GraphGrid Security
2.0API Version 1.0
Introduction
GraphGrid Security provides authentication, authorization and user management capabilities for access to secured resources running in GraphGrid. Security implements an OAuth2 protocol that issues access tokens in requests sent by clients or users that want access to API resources. When clients or users make a request to GraphGrid API services they pass the access token in an Authorization Bearer-type header. GraphGrid services perform access token checks to establish a security context and ensure the incoming call has the required level of access permissions for the resources and operation being performed.
This Security API version is 1.0 and as such all endpoints are rooted at /1.0/. For example, http://localhost/1.0/security (requires auth)
would be the base context for this Security API under the GraphGrid API deployed at http://localhost.
This page focuses primarily on the GraphGrid Security service API. For information on endpoint authorization requirements for other services, see here.
Environment
Security requires the following integrations:
- ONgDB 1.0+
- OpenLDAP 2.4+
- PostgreSQL 9.6+
Get Status
Check the status of GraphGrid Security. Will return a 200 OK response if healthy.
Base URL: /1.0/security/status
Method: GET
Request
curl --location --request GET "${API_BASE}/1.0/security/status"
Response
200 OK
Authentication
Request an OAUTH access token to call the GraphGrid API
Base URL: /1.0/security/oauth/token
Method: POST
Content-Type: application/x-www-form-urlencoded
Setting up your OAUTH Token
OAuth requires client authentication in order to request an access
token. To authenticate, generate a Basic Authorization header using client credentials.
Client credentials consist of a client_id and a client_secret.
To generate a basic auth header, separate a client id and secret with a colon and then base64 encode them. Client credentials are configurable, however you may use the default values for a client id and secret:
'CLIENT_ID': 'a3847750f486bd931de26c6e683b1dc4'
'CLIENT_SECRET': '81a62cea53883f4a163a96355d47656e'
You can manually generate the authorization header in a terminal using the default client credentials:
echo -n 'a3847750f486bd931de26c6e683b1dc4:81a62cea53883f4a163a96355d47656e'| base64
After generating our encoded client credentials the full Basic Auth header will look like this:
Authorization: Basic YTM4NDc3NTBmNDg2YmQ5MzFkZTI2YzZlNjgzYjFkYzQ6ODFhNjJjZWE1Mzg4M2Y0YTE2M2E5NjM1NWQ0NzY1NmU=
Parameters
| Key | Value | Description |
|---|---|---|
| grant_type | Either password or client_credentials | The grant type should be either client_credentials if authing for a client, or password if for a user |
| username | Username | The user username. Required if password is selected as grant_type above. |
| password | Password | The user password. Required if password is selected as grant_type above. |
| scope | all | Which oauth scopes to request. Only all is available right now. |
Examples
curl --location --request POST "${API_BASE}/1.0/security/oauth/token" \
--header "Authorization: Basic ${BASIC_AUTH}
" \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=graphgrid' \
--data-urlencode 'password=graphgrid'
Responses
Successful Authentication:
{
"access_token": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"token_type": "bearer",
"refresh_token": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"expires_in": 35999,
"scope": "all org.create.post org.update.put ...",
"createdAt": "2020-12-08T16:40:22+00:00",
"grn": "grn:gg:user:EeTO5wqULpuk1Xr8T8JQ2VcT5075cTvAWdmpjEDXnl9W",
"username": "graphgrid",
"email": "webmaster@graphgrid.com",
"firstName": "Graph",
"lastName": "Master",
"name": "Graph Master",
"groups": [],
"userStatus": "FULL_ACCESS"
}
This response has the following OAuth 2.0-specification fields:
access_token: The access token
token_type: Type of the token, bearer in this case
refresh_token: The refresh token
expires_in: Time in seconds when it expires
scope: OAuth scopes granted for this particular access token
Errors
Authorization Error:
{
"timestamp": 1607445855422,
"status": 401,
"error": "Unauthorized",
"message": "Unauthorized",
"path": "/1.0/security/oauth/token"
}
Authentication Error:
{
"error": "invalid_grant",
"error_description": "Bad credentials"
}
Password and Client Credential Grants
Example Password Grant
curl --request POST \
--url "${API_BASE}/1.0/security/oauth/token" \
--header "Authorization: Basic ${BASIC_AUTH}
" \
--data 'grant_type=password&username={{username}}&password={{password}}'
Response
Successful Password Grant:
{
"access_token": "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"token_type": "bearer",
"refresh_token": "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"expires_in": 35999,
"scope": "all"
}
Example Client Credentials Grant
curl --request POST \
--url "${API_BASE}/1.0/security/oauth/token" \
--header "Authorization: Basic ${BASIC_AUTH}
" \
--data 'grant_type=client_credentials'
Response
Successful Client Credentials Grant
{
"access_token": "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"token_type": "bearer",
"expires_in": 35999,
"scope": "all",
"createdAt": "2020-12-15T18:04:22+00:00"
}
Check Token
Performs validation checks of the username, scope, status, expiration, authorities and clients associated with a particular token.
Base URL /1.0/security/oauth/check_token
Method: POST
Content-Type: application/x-www-form-urlencoded
Parameters
| Key | Value | Descriptions |
|---|---|---|
| token | Required | The access token to check |
Check Token Request
curl --request POST \
--url "${API_BASE}/1.0/security/oauth/check_token" \
--header "Authorization: Basic ${BASIC_AUTH}
" \
--data "token=${BEARER_TOKEN}"
Successful Check Token Response:
{
"createdAt": "2020-12-15T18:04:22+00:00",
"user_name": "{{username}}",
"scope": ["all"],
"active": true,
"exp": 1608093335,
"authorities": [
"ROLE_CLIENT_INTERNAL",
"ROLE_INTERNAL",
"ROLE_CLIENT_USER",
"ROLE_CLIENT_FREE"
],
"client_id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}
This response has the following OAuth 2.0-specification fields:
user_name: The username associated to this token
scope: OAuth scopes granted for this particular access token
active: Whether the token is active
exp: The expiration time of the token as a unix epoch time
authorities: The associated authority for this token
client_id: The clientId associated to this token
Refresh Token
Refreshes an existing access token.
