stratos-dev mailing list archives

From Pradeep Fernando <pradee...@gmail.com>
Subject Re: RESTful API for Stratos Controller
Date Fri, 04 Oct 2013 17:27:17 GMT
Hi Devs,


I have implemented the above feature and the patch can be found at [1].

*How it works*

- The web-app to Carbon runtime state exchange happens via OSGi services
- The JAX-RS application is using Apache CXF as the REST engine
- Authentication and Authorization of incoming requests are handled using
two separate JAX-RS providers registered against the service class
- Authentication/Authorization is closely integrated with the underlying
Carbon authentication/authorization framework
- I have defined two new annotation classes to capture method level
permission details
    * @AuthorizationAction("PermissionString") - allows the admin service
writer to annotate a certain operation with a permission string. Requests get
authorized only if the invoking user has enough permissions
    * @SuperTenantService (true|false) - only the super-tenant user can
access the service
- At deployment time, the authorization handler gets injected with the
service bean. It processes all the authorization related annotations and
builds an information model. When a request comes in, it verifies the
expected permission against the permission the caller bears.

*Challenges/Approaches that did not work.*

The CXF project provides an AuthorizationFilter called
SimpleAuthorizationFilter [2] for JAAS-based request authorization. It uses
the @RolesAllowed annotation to identify authorized users. However, it does
not suit the Carbon authorization system well. Hence I came up with my own
annotation types, which closely resemble the params used in existing WS admin
services.


*Authentication mechanism is pluggable*

 - Right now there is only one authenticator. It uses basic-auth to
authenticate incoming requests. It is possible to plug in other kinds of
authenticators.

*How to write your new RESTful admin service*

    import javax.ws.rs.Consumes;
    import javax.ws.rs.POST;
    import javax.ws.rs.Path;
    import javax.ws.rs.Produces;
    // @AuthorizationAction and @SuperTenantService are the two new
    // annotation classes introduced by the patch in [1].

    @POST
    @Path("/tenant/create")
    @Consumes("application/json")
    @Produces("application/json")
    @AuthorizationAction("/permission/protected/manage/monitor/tenants")
    @SuperTenantService(true)
    public String addTenant(TenantInfoBean tenantInfoBean) {
      // Operation body omitted in this snippet; return a success marker.
      return "success";
    }

*Sample Request from CURL*

curl -X POST -H "Content-Type: application/json" \
  -d '{"tenantInfo":{"admin":"admin","firstname":"Frank","lastname":"Myers","adminPassword":"admin123","email":"foo@bar.com","tenantDomain":"frank.com"}}' \
  -v -u admin:admin \
  https://localhost:9443/stratos/admin/tenant/create


*TODO*

This is more of the framework for implementing RESTful admin APIs. I have
implemented two operations for the moment. We have to populate the service
bean with the rest of the API. It's a matter of porting existing code to the new
service bean. What is more important is to carefully design the REST endpoints.

Unlike WS endpoints, we have to be careful with the REST endpoint: where the
parameter goes in the endpoint, the HTTP method used, etc. I will spawn a
separate thread on the topic.

I have applied the patches to the JIRA. Would be great if the code can be
committed to the main trunk. :)


[1] https://issues.apache.org/jira/browse/STRATOS-90
[2] http://cxf.apache.org/docs/secure-jax-rs-services.html

thanks,
--Pradeep
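Added example (not part of the original mail or of the Stratos patch): a stand-alone Java sketch of the two phases described under "How it works", the deployment-time scan of the service bean's annotations into an information model, and the request-time check of expected permission against the caller's permissions and super-tenant status. The annotation declarations, the SampleService bean and the deny-by-default rule for operations without @AuthorizationAction are assumptions made for this example.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Stand-ins (assumed) for the two method-level annotations described in the mail.
@Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
@interface AuthorizationAction { String value(); }
@Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
@interface SuperTenantService { boolean value(); }

public class AuthorizationModel {
    // What the handler records about each annotated operation.
    record Rule(String permission, boolean superTenantOnly) {}
    private final Map<String, Rule> rules = new HashMap<>();
    // Deployment time: scan the injected service bean once and build the model.
    AuthorizationModel(Class<?> serviceBean) {
        for (Method m : serviceBean.getDeclaredMethods()) {
            AuthorizationAction a = m.getAnnotation(AuthorizationAction.class);
            SuperTenantService s = m.getAnnotation(SuperTenantService.class);
            if (a != null) rules.put(m.getName(), new Rule(a.value(), s != null && s.value()));
        }
    }
    // Request time: expected permission vs. the permissions the caller bears.
    // Operations without @AuthorizationAction are denied (deny-by-default assumption).
    boolean isAuthorized(String op, Set<String> callerPermissions, boolean callerIsSuperTenant) {
        Rule r = rules.get(op);
        if (r == null) return false;
        if (r.superTenantOnly() && !callerIsSuperTenant) return false;
        return callerPermissions.contains(r.permission());
    }
    // Constructed sample bean mirroring the addTenant operation shown in the mail.
    static class SampleService {
        @AuthorizationAction("/permission/protected/manage/monitor/tenants")
        @SuperTenantService(true)
        public String addTenant(String tenantInfo) { return "success"; }
        public String ping() { return "pong"; }
    }
    public static void main(String[] args) {
        AuthorizationModel model = new AuthorizationModel(SampleService.class);
        Set<String> perms = Set.of("/permission/protected/manage/monitor/tenants");
        System.out.println(model.isAuthorized("addTenant", perms, true));
        System.out.println(model.isAuthorized("addTenant", perms, false));
        System.out.println(model.isAuthorized("ping", perms, true));
    }
}
```

The second and third calls are refused: a tenant user with the right permission string is still blocked by @SuperTenantService(true), and an operation nobody annotated gets no permission model and so is never authorized.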
