ManageIQ
Replies: 1 comment 5 replies
-
|
Is the existing RBAC using Roles/Groups/Users insufficient? |
Beta Was this translation helpful? Give feedback.
-
|
That's where I was thinking it would be handled but I am struggling to figure out how implement it to limit the API usage via a role/groups/user. When looking at the role permissions, under the product features, API, it seems I am only able to limit the viewing and not actually set a role to deny API access. Or maybe I am missing something at the role level? |
Beta Was this translation helpful? Give feedback.
-
|
@Fryguy Would you happen to know if there is a specific role or setting that can be used to control API access? We are using ivanchuk-2 btw. |
Beta Was this translation helpful? Give feedback.
-
|
Oh I misunderstood - it seems you want to restrict access to the API entirely? If so, that's not possible because the UI talks to the API, so you'd lose UI access also. I see we also discussed here: https://gitter.im/ManageIQ/api?at=62a1f0b604b736636692bcbe |
Beta Was this translation helpful? Give feedback.
-
|
Yeah no problem, thank you for responding! I was able to sort it out with our internal LTM to only allow the API url's to be accessed from an IP list, which includes the UI/appliance. All seems to be working as expected so far. Thanks again for the responses! |
Beta Was this translation helpful? Give feedback.
-
|
Oh that's a great idea...love that solution! |
Beta Was this translation helpful? Give feedback.
-
Posted this over on the Gitter channel as well. Curious if anyone has a recommendation on a use case I have within our company usage for MIQ. We currently have users using the UI to provision requests (mostly VMWare) and we now have some users requesting to provision requests via the API. We are contemplating building a wrapper API to front the MIQ API to provide some additional business logic but our product management would like us to force users to only use the wrapper API. So basically we would want to block anyone from calling the MIQ API directly.
So question is, what is the best way to restrict the usage of the MIQ API?
I've been looking into tagging but that seems to fall short. I was looking at the actual rails routing and editing the controllers to do some sort of whitelisting but not sure if that is a good idea. We also front our production environment with a load balancer, so thinking maybe we would only allow traffic from the specific IP/host of the wrapper.
Any thoughts/ideas on how to restrict the API access?
Beta Was this translation helpful? Give feedback.
All reactions