- Base URL
/1.0/security/oauth/token - Method: POST
- Content-Type: application/x-www-form-urlencoded
Parameters
| Key | Value | Description |
|---|---|---|
| grant_type | refresh_token | The grant type can only be refresh_token |
| refresh_token | Required | The OAuth2 refresh_token from Authentication of the Response of this Request |
Examples
Refresh Token Request
curl --request POST \
--url "${API_BASE}/1.0/security/oauth/token" \
--header "Authorization: Basic ${BASIC_AUTH}
" \
--data 'grant_type=refresh_token&refresh_token={{refresh_token}}'
Responses
Successful Refresh Token Response:
{
"access_token": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"token_type": "bearer",
"refresh_token": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"expires_in": 35999,
"scope": "all"
}
This response has the following OAuth 2.0-specification fields:
access_token: The access token
token_type: Type of the token, bearer in this case
refresh_token: The refresh token
expires_in: Time in seconds when it expires
scope: OAuth scopes granted for this particular access token
Access Management
The GraphGrid security architecture primarily uses two types of access control. Role based access control is
used for most endpoints. All /1.0/security/accessmanagement endpoints require the SUPER_ADMIN role.
Roles are determined by LDAP group membership.
We also support graph-based access control, which is used for dynamic showme endpoints. Graph-based controls are only enforced through Geequel queries in showmeSecurityRules.
Groups, policies, and permissions all exist as nodes on the graph. We recommend putting users into groups and then attaching
policies (with associated permissions) to those groups. In a showme security rule, permissions can be enforced by ensuring a path
exists between a :User node and the :SecurityPermission node in question.
Security Groups
Create Security Group
Base URL: /1.0/security/accessmanagement/groups
Method: POST
Content-Type: application/json
Parameters
| Key | Description |
|---|---|
| name | Name for the security group |
| description | Description for the security group |
| users | A list of one or more User objects to be added to the indicated Security Group |
| policies | A list of one or more Policy objects to be added to the indicated Security Group |
Both users and policies lists can be empty. User and Policy objects are formatted as {"grn": "{{grn:...}}"}.
Example Request
curl --location --request POST "${API_BASE}/1.0/security/accessmanagement/groups" \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer ${BEARER_TOKEN}'" \
--data-raw '{
"name": "group name",
"description": "description",
"users": [
{
"grn": "grn:gg:user:EeTO5wqULpuk1Xr8T8JQ2VcT5075cTvAWdmpjEDXnl9W"
}
],
"policies": [
{
"grn": "grn:gg:securitypolicy:ZzNWbL2iarodGoMK5IcNoQBNujizOU2NxKHjbz2kMyxE"
}
]
}'
Example Response
{
"id": 495,
"labels": [],
"enver": 0,
"createdAt": "2021-03-04T22:01:16.538Z",
"updatedAt": "2021-03-04T22:01:16.554Z",
"createdBy": "graphgrid",
"lastModifiedBy": "graphgrid",
"grn": "grn:gg:securitygroup:lNwUlxaposn3KPgnvlRXiIL6zbsuVjhX9ZQTjvz2LVSX",
"name": "name8773386932299557",
"description": "description",
"users": [
{
"id": 21,
"labels": ["TemporaryReplicationLabel"],
"enver": 0,
"createdAt": "2021-03-04T18:16:33.853Z",
"updatedAt": "2021-03-04T22:01:16.554Z",
"createdBy": "anonymousUser",
"lastModifiedBy": "graphgrid",
"grn": "grn:gg:user:EeTO5wqULpuk1Xr8T8JQ2VcT5075cTvAWdmpjEDXnl9W",
"username": "graphgrid",
"password": null,
"email": "webmaster@graphgrid.com",
"active": null,
"validated": null,
"phoneNumber": "",
"name": "Graph Master",
"role": null,
"description": null,
"firstName": "Graph",
"lastName": "Master",
"displayEmail": "webmaster@graphgrid.com",
"displayUsername": "graphgrid",
"onboarded": null,
"grnType": "user",
"label": "User"
}
],
"policies": [
{
"id": 309,
"labels": ["TemporaryReplicationLabel"],
"enver": 0,
"createdAt": "2021-03-04T21:54:19.889Z",
"updatedAt": "2021-03-04T22:01:16.553Z",
"createdBy": "graphgrid",
"lastModifiedBy": "graphgrid",
"grn": "grn:gg:securitypolicy:ZzNWbL2iarodGoMK5IcNoQBNujizOU2NxKHjbz2kMyxE",
"name": "name2628625962655193",
"description": "description",
"grnType": "securitypolicy",
"label": "SecurityPolicy"
}
],
"grnType": "securitygroup",
"label": "SecurityGroup"
}
Update Security Group
Base URL: /1.0/security/accessmanagement/groups/{{groupGrn}}
Method: PUT
Content-Type: application/json
Parameters and request body format are the same as with Create Security Group
List Security Groups
Base URL: /1.0/security/accessmanagement/groups/
Method: GET
Example Response
[
{
"id": 495,
"labels": ["TemporaryReplicationLabel"],
"enver": 0,
"createdAt": "2021-03-04T22:01:16.538Z",
"updatedAt": "2021-03-04T22:01:16.554Z",
"createdBy": "graphgrid",
"lastModifiedBy": "graphgrid",
"grn": "grn:gg:securitygroup:lNwUlxaposn3KPgnvlRXiIL6zbsuVjhX9ZQTjvz2LVSX",
"name": "name8773386932299557",
"description": "description",
"users": [
{
"id": 21,
"labels": ["TemporaryReplicationLabel"],
"enver": 0,
"createdAt": "2021-03-04T18:16:33.853Z",
"updatedAt": "2021-03-04T22:01:16.554Z",
"createdBy": "anonymousUser",
"lastModifiedBy": "graphgrid",
"grn": "grn:gg:user:EeTO5wqULpuk1Xr8T8JQ2VcT5075cTvAWdmpjEDXnl9W",
"username": "graphgrid",
"password": null,
"email": "webmaster@graphgrid.com",
"active": null,
"validated": null,
"phoneNumber": "",
"name": "Graph Master",
"validationToken": null,
"role": null,
"description": null,
"firstName": "Graph",
"lastName": "Master",
"displayEmail": "webmaster@graphgrid.com",
"displayUsername": "graphgrid",
"onboarded": null,
"grnType": "user",
"label": "User"
}
],
"policies": [
{
"id": 309,
"labels": ["TemporaryReplicationLabel"],
"enver": 0,
"createdAt": "2021-03-04T21:54:19.889Z",
"updatedAt": "2021-03-04T22:01:16.553Z",
"createdBy": "graphgrid",
"lastModifiedBy": "graphgrid",
"grn": "grn:gg:securitypolicy:ZzNWbL2iarodGoMK5IcNoQBNujizOU2NxKHjbz2kMyxE",
"name": "name2628625962655193",
"description": "description",
"grnType": "securitypolicy",
"label": "SecurityPolicy"
}
],
"grnType": "securitygroup",
"label": "SecurityGroup"
}
]
Add User(s) to Security Group
Users can be added to a Security Group by grn or by group name.
