How to enforce separate authentication for different REST endpoints of kie-server ?

Solution Unverified - Updated -

Issue

  • Users can create an instance of a process, start/complete tasks, and execute Drools rules using the kie-server REST endpoints. Many customers are now using RHSSO 7 integrated with BPMS 6.3.x to authenticate and authorize users to use the API via the kie-server role.
  • But even with RHSSO it does not seem to be a good idea to expose the complete kie-server REST API to JavaScript-based applications accessible from internet browsers. Is there any recommendation for enforcing kie-server security at a more fine-grained level?
  • Is it even possible to remove/restrict some kie-server REST endpoints for external client access? Or is it required to build a separate service facade to implement this kind of REST endpoint restriction? For example:

    (1) Create specific roles for different endpoint groups. The RHSSO integration says that users should be given the kie-server role to access those endpoints, but it might be possible to create different roles, like:

        kie-server-brms
        kie-server-processes
        kie-server-processdefinitions
        kie-server-usertasks
        kie-server-processinstances
        kie-server-queryprocess
        kie-server-querytasks
        kie-server-advancedqueries
        kie-server-jobexecution

    (2) Restrict ruleflow-group execution for specific users while deploying the rules to various containers, and restrict access to the container to those user groups.

        userRoleA - can execute only rule-group rulesA
        userRoleB - can execute only rule-group rulesB

    (3) Restrict access to containers created at kie-server/container for specific roles.

        roleA can use CONTAINER A
        roleB can use CONTAINER B

    (4) Just as a user can choose capabilities (process runtime, rule runtime) at the kie-server level, allow users to further customize which endpoints each container should have access to.

        CONTAINERA has only rules-related commands
        CONTAINERB has only process instance or task-related commands
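As an added illustration of proposal (1), not taken from the article or from the kie-server project: standard Servlet `security-constraint` entries in kie-server's `WEB-INF/web.xml` can require different roles for different URL prefixes, because the servlet container evaluates them before any JAX-RS code runs. The endpoint prefixes under `/services/rest/server` and the extra role names are assumptions for BPMS 6.3 and must be checked against the deployed WAR.

```xml
<!-- Added example (not from the article). Two extra constraints layered on
     the default one that maps /* to the kie-server role. The container applies
     the constraint with the most specific url-pattern, so /jobs/* and
     /queries/* are governed by their own role instead of the catch-all.
     Paths and role names below are assumed for BPMS 6.3; verify them. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>kie-server job execution</web-resource-name>
    <url-pattern>/services/rest/server/jobs/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>kie-server-jobexecution</role-name>
  </auth-constraint>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>kie-server advanced queries</web-resource-name>
    <url-pattern>/services/rest/server/queries/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>kie-server-advancedqueries</role-name>
  </auth-constraint>
</security-constraint>

<!-- Catch-all: everything not matched above still requires kie-server -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>kie-server</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>kie-server</role-name>
  </auth-constraint>
</security-constraint>

<!-- Each role referenced above must be declared so the RHSSO adapter can
     map realm roles onto it -->
<security-role><role-name>kie-server</role-name></security-role>
<security-role><role-name>kie-server-jobexecution</role-name></security-role>
<security-role><role-name>kie-server-advancedqueries</role-name></security-role>
```

Because `url-pattern` matches by path prefix only, this cannot separate rule execution from process operations that share the `/containers/` prefix; that split needs a servlet filter or the separate facade the question anticipates.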

Environment

  • Red Hat JBoss BPM Suite (BPMS)
    • 6.3.0
  • Red Hat Single Sign On (RHSSO)
    • 7
