...
Application Consumer - It is our Application itself which uses the consumer JWT key to access the API’s.
External Consumers - Users/Applications which are external/Third Party.
Internal Consumers - Users which are working as part of organization.
Fork the sunbird repo and edit kong-api/defaults/main.yml file and raise a PR.
| Code Block |
|---|
git clone https://github.com/YourGitId/sunbird-devops.git
vi kong-consumer/defaults/main.yml
# Raise a PR to latest release branch in sunbird-devops |
CONSUMER ACL[ACCESS CONTROL LISTS]
These play a vital role in providing permissions for the consumers and they need to be taken special care. We have categorized ACLs in entities and roles. Each entity will have SuperAdmin, Admin, Create, Update, Access roles. Like for instance org API’s the below permissions.
ENTITY | Reason For ACL Creation | ROLE |
app | application configuration related APIS | SuperAdmin - [ Super Natural Powers ] |
content | content related apis | Admin - [ Audit, vaildate, flag, retires, block ] |
course | course and batch related apis | Update - [ Update, Sync ] |
data | data related apis | Access - [ Get, List, Read, Enroll ] |
dialcode | dial related apis | Create - [ Create ] |
channel | channel related apis | Temp - [temporary ACL for API's which are kept for legacy purpose and will be removed in a period of 6 months] |
sso | echo api for sso authentication | |
kongConsumer | onboard consumers, kong consumer apis | |
location | location apis | |
mobile | mobile app, mobile device apis | |
mobileOpenRAP | openrap apis | |
mobileTeacherAid | teacheraid apis | |
note | note related apis | |
org | org, tenants related apis | |
experiment | experiment related apis | |
user | user related APIs | |
framework | used for framework and master category and term apis | |
page | page section related apis | |
announcement | announcement related apis | |
device | device profile or device register apis | |
badge | badge related apis | |
telemetry | telemetry related apis | |
assertion | assertion related apis | |
license | neo4j license and other license related apis | |
object | object related apis | |
form | forms related apis | |
plugin | plugin related apis | |
certificate | certificate related apis | |
itemSet | itemset related apis | |
desktop | desktop app, desktop device apis |
for instance we have createOrg API as mentioned in this document and it clearly belongs to Entity “org” and ROLE as create so all our For instance org API’s will have the ACL’s as per the standards mentioned below Entity and role mapping as described in the above table. If there is any need for new entities then it can be added on demand.below table.
ORG APIS | PERMISSIONS |
orgSuperAdmin | Bulk Upload/Delete of organisations |
orgAdmin | Add/Remove member from organisation |
orgCreate | create organisation |
orgUpdate | Update organisation details |
orgAccess | read organisation details |
CREATING CONSUMERS:
As mentioned Above we have 3 types of consumers, we can create new consumers by updating the variable in the private inventory as mentioned below.
| Code Block |
|---|
# Consumer groups with ACL mapping username1_acls: - orgCreate username2_acls: - orgAccess # Consumers to be on-boarded with consumer group kong_consumers: - username: kong_username1-user groups: "{{ username1_acls }}" state: present - username: kong_username2-user groups: "{{ username2_acls }}" state: absent |
Line 1 describes how you can add a consumer group where you provide list of ACL’s which consumer will get access to.
Line 9 This block contains the consumers to acl definition, here we provide the consumer name username as kong_username -user and the groups the user needs access to, which was defined in the line 1.
...