API Access
Manage access to your APIs.
Introduction
API owners need to control access to their APIs, deciding who can use them and how. This is where the APIAccess resource comes in handy. By creating an APIAccess object and linking it to specific user groups and targeted APIs, owners can precisely manage access control to their APIs.
APIAccess behaviour
Basic Usage
Let's start with a basic example. Suppose you want to grant the customer
user group access
to the flight-api
API. Here's how you can achieve that:
- APIAccess
- API
apiVersion: hub.traefik.io/v1alpha1
kind: APIAccess
metadata:
name: flight-customer
namespace: apps
spec:
groups:
- customer
apis:
- name: flight-api
apiVersion: hub.traefik.io/v1alpha1
kind: API
metadata:
name: flight-api
namespace: apps
spec:
openApiSpec:
path: /openapi.yaml
Both the APIAccess and the API must exist in the same namespace.
Everyone
To allow every authenticated user to access an API, set the everyone
option to true.
apiVersion: hub.traefik.io/v1alpha1
kind: APIAccess
metadata:
name: flight-everyone
spec:
everyone: true
apis:
- name: flight-api
When Users / Consumers belong to multiple groups, they will inherit access from each group they belong to. Please refer to the documentation about user management for more information.
API Selector
There are 2 ways to select APIs within your APIAccess:
- Reference the targeted API names in the
apis
fields as shown in the example above. - Alternatively, you can select multiple APIs using the advanced
apiSelector
mechanism.
Let's add some labels on your API objects and use standard Kubernetes labels selectors in APIAccesses:
- Flight API
- Ticket API
- Sales APIAccess
- Admin APIAccess
apiVersion: hub.traefik.io/v1alpha1
kind: API
metadata:
name: flight-api
namespace: apps
labels:
area: customers
module: erp
spec:
openApiSpec:
path: /openapi.yaml
apiVersion: hub.traefik.io/v1alpha1
kind: API
metadata:
name: ticket-api
namespace: apps
labels:
area: tickets
module: crm
spec:
openApiSpec:
path: /openapi.yaml
apiVersion: hub.traefik.io/v1alpha1
kind: APIAccess
metadata:
name: sales
namespace: apps
spec:
groups:
- customer
apiSelector:
matchLabels:
module: crm
apiVersion: hub.traefik.io/v1alpha1
kind: APIAccess
metadata:
name: admins
namespace: apps
spec:
groups:
- admin
apiSelector:
matchExpressions:
- key: area
operator: Exists
Multiple APIAccess objects can select the same APIs.
Advanced Selector Examples
- This won't select any APIs
- This will select all APIs
spec:
// no apiSelector
spec:
apiSelector: {}
Please refer to the detailed documentation about Label selectors.
Combining Selectors and API Names
The following example combines API selection by name
, matchLabels
and matchExpressions
.
The selected APIs will include "my-api-1", "my-api-2" and all APIs with the "product" area label set,
along with an audience of either "dev" or "admin".
apiVersion: hub.traefik.io/v1alpha1
kind: APIAccess
metadata:
name: admin-access
namespace: apps
spec:
groups:
- support
apis:
- name: my-api-1
- name: my-api-2
apiSelector:
matchLabels:
area: product
matchExpressions:
- operator: in
key: audience
value: ["dev", "admin"]
OperationFilter
By default, when granting access to an API for a group of users, all of its operations are accessible.
However, you can use the operationFilter
to limit exposure to a subset of operations.
This feature allows you to selectively grant access to a defined set of operations, as specified in the API, using operationSets.
The feature provides fine-grained control over API exposure, enabling precise management of which operations are accessible.
When you add an operationFilter
to an APIAccess, it applies to every API of this APIAccess.
To simultaneously expose all and selected operations of your APIs, you need to use two distinct APIAccess objects: one for exposing all operations; the other for exposing selected operations, that is, to apply operation sets/filters. You can leverage both the UI or the Hub Static Analyzer that explain in details how accesses will propagate.
If an operation-filtering APIAccess and a non-granular APIAccess overlap, the non-granular will take precedence and provide full access to that API.
Example
In the following example, the group intern
has permissions for two operationSets: get-employees
and get-payrolls
, which are defined in the API Object.
- APIAccess
- API
apiVersion: hub.traefik.io/v1alpha1
kind: APIAccess
metadata:
name: intern-api
namespace: apps
spec:
groups:
- intern
apis:
- name: my-api
operationFilter:
include:
- get-employees
- get-payrolls
apiVersion: hub.traefik.io/v1alpha1
kind: API
metadata:
name: my-api
namespace: apps
spec:
openApiSpec:
path: /openapi.yaml
operationSets:
- name: get-employees
matchers:
methods: ["GET"]
path: "/employees"
- name: get-payrolls
matchers:
methods: ["GET"]
path: "/payrolls"
Related Content
- Lean more about authentication & authorization
- Get familiar with users and groups management