Enable URL Authorization for REST Handlers

Edit the rsgateway_permissions.yaml file to customize access to OpenAPI3, JSON, or named REST services.

Procedure

  1. Configure the rsgateway_permissions.yaml file with a ConfigMap in the Helm values file.
    For example:
    rsgateway:
      configuration:
        container:
          configmap:
            rsgateway-extensions.yaml: |-
               rest:
                 subscriber_create_basic:
                   roles: MTX_ROLE_CUST_ONE,MTX_ROLE_CUST_TWO

    With this configuration, a user must have the MTX_ROLE_CUST_ONE or MTX_ROLE_CUST_TWO role to call the subscriber_create_basic service.

    Note: RS Gateway looks first for the permissions file in /opt/mtx/conf/. If there is no file there, it uses the rsgateway_permissions.yaml on the classpath.
  2. Edit the file with your custom permissions.
    You must specify the URL, the request type (GET, POST, PUT, DELETE), and the associated role or roles. For example, to customize JSON services access, add the following:
    rsgateway:
      configuration:
        container:
          configmap:
            rsgateway_permissions.yaml: |-
              "/data/json/webappstatus":
                GET:
                - RSG_DEBUG
              "/data/json":
                GET:
                - RSG_READ
                - RSG_DEBUG
                POST:
                - RSG_CREATE
    
  3. Apply the configuration and restart RS Gateway with a command similar to the following:
    helm upgrade ag1 matrixx/matrixx --namespace matrixx-webapps-gateways -f matrixx-webapps-gateways_values.yaml --version 5270

    Where matrixx-webapps-gateways_values.yaml is a Helm values file that defines the ConfigMaps and enables RS Gateway.
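
A pre-deployment check for the permissions block from step 2, added here as an example (it is not MATRIXX code): it parses the URL, request type, and role layout and reports entries that break the rule stated in step 2. The function names and the sample text, which is the page's JSON example plus two deliberate mistakes, are constructed for illustration, and the parser handles only this layout, not general YAML.

```python
import re

ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}  # request types the page names

# Constructed sample: the page's JSON example plus two deliberate mistakes.
SAMPLE = """\
"/data/json/webappstatus":
  GET:
  - RSG_DEBUG
"/data/json":
  GET:
  - RSG_READ
  - RSG_DEBUG
  POST:
  - RSG_CREATE
  PATCH:
  - RSG_CREATE
  DELETE:
"""

def parse_permissions(text):
    """Parse the URL -> request type -> roles layout from step 2 (not general YAML)."""
    perms, url, method = {}, None, None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := re.fullmatch(r'"(/[^"]*)":', line):
            url, method = m.group(1), None
            perms[url] = {}
        elif url is not None and (m := re.fullmatch(r"([A-Za-z]+):", line)):
            method = m.group(1)
            perms[url][method] = []
        elif method is not None and (m := re.fullmatch(r"-\s+(\S+)", line)):
            perms[url][method].append(m.group(1))
        else:
            raise ValueError(f"line {n}: unexpected content {raw!r}")
    return perms

def lint(perms):
    """List entries that break the 'URL, request type, role or roles' rule."""
    findings = []
    for url, methods in perms.items():
        for method, roles in methods.items():
            if method not in ALLOWED_METHODS:
                findings.append(f"{url} {method}: not one of GET/POST/PUT/DELETE")
            if not roles:
                findings.append(f"{url} {method}: no role listed")
    return findings

if __name__ == "__main__":
    for finding in lint(parse_permissions(SAMPLE)):
        print(finding)
```

The parsed dictionary also serves as a reviewable access matrix: each URL and request type maps to the roles that may call it, in the same form as the Results list.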

Results

The files are dynamically created and mounted to /sync/conf, which is synchronized with /opt/mtx/conf in the component container at start-up, using rsync. With the example permissions from step 2 in place, the following applies:
  • To perform a GET operation on /data/json/webappstatus, users must have the role RSG_DEBUG.
  • To perform a GET operation on /data/json, users must have the role RSG_READ or RSG_DEBUG.
  • To perform a POST operation on /data/json, users must have the role RSG_CREATE.

What to do next

For a description of RS Gateway roles, see the related RS Gateway roles discussion. For information about supported encoding algorithms (such as bcrypt), see the discussion about password encoding in MATRIXX Security.

For more information about configuring MATRIXX gateways and web apps, including how to use configuration sources for configuration, see the discussion about configuring MATRIXX gateways and web apps in MATRIXX Configuration.