All requests to extension services must be authenticated through the VMware Cloud Director API. Extension services can participate in VMware Cloud Director API REST authorization by controlling access to their objects and operations through new or existing rights and roles.

An extension service that does not enable the use of VMware Cloud Director REST authorization implicitly grants permission for all users to perform all operations that the service uses. A service can use the native VMware Cloud Director REST authorization model by taking the following steps:
  1. Define resource classes that represent references to service-specific object types.
  2. Define resource class actions that specify the actions that are implemented for those object types.
  3. Define ACL rules specifying the rights required to perform an operation on objects of a specific type.

Participation in the Authorization Framework

To participate in the authorization framework, a service must include an AuthorizationEnabled element with a value of true in its registration request.
<vmext:AuthorizationEnabled>true</vmext:AuthorizationEnabled>
It must also define at least one resource class, specify at least one action for that class, and define an ACL rule that constrains use of the action on the class.
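A pre-registration check for the minimum described above, as an added example that is not part of the original page or VMware's own code. Only `AuthorizationEnabled` is quoted on the page; the other element names (`ResourceClass`, `ResourceClassAction`, `AclRule`), the namespace URI, and the sample document are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample registration request. Only AuthorizationEnabled is quoted
# on the page; the other element names and the namespace URI are assumptions.
SAMPLE = """\
<vmext:Service xmlns:vmext="http://www.vmware.com/vcloud/extension/v1.5" name="backup">
  <vmext:AuthorizationEnabled>true</vmext:AuthorizationEnabled>
  <vmext:ResourceClasses>
    <vmext:ResourceClass name="Backup">
      <vmext:MimeType>application/vnd.example.backup+xml</vmext:MimeType>
      <vmext:ResourceClassActions>
        <vmext:ResourceClassAction name="Read backups">
          <vmext:HttpMethod>GET</vmext:HttpMethod>
          <vmext:UrlPattern>/api/backup/[-,a-g,0-9]*</vmext:UrlPattern>
        </vmext:ResourceClassAction>
      </vmext:ResourceClassActions>
    </vmext:ResourceClass>
  </vmext:ResourceClasses>
</vmext:Service>
"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def audit_registration(xml_text):
    """Return a list of findings; an empty list means the minimum is met."""
    root = ET.fromstring(xml_text)
    by_name = {}
    for el in root.iter():
        by_name.setdefault(local(el.tag), []).append(el)

    flag = by_name.get("AuthorizationEnabled", [])
    if not flag or (flag[0].text or "").strip().lower() != "true":
        # Per the page: without REST authorization, every user may perform
        # every operation of the service.
        return ["AuthorizationEnabled is not true: all users can perform all operations"]

    findings = []
    for name, label in (("ResourceClass", "resource class"),
                        ("ResourceClassAction", "resource class action"),
                        ("AclRule", "ACL rule")):
        if not by_name.get(name):
            findings.append(f"no {label} defined")
    return findings

if __name__ == "__main__":
    for finding in audit_registration(SAMPLE) or ["ok"]:
        print(finding)
```

The constructed sample deliberately omits an ACL rule, so the audit reports that gap.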

Resource Classes and Actions

A service uses the following constructs to define the objects, operations, and permissions that constitute its authorization model.

Resource Classes
A set of rules for creating references to service-specific objects. Like other object references in the VMware Cloud Director API, these references are Link elements that specify the MIME type of the resource and include an href (URL) that can be used to retrieve the resource. The rules include a MIME type, a URL pattern, and a template for creating an id attribute value in URN form.
Resource Class Actions
Combination of a URL pattern that specifies a resource class and an HTTP method that implements an action on a resource of that class. The action uses the specified method in a request to a URL that matches the specified pattern.
ACL Rules
Specify the rights that an organization or user has to an operation defined as a resource class action.
Service Resource
A member of a resource class distinguished by a specific id. If an extension service needs to define a resource class action or an ACL rule that applies to a specific resource, the service must create it as a ServiceResource and give it a UUID or other unique identifier.

Querying for Organization and User Rights

The VMware Cloud Director API query service implements several queries that return a list of rights that a specified user or organization is granted. A user can make a request that specifies one or more entity references and returns a summary of user rights to the specified entities.