From 88e1e4c1a8456c6f23ecefd43da56dfc49724981 Mon Sep 17 00:00:00 2001 From: Andrew Jandacek Date: Wed, 8 Jan 2025 10:34:18 +0100 Subject: [PATCH] doc structure refactoring Signed-off-by: Andrew Jandacek --- .../configuration-saf-resource-checking.md | 48 +++++++------------ 1 file changed, 17 insertions(+), 31 deletions(-) diff --git a/docs/user-guide/api-mediation/configuration-saf-resource-checking.md b/docs/user-guide/api-mediation/configuration-saf-resource-checking.md index 315922c49d..c574158808 100644 --- a/docs/user-guide/api-mediation/configuration-saf-resource-checking.md +++ b/docs/user-guide/api-mediation/configuration-saf-resource-checking.md @@ -25,6 +25,7 @@ dummy is the lowest priority provider. This is the dummy implementation and is d :::note Verification of the SAF resource uses the first available provider based on the specified priority. The default configuration resolves to the **native** provider. ::: +### Setting your SAF resource checking provider Select a specific provider by specifying the `components.gateway.apiml.security.authorization.provider` key in the `zowe.yaml` file. Use the parameter value to strictly define a provider. 
@@ -43,6 +44,19 @@ strictly define a provider. * **Dummy** `components.gateway.apiml.security.authorization.provider: dummy` +### Setting the native provider to perform SAF resource check (Default setting) + +The Native provider is the easiest approach to use the SAF resource checking feature on the mainframe. + +Enable this provider when classes `com.ibm.os390.security.PlatformAccessControl` and `com.ibm.os390.security.PlatformReturned` +are available on the classpath. This approach uses the method described in [Class PlatformAccessControl](https://www.ibm.com/support/knowledgecenter/SSYKE2_8.0.0/com.ibm.java.zsecurity.api.80.doc/com.ibm.os390.security/com/ibm/os390/security/PlatformAccessControl.html?view=kc#checkPermission-java.lang.String-java.lang.String-java.lang.String-int-) in the IBM documentation. + +:::note +Ensure that the version of Java on your system has the same version of classes and method signatures. +::: + +### Setting the endpoint provider to perform SAF resouce check + To use the endpoint provider, you also need to enable the endpoint property and customize the URL corresponding to the SAF resource authorization. By default, the ZSS API is configured and used. 1. Open the file `zowe.yaml`. @@ -53,6 +67,7 @@ To use the endpoint provider, you also need to enable the endpoint property and When using ZSS, the default value the property `components.gateway.apiml.security.authorization.endpoint.url` is `https://:/zss/api/v1/saf-auth` + - **haInstance_hostname** Zowe instance hostname from the configuration. - **gateway_port** 
@@ -60,40 +75,11 @@ To use the endpoint provider, you also need to enable the endpoint property and 3. Restart Zowe. -## REST endpoint call - -The REST provider calls the external API to retrieve information about access rights. To enable the feature outside of the mainframe, for example when running in Docker, you can use a REST endpoint call using the `GET` method: - -- Method: `GET` -- URL: `{base path}/{userId}/{class}/{entity}/{level}` -- Response: - ```json5 - { - "authorized": "{true|false}", - "error": "{true|false}", - "message": "{message}" - } - ``` -:::note -For more information about this REST endpoint call, see [ZSS implementation](https://github.com/zowe/zss/blob/master/c/authService.c). -::: - -### Native - -The Native provider is the easiest approach to use the SAF resource checking feature on the mainframe. - -Enable this provider when classes `com.ibm.os390.security.PlatformAccessControl` and `com.ibm.os390.security.PlatformReturned` -are available on the classpath. This approach uses the method described in [Class PlatformAccessControl](https://www.ibm.com/support/knowledgecenter/SSYKE2_8.0.0/com.ibm.java.zsecurity.api.80.doc/com.ibm.os390.security/com/ibm/os390/security/PlatformAccessControl.html?view=kc#checkPermission-java.lang.String-java.lang.String-java.lang.String-int-) in the IBM documentation. - -:::note -Ensure that the version of Java on your system has the same version of classes and method signatures. -::: - -### Dummy implementation +### Setting the dummy provider to perform SAF resource check Use the Dummy provider for testing purpose outside of the mainframe. -1. In the folder where the application is running, create the file `saf.yml`. Alternatively, you can create the file `mock-saf.yml` in the +In the folder where the application is running, create the file `saf.yml`. Alternatively, you can create the file `mock-saf.yml` in the test module (root folder). :::caution Important:
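Review bot: In the first hunk (`@@ -25,6 +25,7`), the added heading `### Setting your SAF resource checking provider` appears to sit directly between the closing `:::` of the note and the paragraph starting "Select a specific provider", with no blank line on either side. The headings added in the `@@ -43,6 +44,19` hunk each have blank `+` lines around them; add the same here so the admonition close, the heading and the paragraph are parsed as separate blocks.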
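Review bot: Typo in the added heading `### Setting the endpoint provider to perform SAF resouce check` in the `@@ -43,6 +44,19` hunk: "resouce" should be "resource". Heading text usually becomes the section anchor, so correct it before other pages link to it. The same hunk writes "native provider" in the heading and "Native provider" in the body; pick one capitalisation.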
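Review bot: The `@@ -53,6 +67,7` hunk only adds a blank line, but the context line directly above it reads "the default value the property". Since this paragraph is being touched anyway, change it to "the default value of the property" in the same commit.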
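Review bot: The `@@ -60,40 +75,11` hunk deletes the whole `## REST endpoint call` section (the `GET` method, the `{base path}/{userId}/{class}/{entity}/{level}` URL pattern, the response body and the link to the ZSS implementation), and no hunk in this patch adds it back, which is more than the "doc structure refactoring" named in the subject. Anyone pointing `components.gateway.apiml.security.authorization.endpoint.url` at a service other than ZSS needs that request and response contract, so move it under the new endpoint provider heading or say in the commit message where it now lives. In the same hunk the `1.` marker is removed from "In the folder where the application is running"; check that any later steps in that list are not left starting at 2.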