README
¶
Amazon API Gateway Provider
The API Gateway Provider is a virtual RBAC provider that combines Cognito User Pools and a custom Dynamo DB to build RBAC relationships to create equivalent IDQL policy.
This provider is currently experimental and depends on undocumented configuration to run. Please contact gerry@strata.io for more information.
See: Tutorial: Build a CRUD API with Lambda and DynamoDB.
| Feature | Description | Platform Support | Provider Support |
|---|---|---|---|
| RBAC | Support for basic translation of role-based access policy | Yes | Yes |
| ABAC | Support for attribute conditions | No | No |
| Type | Virtual policy Cognito directory, Dynamo DB for use with Amazon API Gateway | Cognito, DynamoDb, API Gateway | Virtual RBAC |
| Attribute Mapping | Attribute names in policy can be mapped to platform | N/A | |
| Hexa CLI | Supported in the Hexa CLI application | Yes | |
| Discovery | Supports discovery of Policy Application Points | List UserPools and Resources | Yes |
| Get Policies | Supports retrieval of all policies from a PAP | Conversion | Yes |
| Set Policies | Supports the ability to apply a set of policies to a PAP | Conversion | Yes |
| Reconcile | Returns the differences between an existing set of policies (e.g. at the source) and another set (updates) | virtual |
Policy Support Notes
The following is an example IDQL mapped Policy:
{
"meta": {
"version": "0.6",
"providerType": "RARmodel"
},
"subject": {
"members": [
"Read.Profile1",
"Read.Profile2",
"Read.Profile3",
"Read.Profile4"
]
},
"actions": [
{
"actionUri": "http:GET"
}
],
"object": {
"resource_id": "/profile"
}
}
DynamoDB Resource Policies Table
| Resource (String) | Action (String) | Members |
|---|---|---|
| /profile | GET | ["Read.Profile1","Read.Profile2","Read.Profile3","Read.Profile4"] |
| /analytics | GET | ["Read.Analytics"] |
| /humanresources/eu | GET | [] |
| /humanresources/uk | GET | ["Read.HR_UK"] |
| /humanresources/us | GET | ["Read.HR_US"] |
| /developer | GET | ["Read.Developer"] |
Limitations:
- Condition clauses cannot be mapped (RBAC only)
Documentation
¶
Index ¶
- Constants
- type AwsApiGatewayProvider
- func (a *AwsApiGatewayProvider) DiscoverApplications(integrationInfo policyprovider.IntegrationInfo) (apps []policyprovider.ApplicationInfo, err error)
- func (a *AwsApiGatewayProvider) GetPolicyInfo(info policyprovider.IntegrationInfo, appInfo policyprovider.ApplicationInfo) ([]hexapolicy.PolicyInfo, error)
- func (a *AwsApiGatewayProvider) Name() string
- func (a *AwsApiGatewayProvider) SetPolicyInfo(info policyprovider.IntegrationInfo, ...) (status int, foundErr error)
- type AwsApiGatewayProviderOpt
- type AwsApiGatewayProviderService
- func (s *AwsApiGatewayProviderService) DiscoverApplications(_ policyprovider.IntegrationInfo) ([]policyprovider.ApplicationInfo, error)
- func (s *AwsApiGatewayProviderService) GetPolicyInfo(appInfo policyprovider.ApplicationInfo) ([]hexapolicy.PolicyInfo, error)
- func (s *AwsApiGatewayProviderService) SetPolicyInfo(appInfo policyprovider.ApplicationInfo, policyInfos []hexapolicy.PolicyInfo) (int, error)
Constants ¶
View Source
const ProviderTypeAwsApiGW string = "awsapigw"
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type AwsApiGatewayProvider ¶
type AwsApiGatewayProvider struct {
// contains filtered or unexported fields
}
func NewAwsApiGatewayProvider ¶
func NewAwsApiGatewayProvider(opts ...AwsApiGatewayProviderOpt) *AwsApiGatewayProvider
func (*AwsApiGatewayProvider) DiscoverApplications ¶
func (a *AwsApiGatewayProvider) DiscoverApplications(integrationInfo policyprovider.IntegrationInfo) (apps []policyprovider.ApplicationInfo, err error)
func (*AwsApiGatewayProvider) GetPolicyInfo ¶
func (a *AwsApiGatewayProvider) GetPolicyInfo(info policyprovider.IntegrationInfo, appInfo policyprovider.ApplicationInfo) ([]hexapolicy.PolicyInfo, error)
func (*AwsApiGatewayProvider) Name ¶
func (a *AwsApiGatewayProvider) Name() string
func (*AwsApiGatewayProvider) SetPolicyInfo ¶
func (a *AwsApiGatewayProvider) SetPolicyInfo(info policyprovider.IntegrationInfo, applicationInfo policyprovider.ApplicationInfo, policyInfos []hexapolicy.PolicyInfo) (status int, foundErr error)
type AwsApiGatewayProviderOpt ¶
type AwsApiGatewayProviderOpt func(provider *AwsApiGatewayProvider)
func WithCognitoClientOverride ¶
func WithCognitoClientOverride(cognitoClientOverride awscognito.CognitoClient) AwsApiGatewayProviderOpt
func WithPolicyStoreSvcOverride ¶
func WithPolicyStoreSvcOverride(policyStoreSvcOverride dynamodbpolicy.PolicyStoreSvc) AwsApiGatewayProviderOpt
type AwsApiGatewayProviderService ¶
type AwsApiGatewayProviderService struct {
// contains filtered or unexported fields
}
func NewAwsApiGatewayProviderService ¶
func NewAwsApiGatewayProviderService(cognitoClient awscognito.CognitoClient, policySvc dynamodbpolicy.PolicyStoreSvc) *AwsApiGatewayProviderService
func (*AwsApiGatewayProviderService) DiscoverApplications ¶
func (s *AwsApiGatewayProviderService) DiscoverApplications(_ policyprovider.IntegrationInfo) ([]policyprovider.ApplicationInfo, error)
func (*AwsApiGatewayProviderService) GetPolicyInfo ¶
func (s *AwsApiGatewayProviderService) GetPolicyInfo(appInfo policyprovider.ApplicationInfo) ([]hexapolicy.PolicyInfo, error)
func (*AwsApiGatewayProviderService) SetPolicyInfo ¶
func (s *AwsApiGatewayProviderService) SetPolicyInfo(appInfo policyprovider.ApplicationInfo, policyInfos []hexapolicy.PolicyInfo) (int, error)
Source Files
¶
Directories
Click to show internal directories.
Click to hide internal directories.