How to use RBAC to control API access
In this article, we will look into Role-based Access Control (RBAC) and see how we can use it to fine-tune access to a REST API. This article builds on the previous series of articles, the latest of which is available here.
Role-based Access Control is a mechanism that assigns a "role" to a "user" and then controls which "authentication-items" each role is allowed to use.
In a REST API, different operations can be performed on a resource. These operations are identified by the HTTP request method, normally GET, POST, PUT or DELETE. A resource is identified by its database model. An authentication-item is therefore the combination of the two. Thus for a "series" resource there are four authentication-items: "get-series", "post-series", "put-series" and "delete-series".
The “user” in our case will be identified by the “apikey” query parameter.
It's good to review the Yii approach to RBAC in this article.
- Add a migration to create RBAC tables. Code available here
- Run migrations ( )
- Add API Authentication Manager component in . Code available here
- Add a function in to use the component to check API access. This function generates the authentication-item using the request-method and resource name. Code here
- Add callback handlers of RestfullYii in to check for access. Code here
We will use the following RBAC hierarchy and see how our API behaves with different combinations of these authentication-items.
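As an added illustration (this is not code from the article, nor from Yii or RestfullYii), the following Python models the scheme described above: the authentication-item name is derived from the request method and resource, the user is looked up by apikey, and access is granted only if one of the user's roles contains the item somewhere in the hierarchy. The roles, apikeys and hierarchy are constructed for the example.

```python
# Added illustration of the method+resource auth-item scheme; not Yii code.
# All resource names, roles, apikeys and the hierarchy below are constructed.

REQUEST_METHODS = {"GET", "POST", "PUT", "DELETE"}


def auth_item(method, resource):
    """Build the authentication-item name, e.g. ("GET", "series") -> "get-series"."""
    method = method.upper()
    if method not in REQUEST_METHODS:
        raise ValueError(f"unsupported request method: {method}")
    return f"{method.lower()}-{resource.lower()}"


# Constructed hierarchy: a role is an item whose children are other items.
# Leaf items such as "get-series" are the operations; roles group them.
HIERARCHY = {
    "reader": ["get-series"],
    "editor": ["reader", "post-series", "put-series"],
    "admin": ["editor", "delete-series"],
}

# Constructed user store keyed by apikey; each user carries the roles assigned.
USERS_BY_APIKEY = {
    "key-reader-123": {"name": "alice", "roles": ["reader"]},
    "key-admin-456": {"name": "bob", "roles": ["admin"]},
}


def item_grants(item, wanted, seen=None):
    """Walk the hierarchy: does `item` equal or transitively contain `wanted`?"""
    if item == wanted:
        return True
    if seen is None:
        seen = set()
    if item in seen:  # guard against cycles in a mis-built hierarchy
        return False
    seen.add(item)
    return any(item_grants(child, wanted, seen) for child in HIERARCHY.get(item, []))


def check_access(apikey, method, resource):
    """Deny by default: an unknown apikey or an unassigned item both yield False."""
    user = USERS_BY_APIKEY.get(apikey)
    if user is None:
        return False
    wanted = auth_item(method, resource)
    return any(item_grants(role, wanted) for role in user["roles"])
```

With this hierarchy a reader can only GET series, while an admin inherits everything the editor and reader can do plus DELETE; any unknown apikey or resource is refused.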