
Protect Config API using Cedarling

Kiran Mali edited this page Oct 7, 2025 · 7 revisions

Currently, Config-API uses OAuth scopes to protect its endpoints. In this new approach we add Cedarling authorization as an alternative; the user can switch between OAuth and Cedarling protection.

Policy Store

https://github.com/kdhttps/admin-ui-cedarling-config/blob/agama-lab-policy-designer/84c511a8d416187492bf7af0501282952347214dc5a6.json

Principals

These are the kinds of principals we can add to our schema and policy store:

  • Admin: full control across all system settings, manage roles and permissions
  • Identity Manager: manages user lifecycle (create/update/disable users, set passwords, manage settings for clients, scripts)
  • Developer: create & manage OAuth clients, redirect URIs, client secrets for App

Resources

Resources are taken from the Config API endpoints; see the Swagger definition here.

  • Configuration
    • UserManagament
    • Acrs
    • Attribute
    • CacheConfiguration
      • InMemoryCacheConfiguration
      • MemcachedConfiguration
      • NativePersistanceCacheConfiguration
      • RedisCacheConfiguration
    • ConfigAPIConfiguration
    • DatabaseConfiguration
    • JansAssets
    • JWKConfiguration
    • LDAPDatabaseConfiguration
    • LoggingConfiguration
    • Logs
    • MessageConfiguration
    • OrganizationConfiguration
    • PluginsConfiguration
    • MessageConfiguration
      • PostgresMessageConfiguration
      • RedisMessageConfiguration
    • PropertiesConfiguration
    • SMTPConfigurationResource
    • HealthCheck
      • AuthServerHealthCheck
      • StatResource
  • AuthnAuthz
    • AuthSessionManagement
    • ClientAuthorization
    • OAuthClients
    • OAuthScope
    • OAuthUMA
    • Token
    • CustomScript
    • Agama
  • SSAResource

Action

  • POST
  • PUT
  • DELETE
  • PATCH
  • GET

Policies

Admin

Admin can access configuration

// Admin: every HTTP method on any Configuration resource
@id("AdminCanManageConfiguration")
permit(
  principal in Gluu::Flex::ConfigAPI::Role::"admin",
  action in [
    Gluu::Flex::ConfigAPI::Action::"GET",
    Gluu::Flex::ConfigAPI::Action::"POST",
    Gluu::Flex::ConfigAPI::Action::"PUT",
    Gluu::Flex::ConfigAPI::Action::"DELETE",
    Gluu::Flex::ConfigAPI::Action::"PATCH"
  ],
  resource is Gluu::Flex::ConfigAPI::ConfigurationResource
);

Admin can access Authn Authz services

// Admin: every HTTP method on the AuthnAuthz resources (same resource type the
// manager policy below is scoped to)
@id("AdminCanManageAuthnAuthz")
permit(
  principal in Gluu::Flex::ConfigAPI::Role::"admin",
  action in [
    Gluu::Flex::ConfigAPI::Action::"GET",
    Gluu::Flex::ConfigAPI::Action::"POST",
    Gluu::Flex::ConfigAPI::Action::"PUT",
    Gluu::Flex::ConfigAPI::Action::"DELETE",
    Gluu::Flex::ConfigAPI::Action::"PATCH"
  ],
  resource is Gluu::Flex::ConfigAPI::AuthnAuthzResource
);

Admin can delete SSA

// Admin: DELETE only, scoped to the SSA resource
@id("AdminCanDeleteSSA")
permit(
  principal in Gluu::Flex::ConfigAPI::Role::"admin",
  action in [Gluu::Flex::ConfigAPI::Action::"DELETE"],
  resource is Gluu::Flex::ConfigAPI::SSAResource
);

Manager

Manager can access User management service

// Manager: every HTTP method on the user-management resource
@id("ManagerCanAccessUserManagement")
permit(
  principal in Gluu::Flex::ConfigAPI::Role::"manager",
  action in [
    Gluu::Flex::ConfigAPI::Action::"GET",
    Gluu::Flex::ConfigAPI::Action::"POST",
    Gluu::Flex::ConfigAPI::Action::"PUT",
    Gluu::Flex::ConfigAPI::Action::"DELETE",
    Gluu::Flex::ConfigAPI::Action::"PATCH"
  ],
  resource is Gluu::Flex::ConfigAPI::UserManagament
);

Manager can access Authn Authz services

// Manager: every HTTP method on the AuthnAuthz resources
@id("ManagerCanAccessAuthnAuthz")
permit(
  principal in Gluu::Flex::ConfigAPI::Role::"manager",
  action in [
    Gluu::Flex::ConfigAPI::Action::"GET",
    Gluu::Flex::ConfigAPI::Action::"POST",
    Gluu::Flex::ConfigAPI::Action::"PUT",
    Gluu::Flex::ConfigAPI::Action::"DELETE",
    Gluu::Flex::ConfigAPI::Action::"PATCH"
  ],
  resource is Gluu::Flex::ConfigAPI::AuthnAuthzResource
);

Developer

Developer can manage clients

// Developer: every HTTP method on OAuth client resources
@id("DeveloperCanAccessClients")
permit(
  principal in Gluu::Flex::ConfigAPI::Role::"developer",
  action in [
    Gluu::Flex::ConfigAPI::Action::"GET",
    Gluu::Flex::ConfigAPI::Action::"POST",
    Gluu::Flex::ConfigAPI::Action::"PUT",
    Gluu::Flex::ConfigAPI::Action::"DELETE",
    Gluu::Flex::ConfigAPI::Action::"PATCH"
  ],
  resource is Gluu::Flex::ConfigAPI::OAuthClientsResource
);

Developer can manage scripts

// Developer: every HTTP method on custom script resources
@id("DeveloperCanAccessCustomScript")
permit(
  principal in Gluu::Flex::ConfigAPI::Role::"developer",
  action in [
    Gluu::Flex::ConfigAPI::Action::"GET",
    Gluu::Flex::ConfigAPI::Action::"POST",
    Gluu::Flex::ConfigAPI::Action::"PUT",
    Gluu::Flex::ConfigAPI::Action::"DELETE",
    Gluu::Flex::ConfigAPI::Action::"PATCH"
  ],
  resource is Gluu::Flex::ConfigAPI::CustomScriptResource
);
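The policies above are all `permit` statements with no `forbid`, so any (role, action, resource) combination they do not name is denied. The following added example (not Cedarling's code and not part of this wiki page) parses policies of exactly this restricted shape and evaluates requests against them, so you can check the role/action/resource matrix before loading the policy store; the two-policy sample text and the role names it uses are constructed from the policies above.

```python
"""Minimal evaluator for the Cedar permit policies above (added example, not
the Cedarling engine). It parses only the restricted shape these policies
use: `principal in Role::"x"`, `action in [Action::"A", ...]`,
`resource is Type`, and it ignores `forbid` because the page defines none."""
import re
from dataclasses import dataclass

# Constructed sample: two of the page's policies, trimmed to fewer actions.
POLICIES = '''
@id("AdminCanManageConfiguration")
permit(
  principal in Gluu::Flex::ConfigAPI::Role::"admin",
  action in [Gluu::Flex::ConfigAPI::Action::"GET",
  Gluu::Flex::ConfigAPI::Action::"DELETE"],
  resource is Gluu::Flex::ConfigAPI::ConfigurationResource
);
@id("DeveloperCanAccessClients")
permit(
  principal in Gluu::Flex::ConfigAPI::Role::"developer",
  action in [Gluu::Flex::ConfigAPI::Action::"GET",
  Gluu::Flex::ConfigAPI::Action::"POST"],
  resource is Gluu::Flex::ConfigAPI::OAuthClientsResource
);
'''

@dataclass(frozen=True)
class Policy:
    pid: str
    role: str
    actions: frozenset
    resource_type: str

POLICY_RE = re.compile(
    r'@id\("(?P<id>[^"]+)"\)\s*permit\(\s*'
    r'principal in \S+::Role::"(?P<role>[^"]+)",\s*'
    r'action in \[(?P<actions>[^\]]+)\],\s*'
    r'resource is (?P<res>[\w:]+)\s*\);')

def parse_policies(text):
    """Return one Policy per @id/permit block found in the policy text."""
    out = []
    for m in POLICY_RE.finditer(text):
        acts = frozenset(re.findall(r'Action::"([^"]+)"', m.group("actions")))
        out.append(Policy(m.group("id"), m.group("role"), acts,
                          m.group("res").split("::")[-1]))
    return out

def is_authorized(policies, roles, action, resource_type):
    """Permit-only Cedar semantics: allow iff at least one permit matches the
    request; anything unmatched is denied (default deny). Returns the decision
    and the ids of the matching policies for audit logging."""
    matched = [p.pid for p in policies if p.role in roles
               and action in p.actions and p.resource_type == resource_type]
    return (bool(matched), matched)
```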
