i have a requirement, i want to call list of REST services which have different security mechanisms, like, some may have HTTPS and others may have naked HTTP, few others may have basic authentication and remaining may require a "Authorization header" . i want to call all these REST services with different service mechanism from a single HTTP OUT BOUND END POINT . how can i configure the HTTP endpoint to accomplish this ? or should i use different end points to accomplish my requirement .
You can't do that. Some of the attributes of the Http connector/endpoints can be configured as an expression but not all of them.
You'll have to leverage a choice-router and a number of http and https endpoints.
Different service mechanism requires different configuration...
If you want to do it in a single flow, as Victor said you need to use choice router and based on certain condition it will call the rest service it required...
and in each Choice block, you have to configure the calling of each type of rest service with it's security mechanism
Related
I have some REST APIs my backend server listens for (I used node express).
I want to use my friendly url api.mywebsite.com to forward all routes to horribleuglybackendname.aws.com, e.g.
api.mywebsite.com/some/route -> horribleuglybackendname.aws.com/some/route
I want to use API gateway to simply forward any routes to my backend. If I create a HTTP API (not REST) this seems easy to do but if I create a REST API I cannot see how to configure it. Perhaps you can't? If you can't why not? What is the alternative?
Thanks
So it seems $default is for HTTP APIs only. The UI is different between HTTP and REST API configuration. If you want to do a catch-all route for REST APIs you need to use {proxy+}.
This is good (ctrl-f for catch-all and you should be set)
https://aws.amazon.com/blogs/aws/api-gateway-update-new-features-simplify-api-development/
Looking into using Istio to handle Authorization for an application built on a microservices architecture in Kubernetes.
One thing we're looking to accomplish is to decouple the authorization of a service by utilizing Istio Authorization.
Our API Gateway (Kong) will handle the verification/parsing of the JWT tokens and pass along any required attributes (usernames, groups, roles etc) as headers e.g. x-username: homer#somewhere.com (abstracts that from the services)
What we want to accomplish is along with verifying based on roles etc we also want to ensure that the x-username is also the owner of the resource e.g. if they are accessing:
/user/{userID}/resource
That would mean if userId matches the value of the x-username header we can continue serving the request, otherwise we'll send a 401 etc
Is there a way to configure this as part of Istio Authorization?
Thanks in advance for your time
What you're looking for is attribute based access control (abac). Look into authorization engines e.g. Axiomatics that plug straight into Kong and provides that level of access control (ownership check).
Kong authorization handler on GitHub
Technical webcast on the integration
You could also choose to call Axiomatics from Isitio using an adapter based on Istio's authorization template.
Policies in Axiomatics are written using either XACML or ALFA which are the 2 OASIS standards for ABAC / fine-grained authorization.
You could easily write a condition along the lines of:
rule checkOwner{
deny
condition not(owner==user.uid)
}
BTW you probably want to send back a 403 rather than 401. The latter refers to failed authentication.
Question
Can I get nginx to call another microservice inside of AKS k8s prior to it routing to the requested api? - the goal being to speed up requests (fewer hops) and simplify build and deployment (fewer services).
Explanation
In our currently deployed Azure AKS (Kubernetes) cluster, we have an additional service I was hoping to replace with nginx. It's a routing microservice that calls out to a identity API prior to doing the routing.
The reason is a common one I'd imagine, we recieve some kind of authentication token via some pre-defined header(s) (the standard Authorization header, or sometimes some bespoke ones used for debug tokens, and impersonation), we call from the routing API into the identity API with those pre-defined headers and get a user identity object in return.
We then pass on this basic user identity object into the microservices so they have quick and easy access to the user and roles.
A brief explanation would be:
Nginx receives a request, off-loads SSL and route to the requested service.
Routing API takes the authorization headers and makes a call to the Identity API.
Identity API validations the authorization information and returns either an authorization error (when auth fails), or a serialized user identity object.
Router API either returns there and then, for failure, or routes to the requested microservice (by cracking the request path), and attaches the user identity object as a header.
Requested microservice can then turn that user identity object into a Claims Principal in the case of .NET Core for example.
There are obviously options for merging the Router.API and the UserIdentity.API, but keeping the separation of concerns seems like a better move. I'd just to remove the Route.API, in-order to maintain that separation, but get nginx to do that work for me.
ProxyKit (https://github.com/damianh/ProxyKit) could be a good alternative to nginx - it allows you to easily add custom logic to certain requests (for example I lookup API keys based on a tenant in URL) and you can cache the responses using CacheCow (see a recipe in ProxyKit source)
I have a service connecting to an enterprise service which I have no control over. The service requires I make a call to it to initiate a ping to a device and then make subsequent calls to it to get the status. After 20 or so seconds I will get the status back.
I have been thinking of a rest pattern and just getting stuck on the fact that it is not truly restful Id like to reach out for feedback and get some opinions. I could just do a normal get /device/status and hit it over and over again? Or i could break up the call into /device/ping and /device/status or something like that. Any ideas are appreciated!
Thanks
For status, REST standards would suggest a format of '/device/{deviceId}/status'. But if the enterprise service you are connecting to does not support multiple devices; you could go for '/device/status' with 'GET' http verb.
You could use '/device/status' with 'HEAD' http verb as an exposure for the ping call
I will suggest to return the a JMS queue URL in location header in API response. Usually, in device management applications, separate JMS server is deployed. Make use of it - if it's there.
Take a hint from here.
.
To be really RESTFul, a service should comply to REST rules such as using the correct http operation (GET, POST, PUT etc..) for each scenario, e.g use POST to create a new resource or GET to get a resource without modifying the global state.
However, cross-domain calls that use the JSONP approach works only with GET operation by nature.
How do you do to both respect REST rules (meaning we can have some methods that will be accessible only by POST ing a data to them) and make your service accepting cross domain calls ? Is there some best practices to achieve that ?
Thanks !
Riana