Policy Checks
Once launched, the PDP answers all requests whose path starts with the configured path. Every request must carry an `Authorization: Bearer <valid_RPT>` header, except for requests to the /validate endpoint.
Examples, given these example values:
- Ingress path configured by default in the Helm deployment: "/pdp"
- The PDP is reachable at pdp.domain.com/policy
- Validate endpoint: "/policy/validate"
| Token | Request to PDP | PDP action | PDP answer |
|---|---|---|---|
| No RPT/OAuth token | pdp.domain.com | None (request does not reach the PDP endpoint) | None (the PDP does not see this request) |
| No RPT/OAuth token and valid data | pdp.domain.com/policy/validate with a JSON body | Validates the policy access related to the JSON request | Returns a response with Permit access |
| No RPT/OAuth token and invalid data | pdp.domain.com/policy/validate with a JSON body | Validates the policy access related to the JSON request | Returns a response with Deny access |
| RPT/OAuth token + policy information as data | pdp.domain.com/policy/ | Registers the policy in MongoDB | policy_id of the policy just created |
| No RPT/OAuth token + policy information as data | pdp.domain.com/policy/ | Registers the policy in MongoDB | 401 |
| RPT/OAuth token + policy information as data | pdp.domain.com/policy/<policy_id or ObjectId(policy_id)> | Performs the Get/Update/Delete policy operation | Get: returns the policy; Update: "updated" or "no changes made"; Delete: 204 if the policy exists |
| No RPT/OAuth token + policy information as data | pdp.domain.com/policy/<policy_id or ObjectId(policy_id)> | Performs the Get/Update/Delete policy operation | 401 |
- Parameters:
  - headers: the request body and the response are JSON, so `Content-Type` must be set to `application/json`
  - data: the request body, in JSON format
- Response:
  - 200: returns a decision on whether the data sent matches the policy requirements; possible values are "Permit" or "Deny"
- Example:

```bash
curl -XGET 'http://<HOSTNAME>/policy/validate' \
  -H 'Content-Type: application/json' \
  -d '{
    "Request": {
      "AccessSubject": [{"Attribute": [{"AttributeId": "user_name", "Value": "<USER_NAME>", "DataType": "string", "IncludeInResult": "True"}]}],
      "Action": [{"Attribute": [{"AttributeId": "action-id", "Value": "get"}]}],
      "Resource": [{"Attribute": [{"AttributeId": "resource-id", "Value": "<RESOURCE_ID>", "DataType": "string", "IncludeInResult": "True"}]}]
    }
  }'
```
The default validation endpoint checks the T&C attached to the resource's policies to ensure that only users who have been granted access can reach the resource.
The API exposes endpoints to interact with the policies. The main policy operation endpoints are secured with OAuth/OIDC: they accept both an OAuth access_token and a JWT id_token to authorize the user, and both are expected in the header. This check retrieves the user's UUID and stores it in the policy's record in the policy storage, so that whenever a call is made against a policy the API double-checks that the requester's UUID matches the one associated with the policy before operating on it.
For the default resources registered by the PEP the ownership check is not used; instead, the policy check verifies that the user has the operator grant by querying the user info endpoint for the isOperator custom attribute.
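The two pieces described above, as an added example that is not part of the PDP project's code: a builder for the validate request body in the format shown earlier, and a model of the ownership / operator check applied to policy operations. The policy record fields `owner_uuid` and `pep_default` and the function names are assumptions, not the project's storage schema.

```python
# Added example, not the PDP project's own code. Models the ownership check on
# policy operations and builds the /policy/validate request body shown above.
# "owner_uuid" and "pep_default" are assumed field names, not the real schema.
from typing import Optional


def build_validate_request(user_name: str, action: str, resource_id: str) -> dict:
    """Build the XACML-style JSON body that the validate endpoint expects."""
    return {"Request": {
        "AccessSubject": [{"Attribute": [{"AttributeId": "user_name", "Value": user_name,
                                          "DataType": "string", "IncludeInResult": "True"}]}],
        "Action": [{"Attribute": [{"AttributeId": "action-id", "Value": action}]}],
        "Resource": [{"Attribute": [{"AttributeId": "resource-id", "Value": resource_id,
                                     "DataType": "string", "IncludeInResult": "True"}]}],
    }}


def check_policy_operation(requester_uuid: Optional[str], is_operator: bool, policy: dict) -> str:
    """Decide whether a Get/Update/Delete on a stored policy may proceed.

    Returns "401" when no token identified the caller, otherwise "permit" or "deny".
    For PEP default resources the owner comparison is skipped and the isOperator
    attribute (already fetched from the user info endpoint) decides; for every
    other policy the requester's UUID must equal the UUID stored at registration.
    """
    if requester_uuid is None:              # no RPT/OAuth token on the request
        return "401"
    if policy.get("pep_default", False):    # assumed flag: resource registered by the PEP
        return "permit" if is_operator else "deny"
    return "permit" if policy.get("owner_uuid") == requester_uuid else "deny"


if __name__ == "__main__":
    import json
    print(json.dumps(build_validate_request("alice", "get", "res-42"), indent=2))
    # constructed sample policy records
    owned = {"_id": "p1", "owner_uuid": "u-1"}
    default = {"_id": "p2", "owner_uuid": "pep", "pep_default": True}
    print(check_policy_operation("u-1", False, owned))    # permit: owner matches
    print(check_policy_operation("u-2", False, owned))    # deny: different UUID
    print(check_policy_operation("u-2", True, default))   # permit: operator on PEP default
```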
⏭️ Next step: Policy Decision Point API