Add User(s) by Security Group grn
Adds one or more Users (by user grn) to the SecurityGroup with the provided grn.
Base URL: /1.0/security/accessmanagement/groups/{grn}/addusersbygrn
Method: PUT
Content-Type: application/json
Parameters
| Key | Value | Description |
|---|---|---|
| grn | String | The grn of the SecurityGroup to which users are to be added |
| users | List \<User> | A list of one or more User objects to be added to the indicated Security Group |
Request
curl --location --request PUT "${API_BASE}/1.0/security/accessmanagement/groups/{{grn}}/addusersbygrn" \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer ${BEARER_TOKEN}" \
--data-raw '{
"users": [
{
"grn": "grn:gg:user:1234"
},
{
"grn": "grn:gg:user:5678"
}
]
}'
Responses
Successful Add User(s) to Security Response:
{
"id": 21860347,
"labels": [],
"enver": 0,
"createdAt": "2019-07-09T20:44:10+00:00",
"updatedAt": "2019-07-09T20:44:11+00:00",
"createdBy": "webmasteratgraphgriddotcom",
"lastModifiedBy": "webmasteratgraphgriddotcom",
"grn": "grn:gg:securitygroup:DJjKMu2Y1VTvt0jecr96yqANbd3NWTIRln9nnPTzultH",
"name": "name2442659568121723",
"description": "description",
"users": [
{
"id": 21583880,
"labels": [],
"enver": 0,
"createdAt": "2018-01-01T07:00:00+00:00",
"updatedAt": "2019-07-09T20:44:11+00:00",
"createdBy": "webmasteratgraphgriddotcom",
"lastModifiedBy": "webmasteratgraphgriddotcom",
"grn": "grn:gg:user:w9ei3nx7e2qyRj9PozZXUxleAGi7hby1uKuCWuup3dBP",
"username": "graphgrid,
"password": null,
"email": "webmaster+test105@graphgrid.com",
"active": null,
"validated": null,
"phoneNumber": "",
"name": "test684 test543",
"validationToken": null,
"role": null,
"description": null,
"firstName": "test684",
"lastName": "test543",
"displayEmail": "webmaster+test105@graphgrid.com",
"displayUsername": "graphgrid",
"onboarded": null,
"grnType": "user",
"label": "User"
}
],
"policies": [],
"grnType": "securitygroup",
"label": "SecurityGroup"
}
Add User(s) by Group Name
Adds one or more Users (by user grn) to the SecurityGroup with the provided name.
- Base URL
/1.0/security/accessmanagement/groups/{name}/addusersbyname - Method: PUT
- Content-Type: applicaton/json
Parameters
| Key | Value | Description |
|---|---|---|
| name | String | The name of the SecurityGroup to which users are to be added |
| users | List \<User> | A list of one or more User objects to be added to the indicated SecurityGroup |
Request
curl --location --request PUT "${API_BASE}/1.0/security/accessmanagement/groups/{{name}}/addusersbyname" \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer ${BEARER_TOKEN}" \
--data-raw '{
"users": [
{
"grn": "grn:gg:user:1234"
},
{
"grn": "grn:gg:user:5678"
}
]
}'
Responses
Successful Add User(s) to Security Group by Group Name Response:
{
"id": 21860347,
"labels": [],
"enver": 0,
"createdAt": "2019-07-09T20:44:10+00:00",
"updatedAt": "2019-07-09T20:44:11+00:00",
"createdBy": "webmasteratgraphgriddotcom",
"lastModifiedBy": "webmasteratgraphgriddotcom",
"grn": "grn:gg:securitygroup:DJjKMu2Y1VTvt0jecr96yqANbd3NWTIRln9nnPTzultH",
"name": "name2442659568121723",
"description": "description",
"users": [
{
"id": 21583880,
"labels": [],
"enver": 0,
"createdAt": "2018-01-01T07:00:00+00:00",
"updatedAt": "2019-07-09T20:44:11+00:00",
"createdBy": "webmasteratgraphgriddotcom",
"lastModifiedBy": "webmasteratgraphgriddotcom",
"grn": "grn:gg:user:w9ei3nx7e2qyRj9PozZXUxleAGi7hby1uKuCWuup3dBP",
"username": "graphgrid",
"password": null,
"email": "webmaster+test105@graphgrid.com",
"active": null,
"validated": null,
"phoneNumber": "",
"name": "test684 test543",
"validationToken": null,
"role": null,
"description": null,
"firstName": "test684",
"lastName": "test543",
"displayEmail": "webmaster+test105@graphgrid.com",
"displayUsername": "graphgrid",
"onboarded": null,
"grnType": "user",
"label": "User"
}
],
"policies": [],
"grnType": "securitygroup",
"label": "SecurityGroup"
}
Remove User(s) from Security Group
Users can be removed from a Security Group by grn or by group name.
