8. Management API and Authorization API#

Important

This section covers a highly technical topic. It addresses app developers who want to integrate an app with the Guardian. Familiarity with using the command line and working with an HTTP API, is necessary to understand this section.

The Management API and Authorization API are the REST APIs for the Guardian. Read the Developer quick start for concrete examples of using the APIs.

8.1. Management API#

The Management API is a general-purpose CRUD interface for managing Guardian objects. When installing an app that integrates with the Guardian, the join script must register the app and create any Guardian elements that it needs, using this API.

After the join script completes, the app has no more need to contact the Management API. However, guardian administrators and guardian app administrators may use this API to modify roles and capabilities.

8.1.1. API documentation#

OpenAPI/Swagger documentation for the API locates at /guardian/management/docs on the server where you installed the Management API.

The API requires authentication. Click the Authorize button at the top of the page. The default client doesn’t require a client_secret. When signing in, use the credentials of either a guardian administrator or a guardian app administrator.

Important

Only the capabilities have a DELETE endpoint. For more information, see No object deletion.

8.1.2. Guardian naming conventions#

When creating an object in the Management API, the name for the object must always use lower-case ASCII alphanumeric, with hyphens or underscores to separate words.

For example, if you want to create a role for users who manage a pet store, you can name the role pet-store-manager.

With the exception of apps and namespaces themselves, all objects belong to a namespace. This documentation often represent the full name of an object as a three-part string, with each section separated by colons: <app-name>:<namespace-name>:<object-name>

For example, if the pet-store-manager role belongs to the namespace stores for the app inventory-manager, then the complete representation of the role is inventory-manager:stores:pet-store-manager.

8.1.3. Registering an app#

Before an app can use the Management API, it needs to register itself at the /guardian/management/apps/register endpoint.

Listing 8.1 shows an example for registration.

Listing 8.1 Register an app#
$ MANAGEMENT_SERVER="$(hostname).$(ucr get domainname)/guardian/management"

$ curl -X POST \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer $keycloak_token" \
    -d '{"name":"my-app", "display_name":"My App"}' \
    $MANAGEMENT_SERVER/apps/register

After registration, an app must at the bare minimum register the permissions that it needs. However, other Guardian objects are optional and a guardian app administrator may manually create them later.

Caution

There is another endpoint, /guardian/management/apps that also creates an app. However, the register endpoint also does additional setup steps for the app, such as creating a guardian app administrator role that you can use to manage the app.

Unless you know what you are doing, avoid using the /guardian/management/apps endpoint.

8.1.4. Conditions#

When constructing a capability, the list of available conditions is available with a GET request to the /guardian/management/conditions endpoint. Each condition provides a documentation string and a list of parameters it needs. For more information about the Guardian’s built-in conditions, refer to Conditions Reference.

If the Guardian doesn’t provide a condition that you need, you can create it through the /guardian/management/conditions/app-name/namespace-name endpoint. This action requires the knowledge of Rego. And you must submit the Rego code in base64 encoding to the Guardian. For more information, see Registering custom conditions in the Developer quick start.

8.1.5. Contexts#

Contexts are a special feature of the Guardian that allows guardian administrators to tell apps about where a role applies.

For example, if Happy Employees installs the Cake Express app, Happy Employees can create a london context and a berlin context and populate them with the cake-express:cakes:cake-orderer role. Happy Employees can then create a capability where users can only order cakes for people in the same context.

Some of the built-in Guardian conditions explicitly support contexts, such as:

Important

An app must explicitly support contexts and send them as part of requests to the Authorization API to use contexts within a capability. Apps must specify in their documentation whether or not they support contexts.

8.2. Authorization API#

The Authorization API helps an app determine whether an actor is authorized to perform a particular action within the app.

8.2.1. API documentation#

OpenAPI/Swagger documentation for the API locates at /guardian/authorization/docs on the server where you installed the Authorization API.

The API requires authentication. Click the Authorize button at the top of the page. The default client doesn’t require a client_secret.

8.2.2. Endpoint overview#

The Authorization API has the following primary endpoints:

  1. /guardian/authorization/permissions

  2. /guardian/authorization/permissions/with-lookup

  3. /guardian/authorization/permissions/check

  4. /guardian/authorization/permissions/check/with-lookup

The endpoints 1-2 answer the question “What are all the permissions an actor has?”

The endpoints 3-4 answer the question “Does the user have a specific set of permissions?” You must supply a list of permissions that you want to verify.

In both cases, you must specify an actor, and you can optionally specify targets for use in answering these questions.

8.2.2.1. About with-lookup endpoints#

Some apps maintain all their own data in regards to actors and targets. This means that they don’t need access to Univention Directory Manager (UDM) to verify capabilities. All examples in the Developer quick start use endpoints without lookup.

However, endpoints ending in with-lookup search for the actor and targets in UDM and use the results in checking capabilities. To use the UDM lookup feature, supply the LDAP distinguished name dn as the id of the actor and targets.

You don’t need to supply any attributes or roles in the request, if you use the with-lookup endpoints.

8.2.2.2. General permissions versus target permissions#

The Authorization API endpoints allow an app to evaluate permissions for an actor.

A general permission is a permission that exists, regardless of whether there are any targets present in the API request. When listing all permissions, you must set include_general_permissions to true in the request, if you want to see these permissions. For an example, see Listing all general permissions in the Developer quick start guide.

Target permissions require one or more targets to be present in the targets field of the request. For an example, see Listing all target permissions in the Developer quick start guide.

8.2.2.3. Old target versus new target#

When sending targets to the Authorization API, a target consists of an old_target and a new_target. The old_target represents the existing state of the target, and the new_target represents the future state of the target.

If the app doesn’t care about an old and new state of the target, then the request only requires the old_target. All built-in conditions evaluate the old_target.

For example, a condition could verify that the new_target user password isn’t the same as the old_target password.

8.2.3. Custom endpoints#

The Authorization API has an experimental endpoint, /guardian/authorization/app-name/namespace-name/endpoint-name, that allows an app to define its own custom Rego code to evaluate permissions.

The endpoint doesn’t have UDM access, so the app must supply all of its own data for actors and targets.

Important

Don’t use this endpoint, because it isn’t implemented.