Integrate my own policy engine into OpenZiti

Hi,

If I want to write my own policy engine (that is more flexible to allow automation) into the OpenZiti Github code, where can I start? Should I be looking at replacing the "controller" directory with my own?

Thanks,
Anita

Welcome, Anita!

Would it meet your needs to have an API implementation for managing policies and perhaps other entities? If so, what programming language? I may be able to locate additional resources.

Here is the management API reference: Edge Management API Reference | OpenZiti

FYI, in case of confusion: the "edge" SDKs implement the "client" API, not the management API.

Thank you for the reference, Ken.
Would this API allow me to add policies that allow/deny access to certain devices/users/applications?
Example, I want to add a policy like:
Source/Destination/AllowOrDeny
IP_Address_1:Port_1/Resource_1/Deny
IP_Address_2:Port_2/Resource_2/Allow
Identity_1/Resource_1/Deny

etc


Yes, that's exactly what it's for. A quick way to orient to the management API is to explore the sub-commands of the ziti edge CLI, which implements Ziti's management API's operations.

❯ ziti edge
Manage the Edge components of a Ziti network using the Ziti Edge REST API

Usage:
  ziti edge [command]

Available Commands:
  create         creates various entities managed by the Ziti Edge Controller
  db             Database management operations for the Ziti Edge Controller
  delete         deletes various entities managed by the Ziti Edge Controller
  enroll         enroll an identity
  list           Lists various entities managed by the Ziti Edge Controller
  login          logs into a Ziti Edge Controller instance
  logout         logs out of a Ziti Edge Controller instance
  policy-advisor runs sanity checks on various policy related entities managed by the Ziti Edge Controller
  quickstart     runs a Controller and Router in quickstart mode
  re-enroll      re-enrolls various entities managed by the Ziti Edge Controller
  show           displays various entities managed by the Ziti Edge Controller
  trace          manages tracing by the Ziti Edge Controller
  traceroute     runs a traceroute on the service
  update         updates various entities managed by the Ziti Edge Controller
  use            changes which saved login to use with a Ziti Edge Controller instance
  validate       validate model data
  verify         verifies various entities managed by the Ziti Edge Controller
  version        Returns the version information reported by the edge controller

Flags:
  -h, --help   help for edge

Use "ziti edge [command] --help" for more information about a command.

In my opinion, this is the best introduction to the expressiveness of Ziti policies: Policies | OpenZiti

TL;DR Three types of policies and entities form an authorization triangle that must be completed for traffic to flow. You can set permissive router policies if you don't need geofencing or traffic steering and control access exclusively with service policies.
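As an added example, not code from this thread or from the OpenZiti project, here is how a Python script could turn a rule table of the shape sketched above into the three policy kinds of that triangle and push them through the management API. The controller URL, the credentials, the role-attribute names and the rule rows are assumptions made up for illustration; the endpoint paths, the zt-session header and the field names follow the Edge Management API reference linked earlier in the thread and should be checked against the controller version in use. Two points the table shape does not capture: service policies are matched against identities (role attributes or names), not IP:port sources, so the subjects here are identity role attributes; and Ziti has no deny policy, so an identity reaches a service only when some service policy grants it. A Deny row therefore produces no policy, and an Allow/Deny contradiction for the same pair is rejected rather than resolved by precedence.

```python
"""Turn a small allow/deny rule table into OpenZiti policy payloads and push them.

Added example for this thread, not code from the thread or the OpenZiti project.
Assumed for illustration: controller URL, credentials, role-attribute names and
the rule rows. Endpoint paths, the zt-session header and field names follow the
Edge Management API reference; check them against your controller version.
"""
import json
import os
import urllib.request
from dataclasses import dataclass

CONTROLLER = "https://ctrl.example.com:1280"   # assumed controller address
MGMT = f"{CONTROLLER}/edge/management/v1"


@dataclass(frozen=True)
class Rule:
    identity_role: str   # role attribute on identities, matched as "#<role>"
    service_role: str    # role attribute on services, matched as "#<role>"
    action: str          # "Allow" or "Deny"


# Constructed sample table. Subjects are identity role attributes rather than
# IP:port, because service policies match identities, not addresses.
RULES = [
    Rule("support-eng", "crm-db", "Allow"),
    Rule("support-eng", "hr-files", "Deny"),
    Rule("contractor", "crm-db", "Deny"),
    Rule("contractor", "build-logs", "Allow"),
]


def service_policies(rules):
    """Return (api_path, body) pairs for the Dial service policies the table implies.

    Ziti has no deny policy: a Deny row produces nothing (default deny). A Deny
    row can therefore never override an Allow row for the same pair, so such
    contradictions are rejected instead of being silently resolved.
    """
    bad = [r.action for r in rules if r.action not in ("Allow", "Deny")]
    if bad:
        raise ValueError(f"unknown action(s): {bad}")
    allows = {(r.identity_role, r.service_role) for r in rules if r.action == "Allow"}
    denies = {(r.identity_role, r.service_role) for r in rules if r.action == "Deny"}
    if allows & denies:
        raise ValueError(f"contradictory rows for {sorted(allows & denies)}")
    return [
        ("/service-policies", {
            "name": f"{ident}-dial-{svc}",
            "type": "Dial",
            "semantic": "AnyOf",
            "identityRoles": [f"#{ident}"],
            "serviceRoles": [f"#{svc}"],
        })
        for ident, svc in sorted(allows)
    ]


def permissive_router_policies():
    """The other two sides of the triangle, opened up so that only service
    policies decide access (no geofencing or traffic steering)."""
    return [
        ("/edge-router-policies", {
            "name": "all-identities-all-routers", "semantic": "AnyOf",
            "identityRoles": ["#all"], "edgeRouterRoles": ["#all"],
        }),
        ("/service-edge-router-policies", {
            "name": "all-services-all-routers", "semantic": "AnyOf",
            "serviceRoles": ["#all"], "edgeRouterRoles": ["#all"],
        }),
    ]


def _post(path, body, token=None):
    req = urllib.request.Request(MGMT + path, data=json.dumps(body).encode(),
                                 method="POST")
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("zt-session", token)   # session header of the management API
    # The controller CA must be trusted by Python's default TLS context;
    # do not disable verification to get past that.
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def login(username, password):
    body = _post("/authenticate?method=password",
                 {"username": username, "password": password})
    return body["data"]["token"]


def apply_rules(rules, token):
    """Create the policies and return the ids the controller assigned."""
    return [_post(path, body, token)["data"]["id"]
            for path, body in permissive_router_policies() + service_policies(rules)]


if __name__ == "__main__":
    # Dry run by default; set ZITI_USER/ZITI_PASS (assumed names) to push.
    for path, body in permissive_router_policies() + service_policies(RULES):
        print(path, json.dumps(body))
    if os.environ.get("ZITI_USER"):
        print(apply_rules(RULES, login(os.environ["ZITI_USER"], os.environ["ZITI_PASS"])))
```

Run without credentials to see the payloads; the generated bodies are also what `ziti edge create service-policy`, `edge-router-policy` and `service-edge-router-policy` produce under the hood, so `ziti edge policy-advisor` is a good cross-check after pushing them.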

Another way to describe it: inside NetFoundry, we do not give our engineers access to customer resources unless a customer opens a support ticket, and the assigned engineer gets services defined only for the duration the ticket is open (Business Rule Driven Just-in-Time Network Access), all via the API @qrkourier describes.

Ken,
Is there test code that implements the Edge Management API, specifically the Policy Engine / Controller APIs?
I am going to be using Python for my scripts.
Thank you,
Anita

Yes, but due to API changes, the generated Python client for the management API will probably need to be regenerated.

blog: OpenAPI Python Clients
mgmt API client: GitHub - openziti-test-kitchen/openziti-edge-management-python: Python library for the Ziti Management API