How to enforce separate authentication for different REST endpoints of kie-server?
Issue
- Users can create an instance of a process, start/complete tasks, and execute Drools rules using the kie-server REST endpoints. Many customers are now using RHSSO 7 integrated with BPMS 6.3.x to authenticate and authorize users to use the API using the kie-server role.
- But even with RHSSO it does not seem to be a good idea to expose the complete kie-server REST API to JavaScript-based applications accessible over internet browsers. Is there any recommendation to enforce the kie-server security at a more fine-grained level?
- Is it even possible to remove/restrict some kie-server REST endpoints for external client access? Or is it required to build a separate service facade to implement this kind of REST endpoint restriction? e.g.:
(1) Create specific roles for different endpoint groups. The RHSSO integration says that users should be given the kie-server role to access those endpoints. But it might be possible to create different roles, like:
kie-server-brms
kie-server-processes
kie-server-processdefinitions
kie-server-usertasks
kie-server-processinstances
kie-server-queryprocess
kie-server-querytasks
kie-server-advancedqueries
kie-server-jobexecution
(2) Restrict ruleflow-group execution for specific users while deploying the rules to various containers, and restrict access for the container to those user groups.
userRoleA - can execute only rule-group rulesA
userRoleB - can execute only rule-group rulesB
(3) Restrict access to containers created at kie-server/container for specific roles.
roleA can use CONTAINER A
roleB can use CONTAINER B
(4) Just like a user can choose capabilities (process runtime, rule runtime) at the kie-server level, allow users to further customize which endpoints each container should have access to.
CONTAINERA has only rules-related commands
CONTAINERB has only process instance or task-related commands
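One way options (1), (3) and (4) above can be approximated without a separate facade is at the servlet layer: kie-server.war ships a WEB-INF/web.xml whose single security-constraint maps /* to the kie-server role, and that constraint can be split into narrower URL patterns, each allowing a different role. The fragment below is an added example written for this article; it is not part of the original question or of the kie-server product. The role names and the container id CONTAINERA are the hypothetical ones from the question, and the REST paths assume the BPMS 6.3 layout (context root /kie-server, JAX-RS resources under /services/rest, rules executed by POST to the container path and to the generic command endpoint under containers/instances/); those paths must be verified against the resources actually present in the deployed WAR.

```xml
<!-- Added example, not from the original article or from the kie-server product.
     Splits the single "/*" -> kie-server security-constraint of kie-server.war's
     WEB-INF/web.xml into per-role URL patterns. Role names and the container id
     CONTAINERA come from the question; REST paths assume the BPMS 6.3 layout and
     are an assumption to verify against the deployed WAR. -->

<!-- Fail-closed default: any path not matched by a narrower pattern below still
     requires the original, fully privileged kie-server role. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>kie-server-all</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>kie-server</role-name>
  </auth-constraint>
</security-constraint>

<!-- Rules execution against CONTAINERA only (option 3, rules-only part of option 4).
     Both the container path and the generic command endpoint that carries the
     container id after /instances/ are listed: a command batch POSTed to the latter
     drives the same container, so restricting only the first path would leave a
     second route to the container open. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>containerA-rules</web-resource-name>
    <url-pattern>/services/rest/server/containers/CONTAINERA</url-pattern>
    <url-pattern>/services/rest/server/containers/instances/CONTAINERA</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>kie-server</role-name>
    <role-name>kie-server-brms</role-name>
  </auth-constraint>
</security-constraint>

<!-- Process-instance endpoints of CONTAINERA (option 4 for a process container). -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>containerA-processes</web-resource-name>
    <url-pattern>/services/rest/server/containers/CONTAINERA/processes/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>kie-server</role-name>
    <role-name>kie-server-processinstances</role-name>
  </auth-constraint>
</security-constraint>

<!-- User-task endpoints of CONTAINERA. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>containerA-tasks</web-resource-name>
    <url-pattern>/services/rest/server/containers/CONTAINERA/tasks/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>kie-server</role-name>
    <role-name>kie-server-usertasks</role-name>
  </auth-constraint>
</security-constraint>

<!-- Cross-container query endpoints (option 1, one role per endpoint group). -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>queries</web-resource-name>
    <url-pattern>/services/rest/server/queries/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>kie-server</role-name>
    <role-name>kie-server-queryprocess</role-name>
  </auth-constraint>
</security-constraint>

<!-- Every role referenced above must also be declared, so that the RHSSO adapter
     can map realm roles onto it. -->
<security-role><role-name>kie-server</role-name></security-role>
<security-role><role-name>kie-server-brms</role-name></security-role>
<security-role><role-name>kie-server-processinstances</role-name></security-role>
<security-role><role-name>kie-server-usertasks</role-name></security-role>
<security-role><role-name>kie-server-queryprocess</role-name></security-role>
```

Two properties of the servlet specification decide how this behaves. First, for each request the container selects only the single best-matching url-pattern and applies the constraints declared on it, so the exact pattern for /services/rest/server/containers/CONTAINERA takes precedence over /* for that path, while a sibling such as /services/rest/server/containers/CONTAINERA/release-id falls back to /* and stays restricted to kie-server. Second, no http-method elements are used on purpose: on a Servlet 3.0 container such as EAP 6.4, listing methods leaves the unlisted ones unconstrained, and deny-uncovered-http-methods is not available to close that gap. The approach is coarse by design: a holder of kie-server-processinstances can start any process in CONTAINERA, and per-task ownership is still left to the jBPM human task service; option (2), limiting individual ruleflow-groups to users, cannot be expressed by URL patterns at all and needs logic inside the rules or a facade. Note also that editing the product WAR's web.xml is overwritten by patches and upgrades and should be confirmed with Red Hat support before relying on it, and that every path in the allow-list should be checked against the JAX-RS resources of the exact kie-server version deployed, since a single forgotten endpoint that accepts commands in its body defeats a path-based allow-list.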
Environment
- Red Hat JBoss BPM Suite (BPMS) 6.3.0
- Red Hat Single Sign On (RHSSO) 7