We have updated our Terms of Service, Code of Conduct, and Addendum.

How can I set policies for an API role?

I’ve cloned user, and am now trying to add more GET polices. However, looks like ‘GET’ /system/something, ‘POST’ etc can’t be added as NewPolicy - only GroupFull etc available.
Can this be done in the UI?
or only using POST /system/roles?
or do I need to post new Policy , POST /system/policies?

Best Answer

  • Chris
    Chris Posts: 13 mod
    edited July 2023 Answer ✓

    It doesnt appear you can use the UI to do this. The only thing available in the UI are the default policies.

    However, you can approach this 1 of 2 ways, which youve kind of laid out above, you can re-create the role via API with the specific API policies as you see with what is similar to the user role.

    i.e:

    curl -X POST "http://IP:9000/api/v1/system/roles" -H "accept: application/json" -H "Authorization: Bearer TOKEN" -H "Content-Type: application/json" -d "{\"id\":\"api_user\",\"policy\":[\"GET /master/groups\",\"GET /system/info\",\"GET /system/info/*\",\"GET /system/logs\",\"GET /system/logs/search\",\"GET /system/logs/notifications.log\",\"GET /system/logs/group/${groupName}/*\",\"GET /system/settings\",\"GET /system/settings/*\",\"GET /system/instance/distributed\",\"GET /system/instance/distributed/*\",\"GET /version\"]}"
    

    However, if you already have the role created, you can then use the API to create a new policy and just apply it to that role:

    i.e

    curl -X POST "http://IP:9000/api/v1/system/policies" -H "accept: application/json" -H "Authorization: Bearer TOKEN" -H "Content-Type: application/json" -d "{\"id\":\"api_policy\",\"template\":[\"GET /master/groups\",\"GET /system/info\",\"GET /system/info/*\",\"GET /system/logs\",\"GET /system/logs/search\",\"GET /system/logs/notifications.log\",\"GET /system/logs/group/${groupName}/*\",\"GET /system/settings\",\"GET /system/settings/*\",\"GET /system/instance/distributed\",\"GET /system/instance/distributed/*\",\"GET /version\"]}"
    

    Something like above will create a policy with the specific attributes that you need and then you can assign it to the existing role.

Answers

  • Chris
    Chris Posts: 13 mod
    edited July 2023 Answer ✓

    It doesnt appear you can use the UI to do this. The only thing available in the UI are the default policies.

    However, you can approach this 1 of 2 ways, which youve kind of laid out above, you can re-create the role via API with the specific API policies as you see with what is similar to the user role.

    i.e:

    curl -X POST "http://IP:9000/api/v1/system/roles" -H "accept: application/json" -H "Authorization: Bearer TOKEN" -H "Content-Type: application/json" -d "{\"id\":\"api_user\",\"policy\":[\"GET /master/groups\",\"GET /system/info\",\"GET /system/info/*\",\"GET /system/logs\",\"GET /system/logs/search\",\"GET /system/logs/notifications.log\",\"GET /system/logs/group/${groupName}/*\",\"GET /system/settings\",\"GET /system/settings/*\",\"GET /system/instance/distributed\",\"GET /system/instance/distributed/*\",\"GET /version\"]}"
    

    However, if you already have the role created, you can then use the API to create a new policy and just apply it to that role:

    i.e

    curl -X POST "http://IP:9000/api/v1/system/policies" -H "accept: application/json" -H "Authorization: Bearer TOKEN" -H "Content-Type: application/json" -d "{\"id\":\"api_policy\",\"template\":[\"GET /master/groups\",\"GET /system/info\",\"GET /system/info/*\",\"GET /system/logs\",\"GET /system/logs/search\",\"GET /system/logs/notifications.log\",\"GET /system/logs/group/${groupName}/*\",\"GET /system/settings\",\"GET /system/settings/*\",\"GET /system/instance/distributed\",\"GET /system/instance/distributed/*\",\"GET /version\"]}"
    

    Something like above will create a policy with the specific attributes that you need and then you can assign it to the existing role.