Remove User(s) by grn
Removes one or more Users (by user grn) from the SecurityGroup with the provided grn.
- Base URL
/1.0/security/accessmanagement/groups/{grn}/removeusersbygrn - Method: PUT
- Content-Type: application/json
Parameters
| Key | Value | Description |
|---|---|---|
| grn | string | The grn of the SecurityGroup from which users are to be removed |
| users | List \<User> | A list of one or more User objects to be removed from the indicated SecurityGroup. |
Request
curl --location --request PUT "${API_BASE}/1.0/security/accessmanagement/groups/{{grn}}/addusersbygrn" \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer ${BEARER_TOKEN}" \
--data-raw '{
"users": [
{
"grn": "grn:gg:user:1234"
},
{
"grn": "grn:gg:user:5678"
}
]
}'
Responses
Successful Remove User(s) from Security Group by group grn Response:
{
"id": 21860347,
"labels": [],
"enver": 0,
"createdAt": "2019-07-09T20:44:10+00:00",
"updatedAt": "2019-07-09T20:44:11+00:00",
"createdBy": "webmasteratgraphgriddotcom",
"lastModifiedBy": "webmasteratgraphgriddotcom",
"grn": "grn:gg:securitygroup:DJjKMu2Y1VTvt0jecr96yqANbd3NWTIRln9nnPTzultH",
"name": "name2442659568121723",
"description": "description",
"users": [
{
"id": 21583880,
"labels": [],
"enver": 0,
"createdAt": "2018-01-01T07:00:00+00:00",
"updatedAt": "2019-07-09T20:44:11+00:00",
"createdBy": "webmasteratgraphgriddotcom",
"lastModifiedBy": "webmasteratgraphgriddotcom",
"grn": "grn:gg:user:w9ei3nx7e2qyRj9PozZXUxleAGi7hby1uKuCWuup3dBP",
"username": "graphgrid",
"password": null,
"email": "webmaster+test105@graphgrid.com",
"active": null,
"validated": null,
"phoneNumber": "",
"name": "test684 test543",
"validationToken": null,
"role": null,
"description": null,
"firstName": "test684",
"lastName": "test543",
"displayEmail": "webmaster+test105@graphgrid.com",
"displayUsername": "graphgrid",
"onboarded": null,
"grnType": "user",
"label": "User"
}
],
"policies": [],
"grnType": "securitygroup",
"label": "SecurityGroup"
}
Remove User(s) by group name
Removes one or more Users (by user grn) from the SecurityGroup with the provided name.
- Base URL
/1.0/security/accessmanagement/groups/{name}/removeusersbyname - Method: PUT
- Content-Type: application/json
Parameters
| Key | Value | Description |
|---|---|---|
| name | string | The name of the SecurityGroup from which users are to be removed |
| users | List \<String> | A list of one of more User grns to be removed from the indicated SecurityGroup |
Request
Remove User(s) from Security Group by group name:
curl --location --request PUT "${API_BASE}/1.0/security/accessmanagement/groups/{{group-name}}/removeusersbyname" \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer ${BEARER_TOKEN}" \
--data-raw '{
"users": [
{
"grn": "grn:gg:user:1234"
},
{
"grn": "grn:gg:user:5678"
}
]
}'
Responses
Successful Remove User(s) from Security Group by group name Response:
{
"id": 21860347,
"labels": [],
"enver": 0,
"createdAt": "2019-07-09T20:44:10+00:00",
"updatedAt": "2019-07-09T20:44:11+00:00",
"createdBy": "webmasteratgraphgriddotcom",
"lastModifiedBy": "webmasteratgraphgriddotcom",
"grn": "grn:gg:securitygroup:DJjKMu2Y1VTvt0jecr96yqANbd3NWTIRln9nnPTzultH",
"name": "name2442659568121723",
"description": "description",
"users": [
{
"id": 21583880,
"labels": [],
"enver": 0,
"createdAt": "2018-01-01T07:00:00+00:00",
"updatedAt": "2019-07-09T20:44:11+00:00",
"createdBy": "webmasteratgraphgriddotcom",
"lastModifiedBy": "webmasteratgraphgriddotcom",
"grn": "grn:gg:user:w9ei3nx7e2qyRj9PozZXUxleAGi7hby1uKuCWuup3dBP",
"username": "graphgrid",
"password": null,
"email": "webmaster+test105@graphgrid.com",
"active": null,
"validated": null,
"phoneNumber": "",
"name": "test684 test543",
"validationToken": null,
"role": null,
"description": null,
"firstName": "test684",
"lastName": "test543",
"displayEmail": "webmaster+test105@graphgrid.com",
"displayUsername": "graphgrid",
"onboarded": null,
"grnType": "user",
"label": "User"
}
],
"policies": [],
"grnType": "securitygroup",
"label": "SecurityGroup"
}
Policies
Create Policy
- Base URL
/1.0/security/accessmanagement/policies - Method: POST
- Content-Type: application/json
Parameters
| Key | Type | Description |
|---|---|---|
| name | string | The name of the security policy |
| description | string | A description for the security policy |
| users | List \<Users> | A list of User objects |
| groups | List \<Groups> | A list of Security Group objects |
| permissions | List \<Permissions> | A list of Security Permissions objects |
All lists above can be empty. User, Group, and Permissions objects are all formatted as {"grn": "{{grn:...}}"}.
