How can I set policies for an API role?
I’ve cloned user, and am now trying to add more GET policies. However, it looks like ‘GET’ /system/something, ‘POST’ etc. can’t be added as NewPolicy - only GroupFull etc. are available.
Can this be done in the UI?
Or only using POST /system/roles?
Or do I need to post a new policy, POST /system/policies?
Best Answer
It doesn't appear you can use the UI to do this. The only things available in the UI are the default policies.
However, you can approach this 1 of 2 ways, which you've kind of laid out above. You can re-create the role via API with the specific API policies, as you see with what is similar to the user role.
i.e.:
curl -X POST "http://IP:9000/api/v1/system/roles" -H "accept: application/json" -H "Authorization: Bearer TOKEN" -H "Content-Type: application/json" -d '{"id":"api_user","policy":["GET /master/groups","GET /system/info","GET /system/info/*","GET /system/logs","GET /system/logs/search","GET /system/logs/notifications.log","GET /system/logs/group/${groupName}/*","GET /system/settings","GET /system/settings/*","GET /system/instance/distributed","GET /system/instance/distributed/*","GET /version"]}'
However, if you already have the role created, you can then use the API to create a new policy and just apply it to that role:
i.e.:
curl -X POST "http://IP:9000/api/v1/system/policies" -H "accept: application/json" -H "Authorization: Bearer TOKEN" -H "Content-Type: application/json" -d '{"id":"api_policy","template":["GET /master/groups","GET /system/info","GET /system/info/*","GET /system/logs","GET /system/logs/search","GET /system/logs/notifications.log","GET /system/logs/group/${groupName}/*","GET /system/settings","GET /system/settings/*","GET /system/instance/distributed","GET /system/instance/distributed/*","GET /version"]}'
Something like the above will create a policy with the specific attributes that you need and then you can assign it to the existing role.
0
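A pre-flight check for the policy payload in the answer above, as an added example that is not part of the original thread or the product's own tooling: it keeps `${groupName}` literal by using a quoted heredoc and refuses any template entry that is not a `GET`, so a write verb cannot slip into a read-only API role. The function names are hypothetical; the endpoint, the `api_policy` id and the entries are the ones from the answer, and it assumes `${groupName}` is meant to reach the API as a literal placeholder.

```shell
#!/bin/sh
# Added example: policy_entries, lint_read_only and build_policy are hypothetical names.

# Template entries from the answer, one per line. The quoted heredoc ('EOF')
# stops the shell from expanding ${groupName}; inside a double-quoted -d string
# an unset groupName would silently turn the entry into "GET /system/logs/group//*".
policy_entries() {
cat <<'EOF'
GET /master/groups
GET /system/info
GET /system/info/*
GET /system/logs
GET /system/logs/search
GET /system/logs/notifications.log
GET /system/logs/group/${groupName}/*
GET /system/settings
GET /system/settings/*
GET /system/instance/distributed
GET /system/instance/distributed/*
GET /version
EOF
}

# Reads entries on stdin, prints every entry that is not "GET /path"
# (no spaces, quotes or backslashes in the path) and returns non-zero
# if any such entry was found.
lint_read_only() {
    bad=$(grep -v -E '^GET /[^[:space:]"\\]*$' || true)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Reads entries on stdin and prints the JSON body for POST /system/policies.
# Entries are embedded unescaped, so run lint_read_only on them first.
build_policy() {
    id=$1
    list=$(sed 's/.*/"&"/' | paste -sd, -)
    printf '{"id":"%s","template":[%s]}\n' "$id" "$list"
}

# Usage (IP and TOKEN are the placeholders from the answer):
#   policy_entries | lint_read_only &&
#   policy_entries | build_policy api_policy |
#     curl -X POST "http://IP:9000/api/v1/system/policies" \
#       -H "Authorization: Bearer TOKEN" -H "Content-Type: application/json" -d @-
```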