Signed-off-by: Joe Winchester <winchest@uk.ibm.com>
😺 Thank you for creating this PR! To publish your content to Zowe Docs, follow these required steps.
Need help? Contact the Doc Squad in the #zowe-doc Slack channel.
If you have addressed this issue already, refresh this page in your browser to remove this comment.
:::info Role: system administrator
:::

As a system administrator, you can enable the endpoint of the API Gateway that allows passticket generation for a delegated e-mail. This API allows the authenticated user to create a passticket for another user, so has the potential be be misused for priviledge escalation or impersonation. For that reason the API authentication must be done with a client certificate for a userID who has `READ` access to the class `ZOWE.APIML.DELEGATE.PASSTICKET` and the endpoint must be enabled by setting `zowe.components.gateway.apiml.security.delegatePassticket` parameter to `true`.
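Review bot: the second sentence of this paragraph has a doubled word ("potential be be misused") and is missing its subject; suggest "so it has the potential to be misused for privilege escalation or impersonation". The phrase "passticket generation for a delegated e-mail" is also unclear about what is delegated, given that the next sentence says the passticket is created for another user; "for a delegated user, identified by e-mail address" would match the request body shown later in the diff (`applId`, `emailId`).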
I think this property should also be listed here docs/appendix/zowe-yaml-configuration.md.
Good catch!
I've added a section to https://github.com/zowe/docs-site/pull/4925/changes#diff-4aa9da9e24586a19b2d4ccf057707a6f4b9f0f7cb559d83c4c8339e0ad437d39.
1. Define the resource class by running the command:

```racf
Could we include the equivalent commands for TSS and ACF2 as well?
apiml:
    gateway:
        security:
            delegatePassticket: false
shouldn't be true in this example?
Yes, my bad - thank you for picking that up.
Left a few comments, otherwise LGTM. Leaving it for @janan07 to review.
As a side note: there also used to be a file
:::info Role: system administrator
:::

As a system administrator, you can enable the endpoint of the API Gateway that allows passticket generation for a delegated e-mail. This API allows the authenticated user to create a passticket for another user, so has the potential be be misused for priviledge escalation or impersonation. For that reason the API authentication must be done with a client certificate for a userID who has `READ` access to the class `ZOWE.APIML.DELEGATE.PASSTICKET` and the endpoint must be enabled by setting `zowe.components.gateway.apiml.security.delegatePassticket` parameter to `true`.
priviledge -> privilege
Good catch - thank you. Fixed in the latest PR commit.
components:
    gateway:
        apiml:
            gateway:
                security:
                    delegatePassticket: false
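Review bot: the key path in this example, `components.gateway.apiml.gateway.security.delegatePassticket`, has an extra `gateway` level compared with the property named in the prose above, `zowe.components.gateway.apiml.security.delegatePassticket`; a reader who copies the example as-is would set a key the text never mentions. Suggest dropping the inner `gateway:` so the example reads `components:` / `gateway:` / `apiml:` / `security:` / `delegatePassticket:`. The value should also be `true` here, since the surrounding text describes enabling the endpoint.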
There is an indentation of 4 spaces, which is fine. But we are usually using 2 spaces in examples. I would suggest to use 2 spaces.
Yes, my bad for using 4, as I had done tab indents.
2 is the right indent for YAML, so I've fixed this in the latest commit.
```
{
  "applId": "APPLID",
  "emailId": "email@domain.com"
Good catch - fixed in the latest commit.
Thank you!
Signed-off-by: Joe Winchester <winchest@uk.ibm.com>
Signed-off-by: Joe Winchester <winchest@uk.ibm.com>
Corrected indentation in YAML example and improved formatting. Signed-off-by: Martin Zeithaml <66114686+Martin-Zeithaml@users.noreply.github.com>
components:
  gateway:
    apiml:
      security:
        delegatePassticket: true
Good catch @Martin-Zeithaml. Yes, that should be like you suggested.
Signed-off-by: Andrew Jandacek <andrew.jandacek@broadcom.com>
Signed-off-by: Andrew Jandacek <andrew.jandacek@broadcom.com>
<summary>Click here for command details to configure user access using Top Secret.</summary>

**For Top Secret:**
TSS commands are missing.
Signed-off-by: Andrew Jandacek <andrew.jandacek@broadcom.com>
Signed-off-by: Martin Zeithaml <66114686+Martin-Zeithaml@users.noreply.github.com>
Updated configuration steps for enabling delegated PassTicket. Signed-off-by: Martin Zeithaml <66114686+Martin-Zeithaml@users.noreply.github.com>
PR to support the APIML PR zowe/api-layer#4368