Configuring Standard APIcast Policies

Objectives

After completing this section, you should be able to customize request processing using APIcast policies.

Establishing Policies' Role in the System

Red Hat 3scale API Management includes APIcast, which configures an underlying NGINX web server to act as a proxy for your APIs. Many objects in 3scale API Management, such as products and backends, are abstractions for this configuration.

Policies give you greater flexibility and control over how APIcast handles traffic by providing more granular abstractions for the NGINX proxy configuration.

Configured policies exist within a product as part of a policy chain, which is an ordered list of policies that every request to the product is filtered through.

Figure 3.4: Example of a policy chain processing a request.

In the preceding example diagram, blue boxes represent the policies, and dashed outlines show which policies are optional. Note that the default 3scale APIcast policy is required, as it represents 3scale API Management's routing configuration.

Each policy within a chain can alter or add information to the request before it is sent to the next policy.

Alternatively, a policy might conditionally alter how the request is handled. For example, an authorization policy might short-circuit a request and reject it before it reaches later policies or an API. In this way, policies can potentially improve the performance or resource usage of your system.

Exploring the Standard Policies

The standard policies provided by 3scale API Management address various needs, including the following:

  • Routing

  • Authentication and authorization

  • Request and data conversion

  • Utility

Policies that customize how APIcast routes incoming requests include the following:

  • Routing: a general-purpose policy that gives you fine-grained control over how requests are routed.

  • Header Modification: adds or removes specific headers from requests or responses.

  • IP Check: configures allowlists and blocklists by using a list of IP addresses or blocks of addresses.

The collection of standard policies also includes policies to handle authentication and authorization tasks, such as the following:

  • RH-SSO/Keycloak Role Check: integrates with RH-SSO to verify realm roles as a request allowlist or blocklist.

  • JWT Claim Check: validates JWTs from requests and either allows or blocks the request based on claims within the token.

  • OAuth 2.0 Token Introspection: communicates with an OIDC token issuer to authorize requests by using tokens.

  • Anonymous Access: removes the user_key parameter requirement from all requests to the product by supplementing the request with a pre-configured user token.

Policies that provide miscellaneous utility functions include the following:

  • Custom Metrics: adds hooks into the response to update custom metrics created in the Admin Portal.

  • Retry: provides basic retry logic to reattempt failed requests to an API.

  • Maintenance Mode: responds to all requests with a preconfigured status code and message, which is useful for temporarily disabling the product for maintenance.

Adding a Policy to a Product

Currently, you can manage the policies of a product in two ways.

Using the toolbox CLI, you can export and import policy chains by using the 3scale policies super-command. For example, the following commands export an example policy chain as YAML and then re-import it:

[student@workstation ~]$ 3scale policies export 3scale-tenant \
policy_sandbox >> policy_chain.yml
[student@workstation ~]$ cat policy_chain.yml
---
- name: routing
  version: builtin
  configuration: {}
  enabled: true
- name: apicast
  version: builtin
  configuration: {}
  enabled: true
- name: maintenance_mode
  version: builtin
  configuration: {}
  enabled: true
[student@workstation ~]$ 3scale policies import 3scale-tenant \
policy_sandbox -f policy_chain.yml

The name of the product is policy_sandbox and the -f option specifies the name of the file to import. See the references section for more information about exporting and importing product policy chains by using the toolbox CLI.
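Because the exported YAML is an ordered list, a chain can be checked and reordered before it is imported again. The following is an added example, not code from the course or from the 3scale toolbox; the set of "short-circuit" policies and the rule that they belong ahead of apicast are assumptions based on the description of policy ordering above, and the ip_check configuration is a constructed sample.

```python
# Added example (not from the DO240 course or the 3scale toolbox): sanity-check
# and reorder a product policy chain before handing it to `3scale policies import`.
# Entries mirror the exported YAML shape: name, version, configuration, enabled.

# Assumption: these built-in policies can reject a request outright. Placing them
# ahead of "apicast" means a rejected request is never authorized against
# 3scale or forwarded to the backend.
SHORT_CIRCUIT = {"ip_check", "maintenance_mode", "jwt_claim_check", "keycloak_role_check"}
REQUIRED_KEYS = ("name", "version", "configuration", "enabled")

def validate_chain(chain):
    """Return a list of problem strings; an empty list means the chain looks sane."""
    problems = []
    for i, policy in enumerate(chain):
        missing = [k for k in REQUIRED_KEYS if k not in policy]
        if missing:
            problems.append(f"entry {i}: missing {', '.join(missing)}")
    names = [p.get("name") for p in chain]
    if names.count("apicast") != 1:
        problems.append("chain must contain exactly one 'apicast' policy")
        return problems
    apicast_at = names.index("apicast")
    for i, policy in enumerate(chain):
        if policy.get("name") in SHORT_CIRCUIT and policy.get("enabled") and i > apicast_at:
            problems.append(f"'{policy['name']}' is placed after 'apicast'")
    return problems

def move_before(chain, name, target="apicast"):
    """Return a new chain with policy `name` moved directly before `target`."""
    moving = next(p for p in chain if p["name"] == name)
    rest = [p for p in chain if p is not moving]
    idx = next(i for i, p in enumerate(rest) if p["name"] == target)
    return rest[:idx] + [moving] + rest[idx:]

# Constructed sample chain, in the same shape as the exported YAML shown above.
SAMPLE_CHAIN = [
    {"name": "routing", "version": "builtin", "configuration": {}, "enabled": True},
    {"name": "apicast", "version": "builtin", "configuration": {}, "enabled": True},
    {"name": "ip_check", "version": "builtin",
     "configuration": {"check_type": "blacklist", "ips": ["203.0.113.0/24"]},  # constructed values
     "enabled": True},
]

if __name__ == "__main__":
    print(validate_chain(SAMPLE_CHAIN))
    print(validate_chain(move_before(SAMPLE_CHAIN, "ip_check")))
```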

In most cases, you use the Admin Portal to manage policies. To add a policy via the Admin Portal, use the Integration > Policies section within the product. This graphical editor enables you to update the product's policy chain.

Figure 3.5: The Policies section within a product in the Admin Portal.

Once added, individual policies can be updated, removed, and reordered within the policy chain.

In the accompanying guided exercise, you practice adding, updating, reordering, and removing policies from a product by using the Admin Portal.


References

Export/Import Product Policy Chain

For a complete list of available policies, as well as more extensive documentation for the standard policies, please visit the APIcast policies chapter of the 3scale API Management documentation at https://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.11/html/administering_the_api_gateway/apicast_policies

Revision: do240-2.11-40390f6