Request
curl --location --request POST "${API_BASE}/1.0/security/accessmanagement/policies" \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer ${BEARER_TOKEN}" \
--data-raw '{
"name": "testPolicy",
"description": "some description",
"users": [],
"groups": [],
"permissions": []
}'
Response
{
"id": 496,
"labels": [],
"enver": 0,
"createdAt": "2021-03-05T16:06:42.207Z",
"updatedAt": "2021-03-05T16:06:42.316Z",
"createdBy": "graphgrid",
"lastModifiedBy": "graphgrid",
"grn": "grn:gg:securitypolicy:9p6XDste5W28K4wtz50pyPnKIsXyx0edcNa35NN1dyzL",
"name": "testPolicy",
"description": "some description",
"users": [],
"groups": [],
"permissions": [],
"grnType": "securitypolicy",
"label": "SecurityPolicy"
}
Update Policy
- Base URL
/1.0/security/accessmanagement/policies/{{policyGrn}} - Method: PUT
- Content-Type: application/json
Parameters and request body format are the same as with Create Policy
List Policies
- Base URL
/1.0/security/accessmanagement/policies - Method: GET
Example Response
[
{
"id": 496,
"labels": ["TemporaryReplicationLabel"],
"enver": 0,
"createdAt": "2021-03-05T16:06:42.207Z",
"updatedAt": "2021-03-05T16:06:42.316Z",
"createdBy": "graphgrid",
"lastModifiedBy": "graphgrid",
"grn": "grn:gg:securitypolicy:9p6XDste5W28K4wtz50pyPnKIsXyx0edcNa35NN1dyzL",
"name": "testPolicy",
"description": "some description",
"users": null,
"groups": null,
"permissions": null,
"grnType": "securitypolicy",
"label": "SecurityPolicy"
}
]
Get Policy
- Base URL
/1.0/security/accessmanagement/policies/{{policyGrn}} - Method: GET
Example Response
{
"id": 496,
"labels": ["TemporaryReplicationLabel"],
"enver": 0,
"createdAt": "2021-03-05T16:06:42.207Z",
"updatedAt": "2021-03-05T16:06:42.316Z",
"createdBy": "graphgrid",
"lastModifiedBy": "graphgrid",
"grn": "grn:gg:securitypolicy:9p6XDste5W28K4wtz50pyPnKIsXyx0edcNa35NN1dyzL",
"name": "testPolicy",
"description": "some description",
"users": null,
"groups": null,
"permissions": null,
"grnType": "securitypolicy",
"label": "SecurityPolicy"
}
Permissions
Create Permission
- Base URL
/1.0/security/accessmanagement/permissions - Method: POST
- Content-Type: application/json
Parameters
| Key | Type | Description |
|---|---|---|
| name | string | The name of the permission |
| description | string | A description for the permission |
| users | List \<Users> | A list of User objects |
| groups | List \<Groups> | A list of Security Group objects |
| policies | List \<Permissions> | A list of Security Policy objects |
All lists above can be empty. User, Group, and Policy objects are all formatted as {"grn": "{{grn:...}}"}.
Request
curl --location --request POST "${API_BASE}/1.0/security/accessmanagement/permissions"\
--header 'Content-Type: application/json' \
--header "Authorization: Bearer ${BEARER_TOKEN}" \
--data-raw '{
"name": "testPermission",
"description": "description",
"users": [],
"groups": [],
"policies": []
}'
Response
{
"id": 537,
"labels": [],
"enver": 0,
"createdAt": "2021-03-05T16:22:51.658Z",
"updatedAt": "2021-03-05T16:22:51.689Z",
"createdBy": "graphgrid",
"lastModifiedBy": "graphgrid",
"grn": "grn:gg:securitypermission:SlAXY15KK9AOYHBMx8rbc2inrtK3oL9ZxDHxHF5fxZYW",
"name": "testPermission",
"description": "description",
"users": [],
"groups": [],
"policies": [],
"grnType": "securitypermission",
"label": "SecurityPermission"
}
Update Permission
- Base URL
/1.0/security/accessmanagement/permissions/{{permissionGrn}} - Method: PUT
- Content-Type: application/json
Parameters and request body format are the same as with Create Permission
List Permissions
- Base URL
/1.0/security/accessmanagement/permissions - Method: GET
Example Response
[
{
"id": 537,
"labels": ["TemporaryReplicationLabel"],
"enver": 0,
"createdAt": "2021-03-05T16:22:51.658Z",
"updatedAt": "2021-03-05T16:22:51.689Z",
"createdBy": "graphgrid",
"lastModifiedBy": "graphgrid",
"grn": "grn:gg:securitypermission:SlAXY15KK9AOYHBMx8rbc2inrtK3oL9ZxDHxHF5fxZYW",
"name": "testPermission",
"description": "description",
"users": null,
"groups": null,
"policies": null,
"grnType": "securitypermission",
"label": "SecurityPermission"
}
]
Get Permission
- Base URL
/1.0/security/accessmanagement/permissions/{{policyGrn}} - Method: GET
Example Response
{
"id": 537,
"labels": [],
"enver": 0,
"createdAt": "2021-03-05T16:22:51.658Z",
"updatedAt": "2021-03-05T16:22:51.689Z",
"createdBy": "graphgrid",
"lastModifiedBy": "graphgrid",
"grn": "grn:gg:securitypermission:SlAXY15KK9AOYHBMx8rbc2inrtK3oL9ZxDHxHF5fxZYW",
"name": "testPermission",
"description": "description",
"users": null,
"groups": null,
"policies": null,
"grnType": "securitypermission",
"label": "SecurityPermission"
}
Roles
Roles are determined by LDAP group membership. User roles are:
- ROLE_USER
- ROLE_TEMP_USER
- ROLE_ADMIN
- ROLE_SUPER_ADMIN
- ROLE_INTERNAL
- ROLE_OWNER
Get Roles for User
Get roles for a user by username.
