All requests to extension services must be authenticated through the vCloud API. Extension services can participate in vCloud API REST authorization by controlling access to their objects and operations through new or existing rights and roles.

An extension service that does not enable the use of vCloud Director REST authorization implicitly grants permission for all users to perform all operations that the service uses. A service can use the native vCloud Director REST authorization model by taking the following steps:
1. Define resource classes that represent references to service-specific object types.
2. Define resource class actions that specify the actions that are implemented for those object types.
3. Define ACL rules specifying the rights required to perform an operation on objects of a specific type.
Participation in the Authorization Framework

To participate in the authorization framework, a service must include an AuthorizationEnabled element with a value of true in its registration request.

<vmext:AuthorizationEnabled>true</vmext:AuthorizationEnabled>

It must also define at least one resource class, specify at least one action for that class, and define an ACL rule that constrains use of the action on the class.
Resource Classes and Actions

A service uses the following constructs to define the objects, operations, and permissions that constitute its authorization model.
Resource Classes
    Set of rules for creating references to service-specific objects. Like other object references in the vCloud API, a resource class is expressed as a Link element that specifies the MIME type of the resource and includes an href (URL) that can be used to retrieve the resource. The rules include a MIME type, a URL pattern, and a template for creating an id attribute value in URN form.

Resource Class Actions
    Combination of a URL pattern that specifies a resource class and an HTTP method that implements an action on a resource of that class. The action uses the specified method in a request to a URL that matches the specified pattern.

ACL Rules
    Specifies the rights that an organization or user has to an operation defined as a resource class action.

Service Resource
    A member of a resource class distinguished by a specific id. If an extension service needs to define a resource class action or an ACL rule that applies to a specific resource, the service must create it as a ServiceResource and give it a UUID or other unique identifier.
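As an added illustration (not vCloud Director code and not an API the product exposes), the following Python models the three-step procedure and the constructs defined above: a request is mapped to a resource class by URL pattern, to a resource class action by HTTP method, and then checked against the ACL rules, including one scoped to a single ServiceResource id. The "backup" service, its MIME type, URL pattern, right names, and the rule that every matching ACL rule must be satisfied are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ResourceClass:
    mime_type: str    # MIME type of the service-specific resource
    url_pattern: str  # regex over the request path; named groups feed id_template
    id_template: str  # template for the id attribute value, in URN form

@dataclass(frozen=True)
class ResourceClassAction:
    resource_class: ResourceClass
    http_method: str  # HTTP method that implements the action on the class

@dataclass(frozen=True)
class AclRule:
    action: ResourceClassAction
    required_right: str                # right the caller must hold
    resource_id: Optional[str] = None  # set when the rule targets one ServiceResource

class ExtensionService:
    def __init__(self, authorization_enabled, rules):
        self.authorization_enabled = authorization_enabled
        self.rules = rules

    def is_authorized(self, method, path, user_rights):
        if not self.authorization_enabled:
            return True  # service did not opt in: every user may perform every operation
        matched = []
        for rule in self.rules:
            rc = rule.action.resource_class
            m = re.fullmatch(rc.url_pattern, path)
            if m is None or method.upper() != rule.action.http_method:
                continue
            rid = rc.id_template.format(**m.groupdict())  # URN-form id from the URL
            if rule.resource_id is not None and rule.resource_id != rid:
                continue
            matched.append(rule)
        if not matched:
            return False  # request matches no defined resource class action
        # Assumption: every matching rule (class-wide and per-resource) must be satisfied
        return all(r.required_right in set(user_rights) for r in matched)

# Constructed sample: a hypothetical "backup" extension service
BACKUP = ResourceClass("application/vnd.example.backup+xml",
                       r"/api/backup/(?P<uuid>[0-9a-f-]{36})", "urn:vcloud:backup:{uuid}")
DELETE_BACKUP = ResourceClassAction(BACKUP, "DELETE")
PROTECTED_ID = "urn:vcloud:backup:11111111-1111-1111-1111-111111111111"
SERVICE = ExtensionService(True, [AclRule(DELETE_BACKUP, "Backup: Delete"),
    AclRule(DELETE_BACKUP, "Backup: Delete Protected", resource_id=PROTECTED_ID)])
```

A service constructed with authorization_enabled set to False returns True for every request, which is the implicit grant to all users that the text warns about.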
Querying for Organization and User Rights

The vCloud API query service implements several queries that return a list of rights that a specified user or organization is granted. A user can make a request that specifies one or more entity references and returns a summary of user rights to the specified entities.