The following tables discuss how user access control is managed using Fabric commands.
CREATE commands are used to create a user, role or token in the k2auth keyspace in Cassandra:
ASSIGN commands are used to assign a role either for a user or for a token:
GRANT commands are used to enable specific roles to access Fabric. These commands insert records into the Permissions table in the k2auth keyspace in Cassandra. Several GRANT commands can be run for the same LU. The permissions granted by the GRANT command will be appended.
The following GRANT commands are supported:
Below is a list of GRANT OPERATION command parameters:
| Parameter Name | Mandatory | Description |
|---|---|---|
| Operation | Yes | Fabric operations included in the permission. Examples: Run a help grant; command to view the full list of operations. |
| Resource | Yes | Fabric resources included in the permission: |
| Role | Yes | The permissions are granted to a given role. |
Enables users to give generic access to a given Web Service to access the Fabric database.
Notes:
Below is a list of GRANT WS_NAME command parameters:
| Parameter Name | Mandatory | Description |
|---|---|---|
| WS_Name | Yes | Fabric Web Service name. |
| Role | Yes | The permissions are granted to a given role. |
| Description | Example |
|---|---|
| Allow the role to invoke wsGetCustomerDetails | grant wsGetCustomerDetails to role1; |
Web Service authorization is performed using the API Key:
Example
create user 'test_read';
create role 'readonly';
grant READ on * to 'readonly';
assign 'readonly' to 'test_read';
assign role 'readonly' to user 'test_read';
create token 'test_read_token' user 'test_read';
When invoking the DELETE WS: /lu/{luName}/{iid} using the 'test_token' token, Fabric throws the following error: "Com.k2view.cdbms.exceptions.UnauthorizedException: test_read is not allowed to perform [DELETE_INSTANCE]"
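A simplified model of the token to user to role to permission resolution described above, added here as an illustration; it is not K2View's code or Fabric's implementation. The parser, the `WS` operation tag, the LU name `Customer` used when calling it, and the final `grant` line of the sample are assumptions made for the example.

```python
import re

# Statement forms are the ones shown on the page; parsing and data model are assumptions.
PATTERNS = {
    "grant_op": re.compile(r"grant\s+(\w+)\s+on\s+(\S+)\s+to\s+'?(\w+)'?$", re.I),
    "grant_ws": re.compile(r"grant\s+(\w+)\s+to\s+'?(\w+)'?$", re.I),
    "assign": re.compile(r"assign\s+role\s+'(\w+)'\s+to\s+user\s+'(\w+)'$", re.I),
    "token": re.compile(r"create\s+token\s+'(\w+)'\s+user\s+'(\w+)'$", re.I),
}

def load(script):
    """Build ({role: {(operation, resource)}}, {user: {roles}}, {token: user})."""
    perms, roles, tokens = {}, {}, {}
    for stmt in filter(None, (s.strip() for s in script.split(";"))):
        if m := PATTERNS["grant_op"].match(stmt):
            perms.setdefault(m[3], set()).add((m[1].upper(), m[2]))  # grants append
        elif m := PATTERNS["grant_ws"].match(stmt):
            perms.setdefault(m[2], set()).add(("WS", m[1]))  # "WS" tag is hypothetical
        elif m := PATTERNS["assign"].match(stmt):
            roles.setdefault(m[2], set()).add(m[1])
        elif m := PATTERNS["token"].match(stmt):
            tokens[m[1]] = m[2]
        elif not re.match(r"create\s+(user|role)\s+'\w+'$", stmt, re.I):
            raise ValueError(f"unrecognised statement: {stmt!r}")
    return perms, roles, tokens

def check(state, token, operation, resource):
    """Return (allowed, reason) for a call made with this token."""
    perms, roles, tokens = state
    user = tokens.get(token)
    if user is None:
        return False, f"unknown token {token}"
    # A user's effective permissions are the union over all assigned roles.
    granted = set().union(*(perms.get(r, set()) for r in roles.get(user, ())))
    if any(op == operation and res in ("*", resource) for op, res in granted):
        return True, "ok"
    return False, f"{user} is not allowed to perform [{operation}]"

# Constructed sample: the page's example plus one Web Service grant to the same role.
SAMPLE = """
create user 'test_read';
create role 'readonly';
grant READ on * to 'readonly';
assign role 'readonly' to user 'test_read';
create token 'test_read_token' user 'test_read';
grant wsGetCustomerDetails to 'readonly';
"""
STATE = load(SAMPLE)
```

Calling `check(STATE, "test_read_token", "DELETE_INSTANCE", "Customer")` is denied with the same reason text as the exception above, because no role held by `test_read` carries that operation.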