- Base URL
/1.0/security/accessmanagement/roles/{{username}} - Method: GET
Example Response
{
"username": null,
"email": null,
"active": null,
"validated": null,
"phoneNumber": null,
"name": null,
"role": null,
"description": null,
"firstName": null,
"lastName": null,
"displayEmail": null,
"displayUsername": null,
"onboarded": null,
"grn": null,
"createdBy": null,
"lastModifiedBy": null,
"createdAt": null,
"updatedAt": null,
"enver": null,
"id": null,
"labels": null,
"label": null,
"grnType": null,
"groups": null,
"roles": ["ROLE_SUPER_ADMIN", "ROLE_ADMIN", "ROLE_USER", "ROLE_INTERNAL"],
"clientRoles": null
}
Add Role to User
- Base URL
/1.0/security/accessmanagement/roles/add/{{username}} - Method: PUT
- Content-Type: application/json
Parameters
| Key | Type | Description |
|---|---|---|
| roles | List \<string> | List of roles to add |
Request
curl --location --request PUT "${API_BASE}/1.0/security/accessmanagement/roles/add/testuser" \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer ${BEARER_TOKEN}" \
--data-raw '{
"roles": ["ROLE_ADMIN"]
}'
Response
{
"username": null,
"email": null,
"active": null,
"validated": null,
"phoneNumber": null,
"name": null,
"role": null,
"description": null,
"firstName": null,
"lastName": null,
"displayEmail": null,
"displayUsername": null,
"onboarded": null,
"grn": null,
"createdBy": null,
"lastModifiedBy": null,
"createdAt": null,
"updatedAt": null,
"enver": null,
"id": null,
"labels": null,
"label": null,
"grnType": null,
"groups": null,
"roles": ["ROLE_ADMIN", "ROLE_USER"],
"clientRoles": null
}
Remove Role from User
- Base URL
/1.0/security/accessmanagement/roles/remove/{{username}} - Method: PUT
- Content-Type: application/json
Parameters
| Key | Type | Description |
|---|---|---|
| roles | List \<string> | List of roles to add |
Request
curl --location --request PUT "${API_BASE}/1.0/security/accessmanagement/roles/remove/testuser" \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer ${BEARER_TOKEN}" \
--data-raw '{
"roles": ["ROLE_ADMIN"]
}'
Response
{
"username": null,
"email": null,
"active": null,
"validated": null,
"phoneNumber": null,
"name": null,
"role": null,
"description": null,
"firstName": null,
"lastName": null,
"displayEmail": null,
"displayUsername": null,
"onboarded": null,
"grn": null,
"createdBy": null,
"lastModifiedBy": null,
"createdAt": null,
"updatedAt": null,
"enver": null,
"id": null,
"labels": null,
"label": null,
"grnType": null,
"groups": null,
"roles": ["ROLE_USER"],
"clientRoles": null
}
Users
Create User
Create a user account.
Base URL: /1.0/security/user/new?signIn=false&skipAllNotificationEmails=false
Method: POST
Request
curl --location --request POST "${API_BASE}/1.0/security/user/new?signIn=false&skipAllNotificationEmails=false" \
--header 'Content-Type: application/json' \
--header "${BEARER_TOKEN}" \
--data-raw '{
"firstName": "Graph",
"lastName": "Master",
"email": "GraphsRLife@graphgrid.com",
"username": "GraphMaster",
"password": "12345678",
"role": 2
}'
To meet security requirements, the password must be at least 16 characters and include one of each of the following: lower case letter, upper case letter, number, special character (!#$%&*+,-./:;<=>?@{|}~\"'()[]^`_)
Response
{
"metadata": {
"grn": "grn:gg:user:8Cp2IfowdQtldW1Gc9VKXWZAOb7XQEcjUOOzMdG6MprQ",
"name": "Graph Master",
"username": "GraphMaster",
"email": "GraphsRLife@graphgrid.com"
}
}
To add a user to an existing security group, simply pass in the group name. You may also optionally pass in a user's phone number. The request body's raw-data would look like this:
{
"firstName": "Graph",
"lastName": "Master",
"email": "GraphsRLife@graphgrid.com",
"username": "GraphMaster",
"password": "12345678",
"role": 2,
"phoneNumber": "1800",
"groups": ["{{groupName}}"]
}
Confirm Email
Confirm a user email through Sendy services.
Base URL: /1.0/security/users/confirmemail?email={{email}}&token={{userValidationToken}}
Method: GET
Request
curl --location --request GET "${API_BASE}/1.0/security/user/confirmemail?email=webmaster%40graphgrid.com&token=123456" \
--header "Authorization: Bearer ${BEARER_TOKEN}"
Response
200 OK
Confirm Phone Number
Cofirm a user phone number through Amazon SQS services.
Base URL: /1.0/security/user/confirmphonenumber?username={{username}}&phoneNumber=+1{{phoneNumber}}&token={{userValidationToken}}
Method: GET
Request
curl --location --request GET "${API_BASE}/1.0/security/user/confirmphonenumber?username=calloremailme&phoneNumber=+118001234567&token=123456" \
--header "Authorization: Bearer ${BEARER_TOKEN}"
Response
200 OK
Update User
Update a user's information. This request allows the following attributes to be updated: password, role, email, phone number, name, username, firstname, lastname, and groups.
Base URL: /1.0/security/user/{{userGrn}}
Method: PUT
Request
curl --location --request PUT "${API_BASE}/1.0/security/user/grn:gg:user:EeTO5wqULpuk1Xr8T8JQ2VcT5075cTvAWdmpjEDXnl9W" \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer ${BEARER_TOKEN}" \
--data-raw '{
"lastName": "Captain"
}'
Response
{
"metadata": {
"grn": "grn:gg:user:EeTO5wqULpuk1Xr8T8JQ2VcT5075cTvAWdmpjEDXnl9W",
"name": "Graph Captain",
"username": "graphgrid",
"email": "webmaster@graphgrid.com"
}
}
Update Password
Update a user's password. A user with the role of SUPER ADMIN can change a password without the user's old password.
