How to enforce separate authentication for different REST endpoints of kie-server?
Issue
- Users can create process instances, start/complete tasks and execute Drools rules using the kie-server REST endpoints. Many customers are now using RHSSO 7 integrated with BPMS 6.3.x to authenticate and authorize users of the API via the kie-server role.
- But even with RHSSO it does not seem to be a good idea to expose the complete kie-server REST API to JavaScript-based applications accessible over internet browsers. Is there any recommendation to enforce kie-server security at a more fine-grained level?
- Is it even possible to remove/restrict some kie-server REST endpoints for external client access? Or is it required to build a separate service facade to implement this kind of REST endpoint restriction?
e.g. (1) Create specific roles for different endpoint groups.
The RHSSO integration says that users should be given the kie-server role to access those endpoints. But it might be possible to create different roles, like
kie-server-brms
kie-server-processes
kie-server-processdefinitions
kie-server-usertasks
kie-server-processinstances
kie-server-queryprocess
kie-server-querytasks
kie-server-advancedqueries
kie-server-jobexecution
(2) Restrict ruleflow-group execution for specific users while deploying the rules to various containers and restrict access for the container to those user groups.
userRoleA - can execute only rule-group rulesA
userRoleB - can execute only rule-group rulesB
(3) Restrict access to containers created at kie-server/container for specific roles.
roleA can use CONTAINER A
roleB can use CONTAINER B
(4) Just like user can choose capabilities (process runtime, rule runtime) at Kie-Server level, allow users to further customize which endpoints each container should have access to.
CONTAINERA has only Rules related commands
CONTAINERB has only Process Instance or Task related commands
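As an added illustration of options (1) and (3), not a recommendation from this page or from Red Hat: the standard Java EE mechanism for binding URL patterns to roles is a set of security-constraint entries in the kie-server WAR's WEB-INF/web.xml. The URL patterns below assume the BPMS 6.3 kie-server REST layout under /services/rest/server and the container ids CONTAINER-A and CONTAINER-B from the question; the role names are the ones proposed above and are assumed to be defined in the RHSSO realm. Verify every pattern against the deployed version before relying on it.

```xml
<!-- Added example: fine-grained role mapping for groups of kie-server REST URLs.
     Assumptions: BPMS 6.3 REST layout under /services/rest/server, role names
     from option (1) present in the RHSSO realm, container ids from option (3). -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

  <!-- Option (1): one role per endpoint group. Servlet url-patterns only allow a
       trailing wildcard, so groups can be split at the path-prefix level only. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>process instance queries</web-resource-name>
      <url-pattern>/services/rest/server/queries/processes/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>kie-server-queryprocess</role-name></auth-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>task queries</web-resource-name>
      <url-pattern>/services/rest/server/queries/tasks/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>kie-server-querytasks</role-name></auth-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>job execution</web-resource-name>
      <url-pattern>/services/rest/server/jobs/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>kie-server-jobexecution</role-name></auth-constraint>
  </security-constraint>

  <!-- Option (3): whole containers restricted to a role. Rule commands, process
       starts and task operations for a container all live under its id, so a
       per-container prefix covers them together (but cannot split them apart). -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>container A</web-resource-name>
      <url-pattern>/services/rest/server/containers/CONTAINER-A/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>roleA</role-name></auth-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>container B</web-resource-name>
      <url-pattern>/services/rest/server/containers/CONTAINER-B/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>roleB</role-name></auth-constraint>
  </security-constraint>

  <!-- Everything else (container management, server info) stays behind the
       original coarse role shipped in the kie-server web.xml. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>kie-server catch-all</web-resource-name>
      <url-pattern>/services/rest/server/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>kie-server</role-name></auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>KIE Server</realm-name>
  </login-config>
</web-app>
```

Two caveats worth checking before adopting this shape. First, the Servlet specification selects the best-matching url-pattern, so a request to /queries/tasks/... is governed only by the kie-server-querytasks constraint and no longer requires the kie-server role at the container level; if the kie-server application code itself still checks for that role, grant it as well (for example via a composite role in RHSSO). Second, because process and task endpoints of a container sit under the same /containers/{id}/ prefix as its rule-execution commands, option (4) (different endpoint sets per container) cannot be expressed with web.xml patterns alone; that is the case where the separate service facade mentioned in the question, or a filter inspecting the path beyond the container id, becomes necessary.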
Environment
- Red Hat JBoss BPM Suite (BPMS)
- 6.3.0
- Red Hat Single Sign On (RHSSO)
- 7
