Sample Confluence HTML export

Rand McKinney edited this page Jul 25, 2016 · 2 revisions

This is the HTML export of Authentication, authorization, and permissions, a representative Confluence page.

<!DOCTYPE html>
<html>
    <head>
        <title>LoopBack in API Connect : Authentication, authorization, and permissions</title>
        <link rel="stylesheet" href="styles/site.css" type="text/css" />
        <META http-equiv="Content-Type" content="text/html; charset=UTF-8">
    </head>

    <body class="theme-default aui-theme-default">
        <div id="page">
            <div id="main" class="aui-page-panel">
                <div id="main-header">
                    <div id="breadcrumb-section">
                        <ol id="breadcrumbs">
                            <li class="first">
                                <span><a href="index.html">LoopBack in API Connect</a></span>
                            </li>
                                                </ol>
                    </div>
                    <h1 id="title-heading" class="pagetitle">
                                                <span id="title-text">
                            LoopBack in API Connect : Authentication, authorization, and permissions
                        </span>
                    </h1>
                </div>

                <div id="content" class="view">
                    <div class="page-metadata">
            Created by <span class='author'> Rand McKinney</span>, last modified on Jun 27, 2016
                        </div>
                    <div id="main-content" class="wiki-content group">
                    <p>    <div class="aui-message warning shadowed information-macro">
                    <p class="title">Prerequisites</p>
                            <span class="aui-icon icon-warning">Icon</span>
                <div class="message-content">
                            <ul><li style="line-height: 1.4285715;">Install <strong><a href="https://developer.ibm.com/apiconnect/" class="external-link" rel="nofollow">API Connect</a></strong> or <strong><a href="https://docs.strongloop.com/display/SL/Installing+StrongLoop">StrongLoop</a></strong>.</li><li style="line-height: 1.4285715;">Read <a href="https://docs.strongloop.com/display/APIC/LoopBack+core+concepts">LoopBack core concepts</a>.</li></ul>
                    </div>
    </div>
<div style="width: 250px; border: 1px solid green; border-radius: 5px; background-color: #E6E6E6; float: right; margin: 10px 0 0 15px; padding: 10px; font-size: 90%;">
<p style="margin-bottom: 0;">
<b>See also</b>:  <ul><li><a href="https://docs.strongloop.com/display/APIC/Managing+users" rel="nofollow">Managing users</a></li><li><a href="https://docs.strongloop.com/display/APIC/Third-party+login+using+Passport" rel="nofollow">Third-party login using Passport</a></li><li><a href="https://docs.strongloop.com/display/APIC/Using+built-in+models#Usingbuilt-inmodels-Accesscontrolmodels" rel="nofollow">Access control models</a></li><li><a href="https://docs.strongloop.com/display/LB/Tutorial%3A+access+control" rel="nofollow">Tutorial: access control</a></li><li><a href="Security-considerations_9634209.html" rel="nofollow">Security considerations</a></li></ul>
</p></div><br /><style type='text/css'>/*<![CDATA[*/
div.rbtoc1469472931409 {padding: 0px;}
div.rbtoc1469472931409 ul {list-style: disc;margin-left: 0px;}
div.rbtoc1469472931409 li {margin-left: 0px;padding-left: 0px;}

/*]]>*/</style><div class='toc-macro rbtoc1469472931409'>
<ul class='toc-indentation'>
<li><a href='#Authentication,authorization,andpermissions-Accesscontrolconcepts'>Access control concepts</a></li>
<li><a href='#Authentication,authorization,andpermissions-Generalprocess'>General process</a></li>
<li><a href='#Authentication,authorization,andpermissions-Exposingandhidingmodels,methods,andendpoints'>Exposing and hiding models, methods, and endpoints</a>
<ul class='toc-indentation'>
<li><a href='#Authentication,authorization,andpermissions-HidingmethodsandRESTendpoints'>Hiding methods and REST endpoints</a></li>
<li><a href='#Authentication,authorization,andpermissions-Read-Onlyendpointsexample'>Read-Only endpoints example</a></li>
<li><a href='#Authentication,authorization,andpermissions-Hidingendpointsforrelatedmodels'>Hiding endpoints for related models</a></li>
<li><a href='#Authentication,authorization,andpermissions-Hidingproperties'>Hiding properties</a></li>
</ul>
</li>
</ul>
</div></p><p>Most applications need to control who (or what) can access data or call services.  Typically, this involves requiring users to log in to access protected data, or requiring authorization tokens for other applications to access protected data.</p><p>For a simple example of implementing LoopBack access control, see the GitHub <a href="https://github.com/strongloop/loopback-example-access-control" class="external-link" rel="nofollow">loopback-example-access-control</a> repository.</p><p>LoopBack apps access data through models (see <a href="https://docs.strongloop.com/display/APIC/Defining+models">Defining models</a>), so controlling access to data means putting restrictions on models; that is, specifying who or what can read/write the data or execute methods on the models. </p><p>    <div class="aui-message problem shadowed information-macro">
                    <p class="title">Enabling LoopBack authentication</p>
                            <span class="aui-icon icon-problem">Icon</span>
                <div class="message-content">
                            <p>To enable access control, you must call <code>enableAuth()</code>. For example, in a boot script <code>server/boot/authentication.js</code>:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="theme: Emacs; brush: jscript; gutter: false" style="font-size:12px;">module.exports = function enableAuthentication(server) {
  server.enableAuth();
};</pre>
</div></div>
                    </div>
    </div></p><h2 id="Authentication,authorization,andpermissions-Accesscontrolconcepts">Access control concepts</h2><p>LoopBack's access control system is built around a few core concepts. </p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th class="confluenceTh">Term</th><th class="confluenceTh">Description</th><th class="confluenceTh">Responsibility</th><th class="confluenceTh">Example</th></tr><tr><td class="confluenceTd">Principal</td><td class="confluenceTd">An entity that can be identified or authenticated.</td><td class="confluenceTd">Represents identities of a request to protected resources.</td><td class="confluenceTd"><ul style="list-style-type: square;"><li>A user</li><li>An application</li><li>A role (please note a role is also a principal)</li></ul></td></tr><tr><td class="confluenceTd">Role</td><td class="confluenceTd">A group of principals with the same permissions.</td><td class="confluenceTd">Organizes principals into groups so they can be used.</td><td class="confluenceTd"><ul style="list-style-type: square;"><li>Dynamic role: <ul style="list-style-type: square;"><li>$everyone (for all users)</li><li>$unauthenticated (unauthenticated users)</li><li>$owner (the principal is owner of the model instance)<br /><br /></li></ul></li><li>Static role: admin (a defined role for administrators)</li></ul></td></tr><tr><td class="confluenceTd">RoleMapping</td><td class="confluenceTd">Assign principals to roles</td><td class="confluenceTd">Statically assigns principals to roles.</td><td class="confluenceTd"><ul style="list-style-type: square;"><li>Assign user with id 1 to role 1</li><li>Assign role 'admin' to role 1</li></ul></td></tr><tr><td colspan="1" class="confluenceTd">ACL</td><td colspan="1" class="confluenceTd">Access control list</td><td colspan="1" class="confluenceTd"><span>Controls if a principal can perform a certain operation against a model.</span></td><td colspan="1" class="confluenceTd"><ul style="list-style-type: 
square;"><li>Deny everyone access to the project model</li><li>Allow the 'admin' role to execute the find() method on the project model</li></ul></td></tr></tbody></table></div><h2 id="Authentication,authorization,andpermissions-Generalprocess">General process</h2><p>The general process to implement access control for an application is:</p><ol><li><strong>Specify user roles</strong>.  Define the user roles that your application requires.  For example, you might create roles for anonymous users, authorized users, and administrators. </li><li><strong>Define access for each role and model method</strong>.  For example, you might enable anonymous users to read a list of banks, but not allow them to do anything else.<br />LoopBack models have a set of built-in methods, and each method maps to either the READ or WRITE access type.  In essence, this step amounts to specifying whether access is allowed for each role and each Model + access type, as illustrated in the example below.</li><li><strong>Implement authentication</strong>: in the application, add code to create (register) new users, log in users (get and use authentication tokens), and log out users.</li></ol><p><h2 id="Authentication,authorization,andpermissions-Exposingandhidingmodels,methods,andendpoints">Exposing and hiding models, methods, and endpoints</h2><p>To expose a model over REST, set the <code>public</code> property to true in <code>/server/model-config.json</code>; setting it to false hides the model entirely, as this entry for the built-in <code>Role</code> model does:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="theme: Emacs; brush: jscript; gutter: false" style="font-size:12px;">...
  &quot;Role&quot;: {
    &quot;dataSource&quot;: &quot;db&quot;,
    &quot;public&quot;: false
  },
...</pre>
</div></div><h3 id="Authentication,authorization,andpermissions-HidingmethodsandRESTendpoints">Hiding methods and REST endpoints</h3><p>If you don't want to expose certain create, retrieve, update, and delete operations, you can easily hide them by calling <code><a href="https://apidocs.strongloop.com/loopback/#model-disableremotemethod" class="external-link" rel="nofollow">disableRemoteMethod()</a></code> on the model. For example, by convention custom model code goes in a file such as <code>common/models/location.js</code>; you would add the following lines there to &quot;hide&quot; one of the predefined remote methods:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>common/models/location.js</b></div><div class="codeContent panelContent pdl">
<pre class="theme: Emacs; brush: jscript; gutter: false" style="font-size:12px;">var isStatic = true;
MyModel.disableRemoteMethod(&#39;deleteById&#39;, isStatic);</pre>
</div></div><p>Now the <code>deleteById()</code> operation and the corresponding REST endpoint will not be publicly available.</p><p>For a method on the prototype object, such as <code>updateAttributes()</code>:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>common/models/location.js</b></div><div class="codeContent panelContent pdl">
<pre class="theme: Emacs; brush: jscript; gutter: false" style="font-size:12px;">var isStatic = false;
MyModel.disableRemoteMethod(&#39;updateAttributes&#39;, isStatic);</pre>
</div></div>    <div class="aui-message warning shadowed information-macro">
                            <span class="aui-icon icon-warning">Icon</span>
                <div class="message-content">
                            <p>Be sure to call <code>disableRemoteMethod()</code> on your own custom model, not one of the built-in models; in the example below, for instance, the calls are <code>MyUser.disableRemoteMethod()</code> <em>not</em> <code>User.disableRemoteMethod()</code>.</p>
                    </div>
    </div>
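The "Access control concepts" table and the "General process" steps earlier on this page describe principals, dynamic and static roles, RoleMappings and ACLs without showing how a decision is actually reached. The following is an added example, not LoopBack's own code: a small stand-in that uses LoopBack's ACL field names (`model`, `property`, `accessType`, `principalType`, `principalId`, `permission`) and the table's sample rules (deny everyone on the project model, allow the admin role to call find(), plus an owner rule), and maps each built-in method to READ or WRITE as step 2 describes. The role mappings and callers are constructed sample data, `$authenticated` is a LoopBack dynamic role not listed in the table, and the resolution rule ("most specific matching ACL wins, ties deny") is a deliberate simplification of LoopBack's real algorithm.

```javascript
// Added example, not LoopBack's own code: a minimal re-creation of the
// concepts in the table (principal, role, RoleMapping, ACL) and of step 2 of
// the general process (each built-in method maps to READ or WRITE).
// The resolution rule ("most specific matching ACL wins, ties deny") is a
// deliberate simplification of LoopBack's real algorithm.

// Built-in model methods and the access type each one maps to.
const ACCESS_TYPE_OF_METHOD = {
  find: 'READ', findById: 'READ', findOne: 'READ', count: 'READ', exists: 'READ',
  create: 'WRITE', upsert: 'WRITE', updateAll: 'WRITE',
  updateAttributes: 'WRITE', deleteById: 'WRITE',
};

// Dynamic roles are resolved per request from the context.
// ($authenticated is a LoopBack dynamic role not listed in the table.)
const DYNAMIC_ROLES = {
  $everyone: () => true,
  $unauthenticated: (ctx) => ctx.userId == null,
  $authenticated: (ctx) => ctx.userId != null,
  $owner: (ctx) => ctx.userId != null && ctx.instance != null &&
    ctx.instance.ownerId === ctx.userId,
};

// RoleMapping: statically assigns a principal (a user id here) to a role.
// Constructed sample data: user 1 is an admin.
const ROLE_MAPPINGS = [
  { principalType: 'USER', principalId: 1, roleName: 'admin' },
];

// ACLs using LoopBack's field names. Constructed to match the table's example:
// deny everyone on the project model, allow the admin role to call find(),
// and let the owner of an instance do anything with it.
const ACLS = [
  { model: 'project', principalType: 'ROLE', principalId: '$everyone',
    permission: 'DENY', accessType: '*', property: '*' },
  { model: 'project', principalType: 'ROLE', principalId: 'admin',
    permission: 'ALLOW', accessType: 'READ', property: 'find' },
  { model: 'project', principalType: 'ROLE', principalId: '$owner',
    permission: 'ALLOW', accessType: '*', property: '*' },
];

// Roles held by the caller: every dynamic role whose predicate holds, plus
// every static role the caller is mapped to.
function rolesFor(ctx) {
  const roles = Object.keys(DYNAMIC_ROLES).filter((r) => DYNAMIC_ROLES[r](ctx));
  for (const m of ROLE_MAPPINGS) {
    if (m.principalType === 'USER' && m.principalId === ctx.userId) roles.push(m.roleName);
  }
  return roles;
}

// Specificity score: a property match beats an access-type match, which beats
// a model-wide rule; a named role beats $everyone. -1 means "does not apply".
function score(acl, method, accessType) {
  let s = 0;
  if (acl.property === method) s += 4;
  else if (acl.property !== '*') return -1;
  if (acl.accessType === accessType) s += 2;
  else if (acl.accessType !== '*') return -1;
  if (acl.principalId !== '$everyone') s += 1;
  return s;
}

// Decide whether the caller described by ctx may invoke `method` on `model`.
// With no applicable ALLOW rule the answer is DENY (default deny).
function isAllowed(ctx, model, method) {
  const accessType = ACCESS_TYPE_OF_METHOD[method];
  if (!accessType) throw new Error(`unknown built-in method: ${method}`);
  const roles = rolesFor(ctx);
  let best = { score: -1, permission: 'DENY' };
  for (const acl of ACLS) {
    if (acl.model !== model || acl.principalType !== 'ROLE') continue;
    if (!roles.includes(acl.principalId)) continue;
    const s = score(acl, method, accessType);
    if (s < 0) continue;
    if (s > best.score) best = { score: s, permission: acl.permission };
    else if (s === best.score && acl.permission === 'DENY') best.permission = 'DENY';
  }
  return best.permission === 'ALLOW';
}

// Stand-alone demo: decisions for three constructed callers.
const SAMPLE_CALLERS = {
  anonymous: { userId: null },
  admin: { userId: 1 },
  owner: { userId: 2, instance: { ownerId: 2 } },
};
for (const [label, ctx] of Object.entries(SAMPLE_CALLERS)) {
  console.log(label, 'roles:', rolesFor(ctx).join(','),
    'find:', isAllowed(ctx, 'project', 'find'),
    'deleteById:', isAllowed(ctx, 'project', 'deleteById'));
}
```

The point worth noticing is the default: a caller who matches no ALLOW rule, or whose most specific match is the `$everyone` DENY, is refused, so the admin's property-level grant on `find()` does not leak into `deleteById()`, and `$owner` only applies when the request actually carries an instance whose `ownerId` is the caller.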
<p>Here's an example of hiding all methods of the <code>MyUser</code> model, except for <code>login</code> and <code>logout</code>:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="theme: Emacs; brush: jscript; gutter: false" style="font-size:12px;">MyUser.disableRemoteMethod(&quot;create&quot;, true);
MyUser.disableRemoteMethod(&quot;upsert&quot;, true);
MyUser.disableRemoteMethod(&quot;updateAll&quot;, true);
MyUser.disableRemoteMethod(&quot;updateAttributes&quot;, false);

MyUser.disableRemoteMethod(&quot;find&quot;, true);
MyUser.disableRemoteMethod(&quot;findById&quot;, true);
MyUser.disableRemoteMethod(&quot;findOne&quot;, true);

MyUser.disableRemoteMethod(&quot;deleteById&quot;, true);

MyUser.disableRemoteMethod(&quot;confirm&quot;, true);
MyUser.disableRemoteMethod(&quot;count&quot;, true);
MyUser.disableRemoteMethod(&quot;exists&quot;, true);
MyUser.disableRemoteMethod(&quot;resetPassword&quot;, true);

MyUser.disableRemoteMethod(&#39;__count__accessTokens&#39;, false);
MyUser.disableRemoteMethod(&#39;__create__accessTokens&#39;, false);
MyUser.disableRemoteMethod(&#39;__delete__accessTokens&#39;, false);
MyUser.disableRemoteMethod(&#39;__destroyById__accessTokens&#39;, false);
MyUser.disableRemoteMethod(&#39;__findById__accessTokens&#39;, false);
MyUser.disableRemoteMethod(&#39;__get__accessTokens&#39;, false);
MyUser.disableRemoteMethod(&#39;__updateById__accessTokens&#39;, false);</pre>
</div></div><h3 id="Authentication,authorization,andpermissions-Read-Onlyendpointsexample">Read-Only endpoints example</h3><p>You may want to expose only read-only operations on your model, hiding all POST, PUT, and DELETE verbs:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>common/models/model.js</b></div><div class="codeContent panelContent pdl">
<pre class="theme: Emacs; brush: js; gutter: false" style="font-size:12px;">Product.disableRemoteMethod(&#39;create&#39;, true);				// Removes (POST) /products
Product.disableRemoteMethod(&#39;upsert&#39;, true);				// Removes (PUT) /products
Product.disableRemoteMethod(&#39;deleteById&#39;, true);			// Removes (DELETE) /products/:id
Product.disableRemoteMethod(&quot;updateAll&quot;, true);				// Removes (POST) /products/update
Product.disableRemoteMethod(&quot;updateAttributes&quot;, false);		// Removes (PUT) /products/:id
Product.disableRemoteMethod(&#39;createChangeStream&#39;, true);	// removes (GET|POST) /products/change-stream</pre>
</div></div><p> </p><h3 id="Authentication,authorization,andpermissions-Hidingendpointsforrelatedmodels">Hiding endpoints for related models</h3><p>To disable REST endpoints for related model methods, use <a href="https://apidocs.strongloop.com/loopback/#model-disableremotemethod" class="external-link" rel="nofollow">disableRemoteMethod()</a>.  </p>    <div class="aui-message hint shadowed information-macro">
                            <span class="aui-icon icon-hint">Icon</span>
                <div class="message-content">
                            <p><span>For more information, see </span><a href="https://docs.strongloop.com/display/APIC/Accessing+related+models">Accessing related models</a><span>.</span></p>
                    </div>
    </div>
<p>For example, if there are post and tag models, where a post hasMany tags, add the following code to <code style="line-height: 1.4285715;">/common/models/post.js</code> to disable the remote methods for the related model and the corresponding REST endpoints: </p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>common/models/post.js</b></div><div class="codeContent panelContent pdl">
<pre class="theme: Emacs; brush: jscript; gutter: false" style="font-size:12px;">module.exports = function(Post) {
  Post.disableRemoteMethod(&#39;__get__tags&#39;, false);         // GET    /posts/:id/tags
  Post.disableRemoteMethod(&#39;__create__tags&#39;, false);      // POST   /posts/:id/tags
  Post.disableRemoteMethod(&#39;__destroyById__tags&#39;, false); // DELETE /posts/:id/tags/:fk
  Post.disableRemoteMethod(&#39;__updateById__tags&#39;, false);  // PUT    /posts/:id/tags/:fk
};</pre>
</div></div><h3 id="Authentication,authorization,andpermissions-Hidingproperties">Hiding properties</h3><p>To hide a property of a model exposed over REST, define a hidden property.  See <a href="https://docs.strongloop.com/display/APIC/Model+definition+JSON+file#ModeldefinitionJSONfile-Hiddenproperties">Model definition JSON file (Hidden properties)</a>.</p></p>
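The three sections above ("Hiding methods and REST endpoints", "Read-Only endpoints example" and "Hiding endpoints for related models") all rely on `disableRemoteMethod(name, isStatic)`, and the easiest mistake to make is the `isStatic` flag: `updateAttributes` and the `__verb__relation` methods live on the prototype, so passing `true` for them silently hides nothing. The following is an added example, not LoopBack's code: a `FakeModel` stand-in that keeps a table of the REST routes its built-in remote methods expose, applies the page's read-only and related-model recipes, and reports what is still reachable. The route table is constructed here from the well-known LoopBack 2.x defaults for a model exposed at `/products` (the verbs and paths shown in the comments of the read-only example) and the standard relation routes; `FakeModel`, `restRoutes`, `readOnlyProducts` and `postWithoutTagRoutes` are names introduced for this illustration.

```javascript
// Added example, not LoopBack's code: a stand-in model that tracks which REST
// routes its remote methods expose, so the effect of
// disableRemoteMethod(name, isStatic) can be checked without a server.
// Route table: constructed from the well-known LoopBack 2.x defaults.
function restRoutes(plural, relations) {
  const base = '/' + plural;
  const routes = {
    // static methods (isStatic === true)
    'static:create':             ['POST',     base],
    'static:upsert':             ['PUT',      base],
    'static:find':               ['GET',      base],
    'static:findById':           ['GET',      base + '/:id'],
    'static:findOne':            ['GET',      base + '/findOne'],
    'static:count':              ['GET',      base + '/count'],
    'static:exists':             ['GET',      base + '/:id/exists'],
    'static:updateAll':          ['POST',     base + '/update'],
    'static:deleteById':         ['DELETE',   base + '/:id'],
    'static:createChangeStream': ['GET|POST', base + '/change-stream'],
    // prototype methods (isStatic === false)
    'prototype:updateAttributes': ['PUT', base + '/:id'],
  };
  // Relation methods follow the __verb__relation naming used on the page.
  for (const rel of relations) {
    routes[`prototype:__get__${rel}`] = ['GET', `${base}/:id/${rel}`];
    routes[`prototype:__create__${rel}`] = ['POST', `${base}/:id/${rel}`];
    routes[`prototype:__delete__${rel}`] = ['DELETE', `${base}/:id/${rel}`];
    routes[`prototype:__count__${rel}`] = ['GET', `${base}/:id/${rel}/count`];
    routes[`prototype:__findById__${rel}`] = ['GET', `${base}/:id/${rel}/:fk`];
    routes[`prototype:__updateById__${rel}`] = ['PUT', `${base}/:id/${rel}/:fk`];
    routes[`prototype:__destroyById__${rel}`] = ['DELETE', `${base}/:id/${rel}/:fk`];
  }
  return routes;
}

class FakeModel {
  constructor(name, plural, relations = []) {
    this.modelName = name;
    this.routes = restRoutes(plural, relations);
  }

  // Same signature as on the page. Throws if the (name, isStatic) pair matches
  // nothing, which is exactly the wrong-flag mistake (e.g. updateAttributes
  // with isStatic === true) that would otherwise leave the endpoint exposed.
  disableRemoteMethod(name, isStatic) {
    const key = (isStatic ? 'static:' : 'prototype:') + name;
    if (!(key in this.routes)) {
      const kind = isStatic ? 'static' : 'prototype';
      throw new Error(`${this.modelName}: no ${kind} remote method '${name}'`);
    }
    delete this.routes[key];
  }

  // Routes still reachable over REST, as "VERB path" strings.
  exposed() {
    return Object.values(this.routes).map(([verb, path]) => `${verb} ${path}`).sort();
  }
}

// The read-only recipe from the page, applied to the stand-in.
function readOnlyProducts() {
  const Product = new FakeModel('Product', 'products');
  Product.disableRemoteMethod('create', true);
  Product.disableRemoteMethod('upsert', true);
  Product.disableRemoteMethod('deleteById', true);
  Product.disableRemoteMethod('updateAll', true);
  Product.disableRemoteMethod('updateAttributes', false);
  Product.disableRemoteMethod('createChangeStream', true);
  return Product.exposed();
}

// The related-model recipe: a Post hasMany tags, with four tag routes hidden.
function postWithoutTagRoutes() {
  const Post = new FakeModel('Post', 'posts', ['tags']);
  Post.disableRemoteMethod('__get__tags', false);
  Post.disableRemoteMethod('__create__tags', false);
  Post.disableRemoteMethod('__destroyById__tags', false);
  Post.disableRemoteMethod('__updateById__tags', false);
  return Post.exposed();
}

// Stand-alone demo: list what each recipe leaves reachable.
console.log('read-only Product:', readOnlyProducts());
console.log('Post without tag routes:', postWithoutTagRoutes());
```

Running it shows that the read-only recipe leaves only GET routes, while the related-model recipe still exposes `GET /posts/:id/tags/:fk`, `GET /posts/:id/tags/count` and `DELETE /posts/:id/tags`: hiding four relation methods is not the same as hiding the relation, so enumerate what remains rather than assuming. The real `disableRemoteMethod()` does not throw on a wrong `isStatic` flag, which is why a check like this (or an inspection of the explorer) belongs in a test.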
                    </div>
                </div>             </div> 
            <div id="footer" role="contentinfo">
                <section class="footer-body">
                    <p>Document generated by Confluence on Jul 25, 2016 11:55</p>
                    <div id="footer-logo"><a href="http://www.atlassian.com/">Atlassian</a></div>
                </section>
            </div>
        </div>     </body>
</html>