Authentication and Entitlements

Every REST API operation requires authentication, for the user to access the endpoints, and authorization for the specific action. AMP uses a plugin architecture to allow pluggable authentication and authorization mechanisms, called the “Entitlements” subsystem.

There is a range of solutions available out of the box, from simple usernames and passwords defined in AMP configuration, through to OIDC integration with all well-known providers for single sign-on (SSO). Each of these can define a role for the user, with a small set of common roles present out of the box.

A much wider range of sophisticated use cases, including integrating with custom SSO identity providers and defining context-specific authorization for tasks, is supported by providing custom org.apache.brooklyn.rest.security.provider.SecurityProvider and org.apache.brooklyn.api.mgmt.entitlement.EntitlementManager implementations. Instructions for creating the latter are available in Custom Extensions.