Public and trusted methods

The `protection` property in pronghorn.json

To support public or trusted methods, you must set the protection key at the root layer inside a method in pronghorn.json. Itential Platform supports two values for this property, both of which override the default role-based authorization.

The first value is public, which allows anyone — regardless of whether they are an Itential Platform user — to access the route. This is the least secure option and should only be used for data that is acceptable for public exposure.

The second value is trusted, which allows anyone logged into Itential Platform to access the route, regardless of their groups or roles. This is useful for common methods used by all users that do not require specific authorization controls. For example, the GET /whoami route is required for all users, as it allows them to see information about themselves. While more secure than public, trusted should be used sparingly as it bypasses role-based authorization.

When overriding the protection key in the 2023.1 and 2023.2 release versions of Itential Platform, you must not have any roles defined on the method. Those roles will no longer be useful and would only add confusion about which authorization scheme is required. By default, role-based authorization is used if the protection property is not set.

Example configuration

The following shows the protection property set to authenticated:

1 {
2   "name": "exampleMethod",
3   "summary": "Example method",
4   "description": "Example method",
5   "roles": [],
6   "route": {
7     "path": "/method",
8     "verb": "GET"
9   },
10   "input": [],
11   "output": {
12     "name": "method",
13     "type": "object",
14     "schema": {
15       "title": "method",
16       "type": "object"
17     }
18   },
19   "protection": "authenticated"
20 }