dapr
/
docs
mirror of https://github.com/dapr/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #3489 from ItalyPaleAle/api-denylist 

Added docs for API denylists
This commit is contained in:
Hannah Hunter 2023-06-07 15:14:25 -04:00 committed by GitHub
parent cb8a157ecf 26fb85a1c6
commit 3c39fb0b28
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 73 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

96
daprdocs/content/en/operations/configuration/api-allowlist.md
View File

@ -6,14 +6,18 @@ weight: 4500
description: "Choose which Dapr sidecar APIs are available to the app"
---
In certain scenarios such as zero trust networks or when exposing the Dapr sidecar to external traffic through a frontend, it's recommended to only enable the Dapr sidecar APIs that are being used by the app. Doing so reduces the attack surface and helps keep the Dapr APIs scoped to the actual needs of the application.
In certain scenarios, such as zero trust networks or when exposing the Dapr sidecar to external traffic through a frontend, it's recommended to only enable the Dapr sidecar APIs that are being used by the app. Doing so reduces the attack surface and helps keep the Dapr APIs scoped to the actual needs of the application.
Dapr allows developers to control which APIs are accessible to the application by setting an API allow list using a [Dapr Configuration]({{<ref "configuration-overview.md">}}).
Dapr allows developers to control which APIs are accessible to the application by setting an API allowlist or denylist using a [Dapr Configuration]({{<ref "configuration-overview.md">}}).
### Default behavior
If an API allow list section is not specified, the default behavior is to allow access to all Dapr APIs.
Once an allow list is set, only the specified APIs are accessible.
If no API allowlist or denylist is specified, the default behavior is to allow access to all Dapr APIs.
- If only a denylist is defined, all Dapr APIs are allowed except those defined in the denylist
- If only an allowlist is defined, only the Dapr APIs listed in the allowlist are allowed
- If both an allowlist and a denylist are defined, the allowed APIs are those defined in the allowlist, unless they are also included in the denylist. In other words, the denylist overrides the allowlist for APIs that are defined in both.
- If neither is defined, all APIs are allowed.
For example, the following configuration enables all APIs for both HTTP and gRPC:
@ -28,9 +32,11 @@ spec:
samplingRate: "1"
```
### Enabling specific HTTP APIs
### Using an allowlist
The following example enables the state `v1.0` HTTP API and block all the rest:
#### Enabling specific HTTP APIs
The following example enables the state `v1.0` HTTP API and blocks all other HTTP APIs:
```yaml
apiVersion: dapr.io/v1alpha1
@ -41,14 +47,14 @@ metadata:
spec:
api:
allowed:
- name: state
version: v1.0
protocol: http
- name: state
version: v1.0
protocol: http
```
### Enabling specific gRPC APIs
#### Enabling specific gRPC APIs
The following example enables the state `v1` gRPC API and block all the rest:
The following example enables the state `v1` gRPC API and blocks all other gRPC APIs:
```yaml
apiVersion: dapr.io/v1alpha1
@ -59,9 +65,47 @@ metadata:
spec:
api:
allowed:
- name: state
version: v1
protocol: grpc
- name: state
version: v1
protocol: grpc
```
### Using a denylist
#### Disabling specific HTTP APIs
The following example disables the state `v1.0` HTTP API, allowing all other HTTP APIs:
```yaml
apiVersion: dapr.io/v1alpha1
kind: Configuration
metadata:
name: myappconfig
namespace: default
spec:
api:
denied:
- name: state
version: v1.0
protocol: http
```
#### Disabling specific gRPC APIs
The following example disables the state `v1` gRPC API, allowing all other gRPC APIs:
```yaml
apiVersion: dapr.io/v1alpha1
kind: Configuration
metadata:
name: myappconfig
namespace: default
spec:
api:
denied:
- name: state
version: v1
protocol: grpc
```
### List of Dapr APIs
@ -70,12 +114,18 @@ The `name` field takes the name of the Dapr API you would like to enable.
See this list of values corresponding to the different Dapr APIs:
| Name | Dapr API |
| ------------- | ------------- |
| state | [State]({{< ref state_api.md>}})|
| invoke | [Service Invocation]({{< ref service_invocation_api.md >}}) |
| secrets | [Secrets]({{< ref secrets_api.md >}})|
| bindings | [Output Bindings]({{< ref bindings_api.md >}}) |
| publish | [Pub/Sub]({{< ref pubsub.md >}}) |
| actors | [Actors]({{< ref actors_api.md >}}) |
| metadata | [Metadata]({{< ref metadata_api.md >}}) |
| API group | HTTP API | [gRPC API](https://github.com/dapr/dapr/blob/master/pkg/grpc/endpoints.go) |
| ----- | ----- | ----- |
| [Service Invocation]({{< ref service_invocation_api.md >}}) | `invoke` (`v1.0`) | `invoke` (`v1`) |
| [State]({{< ref state_api.md>}})| `state` (`v1.0` and `v1.0-alpha1`) | `state` (`v1` and `v1alpha1`) |
| [Pub/Sub]({{< ref pubsub.md >}}) | `publish` (`v1.0` and `v1.0-alpha1`) | `publish` (`v1` and `v1alpha1`) |
| [(Output) Bindings]({{< ref bindings_api.md >}}) | `bindings` (`v1.0`) |`bindings` (`v1`) |
| [Secrets]({{< ref secrets_api.md >}})| `secrets` (`v1.0`) | `secrets` (`v1`) |
| [Actors]({{< ref actors_api.md >}}) | `actors` (`v1.0`) |`actors` (`v1`) |
| [Metadata]({{< ref metadata_api.md >}}) | `metadata` (`v1.0`) |`metadata` (`v1`) |
| [Configuration]({{< ref configuration_api.md >}}) | `configuration` (`v1.0` and `v1.0-alpha1`) | `configuration` (`v1` and `v1alpha1`) |
| [Distributed Lock]({{< ref distributed_lock_api.md >}}) | `lock` (`v1.0-alpha1`)<br/>`unlock` (`v1.0-alpha1`) | `lock` (`v1alpha1`)<br/>`unlock` (`v1alpha1`) |
| Cryptography | `crypto` (`v1.0-alpha1`) | `crypto` (`v1alpha1`) |
| [Workflow]({{< ref workflow_api.md >}}) | `workflows` (`v1.0-alpha1`) |`workflows` (`v1alpha1`) |
| [Health]({{< ref health_api.md >}}) | `healthz` (`v1.0`) | n/a |
| Shutdown | `shutdown` (`v1.0`) | `shutdown` (`v1`) |