Base URL: /1.0/security/user/{{grn}}/updatePassword
Method: POST
Request
curl --location --request POST "${API_BASE}/1.0/security/user/grn:gg:user:HjdEQDeFQNkkpr0b6Hfo2Iozlil6XT36sJnz6r4OG6LT/updatePassword" \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer ${BEARER_TOKEN}" \
--data-raw '{
"oldPassword": "12345678",
"newPassword": "1SecureP@ssword"
}'
Response
200 OK
Resend Verification Email
Resend a user verification email.
Base URL: /1.0/security/user/resentVerificationEmail?email={{email}}
Method: POST
Request
curl --location --request POST "${API_BASE}/1.0/security/user/resendVerificationEmail?webmaster@graphgrid.com" \
--header "Authorization: Bearer ${BEARER_TOKEN}"
Response
200 OK
Delete User
Delete a user.
Base URL: /1.0/security/user/{{grn}}
Method: DELETE
Request
curl --location --request DELETE "${API_BASE}/1.0/security/user/grn:gg:user:gnv7X4RIh3v1Ml1TfMdkA9xkc8atvkX5GrkDn0DSLDB4" \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer ${BEARER_TOKEN}"
Response
200 OK
Get Currently Logged In User
Retrieve the information of the currently logged in user.
BaseURL: /1.0/security/user
Method: GET
Request
curl --location --request GET "${API_BASE}/1.0/security/user" \
--header "Authorization: Bearer ${BEARER_TOKEN}"
Response
{
"username": "graphgrid",
"email": "webmaster@graphgrid.com",
"active": null,
"validated": null,
"phoneNumber": "12345",
"name": "Graph Captain",
"validationToken": null,
"role": null,
"description": null,
"firstName": "Graph",
"lastName": "Captain",
"displayEmail": "webmaster@graphgrid.com",
"displayUsername": "graphgrid",
"onboarded": null,
"grn": "grn:gg:user:EeTO5wqULpuk1Xr8T8JQ2VcT5075cTvAWdmpjEDXnl9W",
"createdBy": "anonymousUser",
"lastModifiedBy": "anonymousUser",
"createdAt": "2021-03-18T18:32:30.405Z",
"updatedAt": "2021-03-18T17:34:08.782Z",
"enver": 0,
"id": 41,
"labels": [],
"label": "User",
"grnType": "user",
"groups": [],
"roles": ["ROLE_ADMIN", "ROLE_INTERNAL", "ROLE_SUPER_ADMIN", "ROLE_USER"],
"clientRoles": []
}
Get Authorities
Returns list of security roles.
Base URL: /1.0/security/user/getAuthorities
Method: GET
Request
curl --location --request GET "${API_BASE}/1.0/security/user/getAuthorities" \
--header "Authorization: Bearer ${BEARER_TOKEN}"
Response
["ROLE_ADMIN", "ROLE_INTERNAL", "ROLE_SUPER_ADMIN", "ROLE_USER"]
Logout
Logout user.
BaseURL: /1.0/security/logout
Method: POST
Request
curl --location --request POST "${API_BASE}/1.0/security/logout" \
--header "Authorization: Bearer ${BEARER_TOKEN}" \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'token=9c6a174d-1620-4c76-a840-be21da4d2058'
Response
200 OK
Two-Factor Authentication
Super admins can enable, and disable 2fa for other users, otherwise these endpoints have to be called by the user themselves.
Enable Two-Factor Authentication
Setup Two-Factor authentication for a user.
Base URL: /1.0/security/user/{{grn}}/2fa/enable
Method: POST
Request
curl --location --request POST "${API_BASE}/1.0/security/user/grn:gg:user:EeTO5wqULpuk1Xr8T8JQ2VcT5075cTvAWdmpjEDXnl9W/2fa/enable" \
--header "Authorization: Bearer ${BEARER_TOKEN}"
Response
A 200 OK response returns a QR code to retrieve an authentication code.
Confirm Two-Factor Authentication
Confirms the authentication code. Returns a list of recovery codes.
Base URL: /1.0/security/user/{{grn}}/2fa/confirm?code={{authenticationCode}}
Method: POST
Request
curl --location --request POST "${API_BASE}/1.0/security/user/grn:gg:user:12WyCzP1GmLPtS2m0LHz80fVawI2cNRv9DTy6DbN8Mv2/2fa/confirm?code=654321" \
--header "Authorization: Bearer ${BEARER_TOKEN}"
Response
[
12345678,
91011121,
11314151,
61718192,
02122232,
42526272,
81930313,
03132333,
34353637,
38394041
]
Get Two-Factor Authentication Recovery Codes
Returns the recovery codes for two-factor authentication.
Base URL: /1.0/security/user/{{grn}}/2fa/recoverycodes
Method: GET
Request
curl --location --request GET "${API_BASE}/1.0/security/user/grn:gg:user:EeTO5wqULpuk1Xr8T8JQ2VcT5075cTvAWdmpjEDXnl9W/2fa/recoverycodes" \
--header "Authorization: Bearer ${BEARER_TOKEN}"
Response
[
12345678,
91011121,
11314151,
61718192,
02122232,
42526272,
81930313,
03132333,
34353637,
38394041
]
Disable Two-Factor Authentication
Disable two-factor authentication.
Base URL: /1.0/security/user/{{grn}}/2fa/disable/
Method: POST
Request
curl --location --request POST "${API_BASE}/1.0/security/user/grn:gg:user:EeTO5wqULpuk1Xr8T8JQ2VcT5075cTvAWdmpjEDXnl9W/2fa/disable" \
--header "Authorization: Bearer ${BEARER_TOKEN}"
Client Endpoints and Permissions
Create ApiClient
Create a client user.
