The most recent patch for this version is 26.1.6.

Version: 26.1

Authorization Hub integration

Authorization Hub is Axiomatics' control plane system for authorization domains, policies, attributes, and attribute connectors. It stores policies and configurations that ADS retrieves for policy evaluation. Earlier versions of the control plane were known as Axiomatics Services Manager (ASM) or ADM; these names may still appear in older documentation or API paths but refer to the same system.

By connecting APD to Authorization Hub, you can push and pull attributes, attribute connectors, and policies between the two components.

tip

In the control plane, an authorization domain is identified by a project (namespace) and a domain name.

To connect to an Authorization Hub, add a hub block within the repositories section in your build.gradle file.

build.gradle
alfa {
    project 'Project 1'
    repositories {
        hub {
            environment 'Dev'
            host 'https://adm.dev.myorg'
            domainName 'domain1'
            envVariable 'LDAP_PIP_URL', 'http://ldap-dev.myorg.com'
            oidcCredentials {
                client_id 'apd'
                client_secret '<secret>'
            }
        }
    }
}

| Property | Description |
|---|---|
| environment | A label for this Authorization Hub connection. It is used only to name the Gradle tasks APD generates (for example, axiomatics-hub-dev) and has no effect on the actual Authorization Hub connection. Choose a name that reflects the target environment, such as dev, qa, or prod. |
| host | Protocol and hostname of Authorization Hub. |
| realm | The OIDC realm in Authorization Hub. Default is hub. |
| domainName | The domain name in Authorization Hub. |
| envVariable | Optional property. Sets an environment variable if you run this domain with ADS from within Axiomatics Policy DevOps. Multiple envVariable properties are possible. Specified as a comma-separated key, value pair. |
| client_id | The client ID to use for OIDC authentication to Authorization Hub. |
| client_secret | The client secret to use for OIDC authentication to Authorization Hub. |

Important

The Authorization Hub project is set globally in the alfa{} section and will be the same for all repository entries.
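
The hub block above with the OIDC client secret supplied at build time instead of being written into build.gradle, as an added example that is not part of the original documentation. The names APD_HUB_CLIENT_SECRET and apdHubClientSecret are hypothetical, and the example assumes that client_secret accepts any Groovy string expression and that the hub block can be left out when no credentials are available.

```groovy
// build.gradle (added example, not from the APD documentation)

// Resolve the OIDC client secret from outside version control:
// first from an environment variable (for CI), then from a Gradle property
// (for example, set in ~/.gradle/gradle.properties in the user's home directory,
// not in the project's own gradle.properties).
// APD_HUB_CLIENT_SECRET and apdHubClientSecret are hypothetical names.
def hubClientSecret = System.getenv('APD_HUB_CLIENT_SECRET') ?:
        providers.gradleProperty('apdHubClientSecret').orNull

if (!hubClientSecret) {
    // Assumption: the hub block is optional, so the build still works without it.
    logger.warn('No Authorization Hub client secret supplied; the hub repository is not registered.')
}

alfa {
    project 'Project 1'
    repositories {
        // Register the hub repository only when a secret was supplied.
        if (hubClientSecret) {
            hub {
                environment 'Dev'
                host 'https://adm.dev.myorg'   // HTTPS, so the OIDC exchange is encrypted in transit
                domainName 'domain1'
                envVariable 'LDAP_PIP_URL', 'http://ldap-dev.myorg.com'
                oidcCredentials {
                    client_id 'apd'
                    client_secret hubClientSecret   // value never appears in the repository
                }
            }
        }
    }
}
```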

Adding an Authorization Hub repository generates a new Gradle task group, axiomatics-hub-<environment>, with related tasks. The screenshot below shows the result after adding a hub repository with the environment name "dev" to build.gradle. The task group axiomatics-hub-dev is created, containing two tasks: runAdsWithDev... and testDev....

Certificates

Any certificates required for TLS communication with Authorization Hub or ADS should be added to the appropriate truststore (for example, the operating system's truststore or Java's truststore). Alternatively, you can specify a custom truststore (JKS or PKCS12 format) using standard Java system properties.

gradle.properties
# Restart the Gradle daemon (./gradlew --stop) after changing these lines, otherwise changes may not be loaded
systemProp.javax.net.ssl.trustStore=mycacerts.jks
systemProp.javax.net.ssl.trustStorePassword=changeit
systemProp.javax.net.ssl.trustStoreType=JKS

or

./gradlew -Djavax.net.ssl.trustStore=mycacerts.jks
...
Important

You should restart the Gradle daemon using ./gradlew --stop to apply any changes.

Tasks

  • runAdsWithDev-DevStaging

    Starts a local ADS instance with the Authorization Hub domain, using a random, unencrypted local HTTP port and basic authentication (username: pdp-user, password: secret).

    note

    You can add environment variables using envVariable 'KEY', 'VALUE' within the hub block.

    runAdsWithDev-DevStaging output
    *  Executing task: gradle: runAdsWithMDP-myDomain

    > Task :spawnAdsWithMDPmyDomain
    Repo is type Authorization Hub
    Location of domain is https://<host>/api/adm/namespaces/4d8885b6-6245-46ff-90ec-6f1f37105ed5/names/myDomain/domain

    > Task :waitToStartAdsMDP
    ADS successfully started!

    > Task :runAdsWithMDP-myDomain
    ADS is running on port 58387. To see ADS output run gradle with --info. Stop it with Ctrl-C!
    <========-----> 66% EXECUTING [2m 17s]
    > :runAdsWithMDP-myDomain
    tip

    To start ADS with DEBUG level logging enabled, use the --info switch.

  • testDev-DevStaging

    Runs the system tests on the Authorization Hub domain and stores the test report in the build/reports/tests/testDev directory.

    testDev output
    > Task :spawnAdsWithDev
    Location of domain.yaml is https://adm.dev.myorg/adm/api/namespaces/JanesNamespace/names/JanesDev/domain

    > Task :testDev
    ...test results
    note

    Ensure that the mainpolicy is set within the alfa section of your build.gradle file in order to identify system tests.

  • DictionaryPushTo{environment}

    Pushes the attribute dictionary (attributes.yaml) to Authorization Hub.

  • DictionaryPullFrom{environment}

    Pulls the attribute dictionary from Authorization Hub and merges it into attributes.yaml. Requires a clean git working tree.

  • AttributeConnectorsPushTo{environment}

    Pushes all attribute connectors from src/authorizationDomain/attributeConnectors/ to Authorization Hub.

  • AttributeConnectorsPullFrom{environment}

    Pulls all attribute connectors from Authorization Hub into src/authorizationDomain/attributeConnectors/.

  • PolicyPushTo{environment}

    Pushes all ALFA policies from src/authorizationDomain/alfaSpecifications/ to Authorization Hub as a policy package.

  • PolicyPullFrom{environment}

    Pulls all ALFA policies from Authorization Hub into src/authorizationDomain/alfaSpecifications/. Requires a clean git working tree.

  • AllPushTo{environment}

    Composite task. Pushes the entire authorization domain to Authorization Hub in the following order:

    1. Dictionary
    2. Attribute connectors
    3. Policies

  • AllPullFrom{environment}

    Composite task. Pulls the entire authorization domain from Authorization Hub in the following order:

    1. Dictionary
    2. Connectors
    3. Policies

    Then, it regenerates the ALFA and Java dictionaries.