-
Notifications
You must be signed in to change notification settings - Fork 5
/
apiary.apib
306 lines (213 loc) · 14.6 KB
/
apiary.apib
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
FORMAT: 1A
HOST: http://az.lab.fiware.org/
TITLE: FIWARE Authorization PDP API Specification
DATE: 16 September 2016
VERSION: 5.2
PREVIOUS_VERSION: 4.4
APIARY_PROJECT: authorizationpdp
GITHUB_SOURCE: https://github.com/authzforce/fiware.git
SPEC_URL: http://authzforce.github.io/fiware/authorization-pdp-api-spec/
CSS: http://www.fiware.org/fabre.css
CSS-PDF: http://www.fiware.org/fabre_pdf.css
# FIWARE Authorization PDP API Specification
This specification defines a RESTful API of an Authorization Policy Decision Point (PDP) compliant with the OASIS XACML standard. More specifically, it defines RESTful interfaces for:
* Managing XACML-compliant authorization policies;
* Requesting authorization decisions based on those policies, in a XACML-compliant request-response format;
* Managing multiple PDPs, one per domain (aka tenant), in order to provide multi-tenancy.
This APIARY blueprint gives a user-friendly description of the API.
However, the official API reference is available in a WADL (Web Application Description Language)
and XML schema files on the [Github repository of AuthzForce REST API model project](https://github.com/authzforce/rest-api-model/tree/release-5.2.0/src/main/resources).
From this WADL (and associated XSD files), you can generate code automatically for various languages, e.g. Apache CXF's WADL2Java plugin for Java.
## Editors
+ Cyril DANGERVILLE, Thales Services
## Status
This is a work in progress and is changing on a daily basis.
## Copyright
Copyright © 2014-2016 by [THALES](http://forge.fiware.org/plugins/mediawiki/wiki/fiware/index.php/Thales_sv).
## License
This specification is licensed under the [FIWARE Open Specification License (implicit patents license)](https://forge.fiware.org/plugins/mediawiki/wiki/fiware/index.php/FI-WARE_Open_Specification_Legal_Notice_%28implicit_patents_license%29).
## Conformance
All the interfaces described by this specification are mandatory and must be implemented in order to be compliant with.
## Terminology
### Policy and PolicySet
A *Policy* is a set of *Rules*, and a *PolicySet* is a set of *Policy* elements.
A *Rule* consists of a condition on the access request attributes, and a decision – *Permit* or *Deny* - to apply if the condition holds true for the request.
A *Policy* (resp. *PolicySet*) combines multiple *Rules* (resp. *Policies*) and therefore multiple decisions together in various ways (defined in the standard) to make the final decision.
### PDP (Policy Decision Point)
The PDP provides authorization decisions based on various attributes given at runtime by PEPs (Policy Enforcement Points) about each incoming access request,
and XACML policies that define multiple rules checking whether those attributes (and therefore the access request) satisfy certain conditions.
The attributes provided by the PEP (see below) about each access request may be attributes about the request itself: The request URL, the HTTP method;
about the requester: The access requester ID, requester role. The PDP may add attributes to the context on its own, such as the current date and time when the requested is received.
By replacing all the attribute references in the policy with these input values, PDP is able to evaluate the policy and determine whether the access should be granted.
### PAP (Policy Administration Point)
The PAP provides an interface for policy administrators to manage XACML policies to be enforced by the PDP. This endpoint is provided by the Authorization PDP GE as well as a RESTful API interface.
The IdM GE also provides a form of graphical interface for the PAP, as part of its access management feature. This feature actually uses the Authorization PDP GE’s PAP API as backend.
### Domain
The API is designed to be multi-tenant, i.e. it allows users or organizations to work on authorization policies in complete isolation from each other. In this document, we use the term *domain* instead of *tenant*.
In this context, a domain mostly consists of a specific dedicated PDP with specific policies. We may use the terms *domain*, *administration domain* and *policy administration domain* interchangeably in this document.
# Group Domains
## Resource for all Domains [/domains]
Policy administration domains.
### Add domain [POST]
Create a new administration domain with defined properties, including one called `externalId`. We use the same definition for this property as in the [SCIM schema, § 3.1](https://tools.ietf.org/html/rfc7643#section-3.1).
The response is the relative link to the REST resource created for the domain with a unique (opaque) ID assigned by the service.
+ Request (application/xml)
<domainProperties xmlns="http://authzforce.github.io/rest-api-model/xmlns/authz/5"
externalId="my.test.domain">
<description>This is a test domain.</description>
</domainProperties>
+ Response 200 (application/xml)
<link xmlns="http://www.w3.org/2005/Atom" rel="item" href="1234ABCD" title="1234ABCD"/>
### Get domains [GET /domains{?externalId}]
Retrieve links to domains.