Base URL: /1.0/security/apiclient
Method: POST
Request
curl --location --request POST "${API_BASE}/1.0/security/apiclient"\
--header 'Content-Type: application/json' \
--header "Authorization: Bearer ${BEARER_TOKEN}" \
--data-raw '{
"clientId": "testClient_a3916c8c-26ee-489c-8c80-d3b1110bd3f9",
"clientSecret": "test_Client_1357a327-86a7-4b2a-991a-23c55c7434f4",
"name": "Test Client",
"email": "@",
"defaultDailyCallLimit": 15,
"defaultMinuteCallLimit": 5,
"role": 4,
"scopes": "all",
"siteUrl": "https://test-securitytest-1616179236-3fcf2f5a-76b2-4ab4-a011-13acdcc3cb97.graphgrid.com"
}'
Response
{
"name": "Test Client",
"description": null,
"telephoneNumber": null,
"clientId": "testClient_a3916c8c-26ee-489c-8c80-d3b1110bd3f9",
"clientSecret": "test_Client_1357a327-86a7-4b2a-991a-23c55c7434f4",
"email": "@",
"callbackUrl": null,
"imageUrl": null,
"siteUrl": "https://test-securitytest-1616179236-3fcf2f5a-76b2-4ab4-a011-13acdcc3cb97.graphgrid.com",
"ownerGrn": null,
"defaultDailyCallLimit": 15,
"defaultMinuteCallLimit": 5,
"role": 4,
"scopes": "all",
"grantTypes": "authorization_code,client_credentials,refresh_token",
"autoApproveScopes": null,
"accessTokenValidity": null,
"refreshTokenValidity": null
}
Self Service
Creates a client user and generates clientId and clientSecret.
Base URL: /1.0/security/apiclient/selfservice
Methood: POST
Request
curl --location --request POST "${API_BASE}/1.0/security/apiclient/selfservice" \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer ${BEARER_TOKEN}" \
--data-raw '{
"name": "Test Client",
"siteUrl": "https://test-securitytest-1616179086-ec4d3f93-03f9-4ede-926a-ae24f74234eb.graphgrid.com"
}'
Response
{
"name": "Test Client",
"description": null,
"telephoneNumber": null,
"clientId": "94f774835bb01b1a10e464ac2826c8bd",
"clientSecret": "2beca289305c6a8b7b339fdf35095ac2",
"email": "94f774835bb01b1a10e464ac2826c8bd@graphgrid.com",
"callbackUrl": null,
"imageUrl": null,
"siteUrl": "https://test-securitytest-1616179080-7e30ec0f-37ee-4675-9ca1-18efe40d2c68.graphgrid.com",
"ownerGrn": null,
"defaultDailyCallLimit": 15,
"defaultMinuteCallLimit": 5,
"role": 4,
"scopes": "all,org.create.post,org.update.put,org.getByUser.get,org.getByGrnOrName.get,cluster.destroyDeployment.post,cluster.runDeployment.post,cluster.getByGrnOrNameOrOrgGrn.get",
"grantTypes": "authorization_code,client_credentials,refresh_token",
"autoApproveScopes": null,
"accessTokenValidity": null,
"refreshTokenValidity": null
}
Read ApiClient
Get a client user by clientId. Returns the client user.
BaseURL: /1.0/security/apiclient
Method: GET
Request
curl --location --request GET "${API_BASE}/1.0/security/apiclient/testClient_a3916c8c-26ee-489c-8c80-d3b1110bd3f9" \
--header "Authorization: Bearer ${BEARER_TOKEN}"
Update ApiClient
Update a client user.
Base URL: /1.0/security/apiclient/{{clientId}}
Method: PUT
Request
curl --location --request PUT "${API_BASE}/1.0/security/apiclient/testClient_a3916c8c-26ee-489c-8c80-d3b1110bd3f9" \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer ${BEARER_TOKEN}" \
--data-raw '{
"clientId": "testClient_a3916c8c-26ee-489c-8c80-d3b1110bd3f9",
"clientSecret": "test_Client_1357a327-86a7-4b2a-991a-23c55c7434f4",
"name": "Captain Test Client",
"email": "@",
"defaultDailyCallLimit": 20,
"defaultMinuteCallLimit": 5,
"role": 4,
"scopes": "all",
"siteUrl": "https://test-securitytest-1616179856-78c7de62-ef75-4785-812f-98b049a9b66b.graphgrid.com"
}'
Response
{
"name": "Captain Test Client",
"description": null,
"telephoneNumber": null,
"clientId": "testClient_a3916c8c-26ee-489c-8c80-d3b1110bd3f9",
"clientSecret": "test_Client_1357a327-86a7-4b2a-991a-23c55c7434f4",
"email": "@",
"callbackUrl": null,
"imageUrl": null,
"siteUrl": "https://test-securitytest-1616179853-753cefd9-392c-43f2-bdd9-933ccb54c8bf.graphgrid.com",
"ownerGrn": null,
"defaultDailyCallLimit": 20,
"defaultMinuteCallLimit": 5,
"role": 4,
"scopes": "all",
"grantTypes": "authorization_code,client_credentials,refresh_token",
"autoApproveScopes": null,
"accessTokenValidity": null,
"refreshTokenValidity": null
}
Delete ApiClient
Delete a client user.
Base URL: /1.0/security/apiclient/{{clientId}}
Method: DELETE
Request
curl --location --request DELETE "${API_BASE}/1.0/security/apiclient/testClient_a3916c8c-26ee-489c-8c80-d3b1110bd3f9" \
--header "Authorization: Bearer ${BEARER_TOKEN}"
Response
200 OK
Client Permissions
There are three client groups that a client user may exist: client_frees, client_internals, and client_users. For client permissions, there must be an ldap client that connects directly to an ldap instance to modify permissions.
Error Handling
Across GraphGrid services a best practice approach to logging errors is followed. A different and appropriate log level per log statement is assigned.
The log levels used are DEBUG, INFO, WARN, and ERROR.
Log information does not surface sensitive internal system and infrastructure details such as access keys, secrets and the like.
How to access and consume logs can be seen here. An example of an ERROR log that may appear is
for an internal issue such as an expected service not being available. If this error is recoverable GraphGrid will continue to try to connect
using an exponential back-off. This is an area where it may require an operational step to start a service that has been intentionally stopped.
These errors available in the logs can be helpful operationally.