author | Christian Grothoff <christian@grothoff.org> | 2021-01-20 22:19:15 +0100 |
---|---|---|
committer | Christian Grothoff <christian@grothoff.org> | 2021-01-20 22:19:15 +0100 |
commit | 771e46d672149a9aed348fe9b5621a6b99fe18e4 (patch) | |
tree | 8ad1ca15affc3d54073099c61cd4833cb5bfbfcc /libeufin | |
parent | 2746d09ef06cc06581f5448727ed8bd8d47706ed (diff) | |
parent | a1869a5950c97042f7c2570c99a7d6a648758f80 (diff) | |
Merge branch 'master' of git+ssh://git.taler.net/docs
Diffstat (limited to 'libeufin')
-rw-r--r-- | libeufin/api-nexus.rst | 75 | ||||
-rw-r--r-- | libeufin/nexus-tutorial.rst | 44 |
2 files changed, 118 insertions, 1 deletions
diff --git a/libeufin/api-nexus.rst b/libeufin/api-nexus.rst index 96cdbefb..ef1a3c00 100644 --- a/libeufin/api-nexus.rst +++ b/libeufin/api-nexus.rst 
@@ -102,11 +102,84 @@ User Management Return list of users. +.. _nexus-permissions-api: + +Permissions API +--------------- + +The permissions API manages authorization of access of subjects (usually users) +to resources. + +Permissions are modeled a set of ``(subject, resource, permission)`` triples. +Subjects and resources consist of a type and an identifier. + +Superusers are not subject to further permission checks, they are allowed +to do any operation. + +The following subject types are currently supported: + +* ``user``: An authenticated user. The subject ID + is interpreted as the user ID. + +The following permissions are currently defined: + +* ``facade.talerWireGateway.history``: Allows querying the + transaction history through a Taler wire gateway facade. +* ``facade.talerWireGateway.transfer``: Allows creating payment initiations + to transfer money via a Taler wire gateway facade. + +The following resource IDs are currently supported: + +* ``facade``: A LibEuFin facade. The resource ID is interpreted as the + facade name. + +.. http:get:: {nexusbase}/permissions + + List all permissions. + + **Response** + + .. ts:def:: QueryPermissionsResponse + + interface QueryPermissionsResponse { + permissions: { + subjectType: string; + subjectId: string; + resourceType: string; + resourceId: string; + permissionName: string + }[]; + } + +.. http:post:: {nexusbase}/permissions + + Modify permissions. + + **Request** + + .. ts:def:: QueryPermissionsResponse + + interface QueryPermissionsResponse { + action: "grant" | "revoke"; + permission: { + subjectType: string; + subjectId: string; + resourceType: string; + resourceId: string; + permissionName: string + }; + } + + **Response** + + The response is an empty JSON object. + + Test API -------- -.. http:post:: {nexusBase}/bank-accounts/{acctid}/test-camt-ingestion/{type} +.. http:post:: {nexusbase}/bank-accounts/{acctid}/test-camt-ingestion/{type} This call allows tests to **directly** give Nexus a Camt document. 
After the processing, all the payment(s) details should be ingested as if the diff --git a/libeufin/nexus-tutorial.rst b/libeufin/nexus-tutorial.rst index 8c0d941f..6ef78829 100644 --- a/libeufin/nexus-tutorial.rst +++ b/libeufin/nexus-tutorial.rst @@ -446,3 +446,47 @@ existing bank account / connection pair. At this point, the additional *taler-wire-gateway* (FIXME: link here to API here) API becomes offered by the Nexus. The purpose is to let a Taler exchange to rely on Nexus to manage its bank account. + + +Managing Permissions and Users +============================== + +This guide has so far assumed that a superuser is accessing the LibEuFin Nexus. +However, it is advisable that the Nexus is accessed with users that only have a +minimal set of permissions. + +The Nexus currently only has support for giving non-superusers access to Taler +wire gateway facades. + +To create a new user, use the ``users`` subcommand of the CLI: + +.. code-block:: console + + $ libeufin-cli users list + # [ ... shows available users ... ] + + $ libeufin-cli users create $USERNAME + # [ ... will prompt for password ... ] + +Permissions are managed with the ``permissions`` subcommand. +The following commands grant permissions to view the transaction history +and create payment initiations with a Taler wire gateway facade: + + +.. code-block:: console + + $ libeufin-cli permissions grant \ + user $USERNAME \ + facade $FACADENAME \ + facade.talerWireGateway.history + + $ libeufin-cli permissions grant \ + user $USERNAME \ + facade $FACADENAME \ + facade.talerWireGateway.transfer + +The list of all granted permissions can be reviewed: + +.. code-block:: console + + $ libeufin-cli permissions list |
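Review bot: in the api-nexus.rst hunk, the request schema under `.. http:post:: {nexusbase}/permissions` reuses the `ts:def` name `QueryPermissionsResponse`, which the GET endpoint directly above already uses for its response; the duplicate label is misleading and will collide when cross-referenced. Rename it, e.g. `.. ts:def:: ChangePermissionsRequest` and `interface ChangePermissionsRequest {`. Smaller fixes in the same hunk: "Permissions are modeled a set of" is missing "as"; "The following resource IDs are currently supported" introduces a resource *type* (`facade`) whose ID is the facade name, so it should read "resource types"; and `permissionName: string` lacks a trailing semicolon in both interfaces. Finally, neither endpoint says who is authorized to list or modify permissions. Since the text states that superusers bypass all permission checks and no `permission` for managing permissions is defined, stating explicitly that these two endpoints require a superuser (if that is the intent) would document the trust boundary the API introduces.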
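Review bot: in the nexus-tutorial.rst hunk, the new "Managing Permissions and Users" section shows how to grant permissions but never how to take them away, although the API added in the same commit defines `action: "grant" | "revoke"`; adding a revoke example (a `libeufin-cli permissions revoke ...` invocation, if the CLI provides one, otherwise a pointer to the `revoke` action of `POST {nexusbase}/permissions`) would make the least-privilege advice actionable. The section also does not reference the `nexus-permissions-api` label defined in api-nexus.rst by this commit; a `:ref:` there would let readers find the full list of permission names. Minor wording: "it is advisable that the Nexus is accessed with users that only have a minimal set of permissions" reads better as "it is advisable to access the Nexus with users that have only a minimal set of permissions".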