+ Parameters
+ externalId: my.test.domain (string, optional) - If specified, only a link to the domain with a matching `externalId` is returned, or none if no match.
+ Response 200 (application/xml)
<resources xmlns="http://authzforce.github.io/rest-api-model/xmlns/authz/5" xmlns:atom="http://www.w3.org/2005/Atom">
<atom:link rel="item" href="1234ABCD" title="1234ABCD"/>
</resources>
# Group Domain
## Resource of a specific administration Domain [/domains/{domainId}]
Policy administration domain, dedicated to specific tenant or project or workspace, logically isolated from other domains
+ Parameters
+ domainId: 1234ABCD (string, required) - Domain ID
### Get Domain Sub-resources [GET]
Retrieves links to sub-resources in the domain. This must include a link to the PDP (`/pdp` as described later on) as specified by the [REST Profile of XACML v3.0 Version 1.0](http://docs.oasis-open.org/xacml/xacml-rest/v1.0/xacml-rest-v1.0.html), in test assertion [urn:oasis:names:tc:xacml:3.0:profile:rest:assertion:home:pdp](http://docs.oasis-open.org/xacml/xacml-rest/v1.0/cs02/xacml-rest-v1.0-cs02.html#_Toc399235433).
+ Response 200 (application/xml)
<domainProperties xmlns="http://authzforce.github.io/rest-api-model/xmlns/authz/5"
externalId="my.test.domain">
<description>This is a test domain.</description>
</domainProperties>
### Delete domain [DELETE]
Delete the domain.
+ Response 200 (application/xml)
<domainProperties xmlns="http://authzforce.github.io/rest-api-model/xmlns/authz/5"
externalId="my.test.domain">
<description>This is a test domain.</description>
</domainProperties>
## Resource Domain properties [/domains/{domainId}/properties]
Policy administration domain properties
### Update domain properties [PUT]
Update the properties of the domain. In this example, we change the `externalId` and description.
+ Request (application/xml)
<domainProperties xmlns="http://authzforce.github.io/rest-api-model/xmlns/authz/5"
externalId="my.test.domain0">
<description>This is a test domain and I want to use it.</description>
</domainProperties>
+ Response 200 (application/xml)
<domainProperties xmlns="http://authzforce.github.io/rest-api-model/xmlns/authz/5"
externalId="my.test.domain0">
<description>This is a test domain and I want to use it.</description>
</domainProperties>
### Get domain properties [GET]
Get the properties of the domain.
+ Response 200 (application/xml)
<domainProperties xmlns="http://authzforce.github.io/rest-api-model/xmlns/authz/5"
externalId="my.test.domain0">
<description>This is a test domain and I want to use it.</description>
</domainProperties>
# Group Domain Policy Administration Point
## Resource Domain PAP - Policies [/domains/{domainId}/pap/policies]
Policy Administration Point interface to manage the policies of the domain.
### Add/update a policy [POST]
Add/update a policy (XACML `PolicySet`) in the domain. The response is the relative link to the REST resource created for the policy version.
If there is no existing policy with a `PolicySetId` matching the one in the request, this adds a new policy resource.
If a policy exists with same `PolicySetId` but a different `Version`, this adds a new resource for this new policy version under the policy resource.
If a policy exists with the same `PolicySetId` and `Version`, this must raise a conflict error and the operation must be canceled.
+ Request (application/xml)
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicySetId="P1" Version="1.0" ... />
+ Response 200 (application/xml)
<link xmlns="http://www.w3.org/2005/Atom" rel="item" href="P1/1.0" title="Policy 'P1' v1.0"/>
### Get policies [GET /domains/{domainId}/pap/policies]
Get the list of domain's policies. The response is the list of links to all policy resources.
+ Response 200 (application/xml)
<resources xmlns="http://authzforce.github.io/rest-api-model/xmlns/authz/5" xmlns:atom="http://www.w3.org/2005/Atom">
<atom:link rel="item" href="P1" title="P1"/>
<atom:link rel="item" href="P1" title="P2"/>
...
</resources>
## Resource Domain PAP - Policy [/domains/{domainId}/pap/policies/{policyId}]
A policy in the domain.
+ Parameters
+ policyId: P1 (string, required) - Policy ID, more precisely the XACML `PolicySetId`.
### Get policy [GET]
Get the policy, i.e. the links to all versions of the policy.
