- Edited
We are updating the ACL API. The goal is to make it up to date with the current REST API and remove "GET method inheritance" constraint for submodules. All the changes will be done in several steps.
Step 1 (13 Feb 2020)
ACL entry for gw/protocols becomes deprecated. Since this time access to protocols list is always open for ACL tokens. You may still use ACL entries for gw/protocols but you will receive an error message for every API call with such entry in addition to data reply. In 4 weeks (11 Mar 2020) gw/protocols entry will be removed from API.
We will:
- disable GET method inheritance for submodules and allow specifying GET method for submodules
- add new submodules for ACL entries to correspond with the current REST API
- drop gw/protocols support for ACL entries
Here is an example with gw/devices entry to show the scope of changes.
Old API:
- specified GET method was inherited by submodules
- supported submodules:
- "settings", with PUT and DELETE methods (no GET)
New API:
- specified GET method is NOT inherited by submodules
- supports the following submodules (the exact mapping of the current REST API):
- NEW "calculate", with POST method support
- NEW "logs", with GET method support
- NEW "messages", with GET method support
- "settings", with GET NEW, PUT and DELETE methods support
- NEW "snapshots", with GET method support
- NEW "telemetry", with GET method support
If your ACL contains entries with enabled GET method and enabled submodules, these entries are expanded to keep backward compatibility. Here is an example.
Old version:
{
"uri": "gw/devices",
"ids": "all",
"methods": ["GET"],
"submodules": [
{
"name": "settings",
"methods": []
}
]
}
Patched version:
{
"uri": "gw/devices",
"ids": "all",
"methods": ["GET"],
"submodules": [
{
"name": "logs",
"methods": ["GET"]
},
{
"name": "messages",
"methods": ["GET"]
},
{
"name": "settings",
"methods": ["GET"]
},
{
"name": "snapshots",
"methods": ["GET"]
},
{
"name": "telemetry",
"methods": ["GET"]
}
]
}
Explicitly mentioned or omitted GET method for the specified submodule also opens or closes access to the corresponding MQTT flespi topics:
- every "log" submodule regulates corresponding "flespi/log/..." topic
- gw/channels and gw/devices "messages" submodule regulates corresponding "flespi/message/..." topic
- gw/channels "commands-queue", "connections" submodules regulate corresponding "flespi/state/gw/channels/{channel-selector}/{submodule}/#" topics
- gw/devices "telemetry", "settings" submodules regulate corresponding "flespi/state/gw/devices/{device-selector}/{submodule}/#" topics
- gw/streams "channels", "devices" submodules regulate corresponding "flespi/state/gw/streams/{stream-selector}/{submodule}/#" topics
- gw/calcs "devices" submodule regulates corresponding "flespi/state/gw/calcs/{calc-selector}/devices/#" topic
We will also enable sending error messages for the following cases:
- ACL REST API usage in an old manner: i.e. won't specify GET method for a submodule when there is GET method specified for an entry
- sending GET queries to the resource with implicitly enabled GET access (i.e. GET method is inherited for the corresponding submodule in ACL)
This may trigger false positive errors, but we believe it's better to notify as many users as possible before the final API change.
Step 2 (11 Mar 2020)
We stop sending error messages in response to the REST API calls and disable the GET method inheritance for submodules. From this moment all GET requests are denied unless ACL explicitly allows them. All the specified gw/protocols entries will be removed from ACL as unnecessary.