept"
}
</syntaxhighlight>
*'''AppLevel:verifiedUser'''
<syntaxhighlight lang="json">
{
  "roleIdKey": "AppLevel_this-is-uuid-for-role-verifiedUserA",
  "service_resource_action": "ServiceTemplate_Config_Create",
  "permission": "accept"
}
</syntaxhighlight>
*'''AppLevel:basicUser'''
<syntaxhighlight lang="json">
{
  "roleIdKey": "AppLevel_this-is-uuid-for-role-basicUserA",
  "service_resource_action": "UserAccountAppLevel_UserRole_Get",
  "permission": "accept"
}
</syntaxhighlight>
==== example UserRoles ====
*'''AppLevel:superUser'''
<syntaxhighlight lang="json">
{
  "userId": "this-is-uuid-for-user-superUserA",
  "roleIdKey": "AppLevel_this-is-uuid-for-role-superUserA"
}
</syntaxhighlight>
*'''AppLevel:verifiedUser'''
<syntaxhighlight lang="json">
{
  "userId": "this-is-uuid-for-user-verifiedUserA",
  "roleIdKey": "AppLevel_this-is-uuid-for-role-verifiedUserA"
}
</syntaxhighlight>
*'''AppLevel:basicUser'''
<syntaxhighlight lang="json">
{
  "userId": "this-is-uuid-for-user-basicUserA",
  "roleIdKey": "AppLevel_this-is-uuid-for-role-basicUserA"
}
</syntaxhighlight>
==== setting for authorizer appLevel ====
*function.yml
:For LambdaFunctionHdrApi at AppLevel
<syntaxhighlight lang="yaml">
LambdaFunctionHdrApi:
  events:
    - http:
        path: Lambda/LambdaAction
        method: post
        cors: true
        authorizer:
          arn: ${self:custom.iz_authorizerAppLevel}
          type: request
          resultTtlInSeconds: 0
</syntaxhighlight>
== UserLevel ==
* All permissions are linked to one user id.
* Has an owner (the current user); that user always has full permissions for their own user id.
* Available roles are shared by all users: any user can create new roles and add permissions, and those roles can then be used by any user.
* Only the creator of a role can change it later (for the start; in future we can add RBAC management of user-level roles).
=== example permissions: ===
* Can administer users' roles/permissions
* Can administer sell offers for this user
=== allow the role permission to user ===
:[[Allow the role permission to user appLevel]]
==== example rolePermission ====
* Create a role permission (it states that users holding the role can perform the action). It can be created in seed data or run from
https://us-east-2.console.aws.amazon.com/apigateway/home?region=us-east-2#/apis/rwnhg855jd/resources/y8erkk : '''RolePermissionCreateHdrApi'''
*'''UserLevel:verifiedUser'''
:<syntaxhighlight lang="json">
{
  "roleIdKey": "UserLevel_this-is-uuid-for-role-verifiedUserA_this-is-uuid-for-role-verifiedUserB",
  "service_resource_action": "VariantStandard_Product_AddProduct",
  "permission": "accept"
}
</syntaxhighlight>
==== example userRoles ====
* Create userRoles (the user holds the role). They can be created from
**https://us-east-2.console.aws.amazon.com/apigateway/home?region=us-east-2#/apis/rwnhg855jd/resources/y8erkk : UserRolesCreateHdrApi
*'''UserLevel:verifiedUser'''
:<syntaxhighlight lang="json">
{
  "userId": "this-is-uuid-for-user-verifiedUserB",
  "roleIdKey": "UserLevel_this-is-uuid-for-user-verifiedUserA_this-is-uuid-for-user-verifiedUserB"
}
</syntaxhighlight>
==== setting for authorizer userLevel ====
*function.yml
:For LambdaFunctionHdrApi at UserLevel, the targetid must be added to the API route/path
<syntaxhighlight lang="yaml">
LambdaFunctionHdrApi:
  events:
    - http:
        path: Lambda/LambdaAction${self:custom.api_path_targetid_suffix}
        method: post
        cors: true
        authorizer:
          arn: ${self:custom.iz_authorizerUserLevel}
          type: request
          resultTtlInSeconds: 0
</syntaxhighlight>
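The following is an added example, not code from this wiki or from the User Account Service. It shows how a deny-by-default REQUEST-type Lambda authorizer can evaluate the rolePermission and userRoles records described in the AppLevel and UserLevel sections above and return the IAM policy document that API Gateway expects. The sample records are constructed from the page's examples; the real authorizer would fetch them from the User Account Service. Two things the page leaves open are assumptions here: the segment layout of a UserLevel roleIdKey is taken to be <code>UserLevel_&lt;ownerUserId&gt;_&lt;roleId&gt;</code> so the owner can be compared with the route's targetid, and the caller's identity and the requested service_resource_action are assumed to have been derived from the event already (validated credential, route table). The page's TODO about AppLevel SuperUser overriding lower-level RBAC is not modelled: an AppLevel role grants nothing on a UserLevel route.

```javascript
// Added example (not the wiki page's or the User Account Service's own code):
// deny-by-default REQUEST authorizer over rolePermission / userRoles records.

// Constructed sample records, same shape as the page's examples.
const rolePermissions = [
  { roleIdKey: 'AppLevel_this-is-uuid-for-role-superUserA',
    service_resource_action: 'ServiceTemplate_Config_Create', permission: 'accept' },
  { roleIdKey: 'AppLevel_this-is-uuid-for-role-basicUserA',
    service_resource_action: 'UserAccountAppLevel_UserRole_Get', permission: 'accept' },
  // Assumed key layout: UserLevel_<ownerUserId>_<roleId> (the page does not fix it).
  { roleIdKey: 'UserLevel_this-is-uuid-for-user-verifiedUserA_this-is-uuid-for-role-verifiedUserB',
    service_resource_action: 'VariantStandard_Product_AddProduct', permission: 'accept' },
];
const userRoles = [
  { userId: 'this-is-uuid-for-user-superUserA', roleIdKey: 'AppLevel_this-is-uuid-for-role-superUserA' },
  { userId: 'this-is-uuid-for-user-basicUserA', roleIdKey: 'AppLevel_this-is-uuid-for-role-basicUserA' },
  { userId: 'this-is-uuid-for-user-verifiedUserB',
    roleIdKey: 'UserLevel_this-is-uuid-for-user-verifiedUserA_this-is-uuid-for-role-verifiedUserB' },
];

// Split a roleIdKey into its level prefix and the ids it carries.
// Ids contain hyphens only, so '_' is a safe separator. Malformed keys grant nothing.
function parseRoleIdKey(roleIdKey) {
  const [level, ...rest] = roleIdKey.split('_');
  if (level === 'AppLevel' && rest.length === 1) return { level, roleId: rest[0] };
  if (level === 'UserLevel' && rest.length === 2) return { level, ownerId: rest[0], roleId: rest[1] };
  return null;
}

// True if a role held by userId at the given level (scoped to ownerId for
// UserLevel) has an accepted rolePermission for the action.
function hasPermission(userId, level, ownerId, action) {
  const held = userRoles.filter((ur) => ur.userId === userId).map((ur) => ur.roleIdKey);
  return held.some((key) => {
    const parsed = parseRoleIdKey(key);
    if (!parsed || parsed.level !== level) return false;
    if (level === 'UserLevel' && parsed.ownerId !== ownerId) return false;
    return rolePermissions.some((rp) =>
      rp.roleIdKey === key && rp.service_resource_action === action && rp.permission === 'accept');
  });
}

// level is 'AppLevel' or 'UserLevel'. A UserLevel route carries the owner's id
// as the targetid path segment (the page's api_path_targetid_suffix).
function decide(level, { callerId, action, targetId }) {
  if (!callerId || !action) return 'Deny';
  if (level === 'UserLevel') {
    if (!targetId) return 'Deny';               // user-level route without a target
    if (callerId === targetId) return 'Allow';  // owner always has full permissions
    return hasPermission(callerId, 'UserLevel', targetId, action) ? 'Allow' : 'Deny';
  }
  return hasPermission(callerId, 'AppLevel', null, action) ? 'Allow' : 'Deny';
}

// Response shape API Gateway expects from a Lambda authorizer.
function buildPolicy(principalId, effect, methodArn) {
  return {
    principalId,
    policyDocument: {
      Version: '2012-10-17',
      Statement: [{ Action: 'execute-api:Invoke', Effect: effect, Resource: methodArn }],
    },
  };
}

// Entry point. callerId and action are assumed to have been extracted from the
// event already; with resultTtlInSeconds: 0 this runs for every request.
function authorize(level, request) {
  return buildPolicy(request.callerId || 'anonymous', decide(level, request), request.methodArn);
}

// Stand-alone demo with a constructed methodArn (account id is a placeholder).
if (typeof require !== 'undefined' && require.main === module) {
  const arn = 'arn:aws:execute-api:us-east-2:000000000000:rwnhg855jd/dev/POST/Lambda/LambdaAction';
  console.log(JSON.stringify(authorize('AppLevel', {
    callerId: 'this-is-uuid-for-user-basicUserA', action: 'ServiceTemplate_Config_Create', methodArn: arn,
  }), null, 2));
}
```

The decision function is deny-by-default at every branch, and the level is fixed by the route's authorizer rather than taken from the request, so an AppLevel role held by the caller is never consulted on a UserLevel route.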
Revision as of 12:39, 10 October 2022