+ Response 200 (application/xml)
<resources xmlns="http://authzforce.github.io/rest-api-model/xmlns/authz/5" xmlns:atom="http://www.w3.org/2005/Atom">
<atom:link rel="item" href="1.0" title="1.0"/>
<atom:link rel="item" href="1.1" title="1.1"/>
<atom:link rel="item" href="2.0" title="2.0"/>
...
</resources>
### Delete policy [DELETE]
Delete the policy, i.e. all policy versions. The response is the list of all the versions of the removed policy before removal.
+ Response 200 (application/xml)
<resources xmlns="http://authzforce.github.io/rest-api-model/xmlns/authz/5" xmlns:atom="http://www.w3.org/2005/Atom">
<atom:link rel="item" href="1.0" title="1.0"/>
<atom:link rel="item" href="1.1" title="1.1"/>
<atom:link rel="item" href="2.0" title="2.0"/>
...
</resources>
## Resource Domain PAP - Policy version [/domains/{domainId}/pap/policies/{policyId}/{version}]
A policy version.
+ Parameters
+ version: 1.0 (string, required) - Policy version, more precisely the XACML `PolicySet` `Version`.
### Get policy version [GET]
Get a specific version of a policy.
+ Response 200 (application/xml)
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicySetId="P1" Version="1.0" ... />
### Delete policy version [DELETE]
Delete a specific version of a policy. The response is the removed policy version.
+ Response 200 (application/xml)
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicySetId="P1" Version="1.0" ... />
## Resource Domain PAP - PDP properties [/domains/{domainId}/pap/pdp.properties]
Policy Administration Point interface to manage PDP properties:
* One or more optional `feature` elements: extra implementation-specific feature ID. A `feature` element may have a `type` attribute to indicate the category/type of feature, and a `enabled` attribute to indicate whether the feature is actually enabled or not.
* One mandatory `rootPolicyRefExpression` element of type `{urn:oasis:names:tc:xacml:3.0:core:schema:wd-17}IdReferenceType` (XACML v3.0): expression (with version pattern(s)) to be matched by the PolicySet's `PolicySetId` and `Version` to be enforced by the PDP as root policy. This policy and any other policy referenced (directly or indirectly) from it via XACML PolicySetIdReference must correspond to a resource under URL path '/policies'.
The documentation of any implementation of this GE must mention what is the default value for this element.
### Update PDP properties [PUT]
+ Request (application/xml)
<pdpPropertiesUpdate
xmlns="http://authzforce.github.io/rest-api-model/xmlns/authz/5">
<feature
type="urn:ow2:authzforce:feature-type:pdp:request-filter"
enabled="true">urn:ow2:authzforce:feature:pdp:request-filter:multiple:repeated-attribute-categories-lax</feature>
...(content omitted)...
<rootPolicyRefExpression>root</rootPolicyRefExpression>
</pdpPropertiesUpdate>
+ Response 200 (application/xml)
<pdpProperties
xmlns="http://authzforce.github.io/rest-api-model/xmlns/authz/5"
lastModifiedTime="2016-05-28T14:21:35.730Z">
<feature
type="urn:ow2:authzforce:feature-type:pdp:request-filter"
enabled="false">urn:ow2:authzforce:feature:pdp:request-filter:multiple:repeated-attribute-categories-strict</feature>
<feature
type="urn:ow2:authzforce:feature-type:pdp:request-filter"
enabled="true">urn:ow2:authzforce:feature:pdp:request-filter:multiple:repeated-attribute-categories-lax</feature>
...(content omitted)...
<rootPolicyRefExpression>root</rootPolicyRefExpression>
</pdpProperties>
### Get PDP properties [GET]
Get a specific version of a policy.
+ Response 200 (application/xml)
<pdpProperties
xmlns="http://authzforce.github.io/rest-api-model/xmlns/authz/5"
lastModifiedTime="2016-05-28T14:21:35.730Z">
<feature
type="urn:ow2:authzforce:feature-type:pdp:request-filter"
enabled="false">urn:ow2:authzforce:feature:pdp:request-filter:multiple:repeated-attribute-categories-strict</feature>
<feature
type="urn:ow2:authzforce:feature-type:pdp:request-filter"
enabled="true">urn:ow2:authzforce:feature:pdp:request-filter:multiple:repeated-attribute-categories-lax</feature>
...(content omitted)...
<rootPolicyRefExpression>root</rootPolicyRefExpression>
</pdpProperties>
# Group Domain Policy Decision Point
## Resource Domain PDP [/domains/{domainId}/pdp]
Policy Decision Point.
### Request authorization decision [POST]
+ Request (application/xml)
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" ... />
+ Response 200 (application/xml)
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" ... />