MicrogatewayDenyRulesPatch
The IAM-MGW Helm charts provide the necessary Microgateway configuration to protect the IAM. IAMs deployed in SaaS have some customizations on top. In order to satisify special cases for each IAM tenant we expose the MicrogatewayDenyRulesPatch config.
In case there is an unwanted blocked call (i.e. false positive) SEC will have to work with the SaaS Team to get the relevant DenyRule and construct a suitable exception. These will then have to be added via the MicrogatewayDenyRulesPatch config in the saas.yaml.
Configuration Options
Using SaaS API reference
https://docs.airlock.com/saas-public-api/#tag/tenantconfig
Using saas.yaml
End of life: The saas.yaml is deprecated and will not be supported in a future Airlock SaaS version.
The following settings can be configured through the SaaS API reference using an Oauth 2.0 client.
Notice
A saas.yaml file can include at most one MicrogatewayDenyRulesPatch.
Basic Structure
apiVersion: iam.airlock.com/v1
kind: MicrogatewayDenyRulesPatch
spec:
loginapp:
request:
builtIn:
exceptions:
- ruleKeys:
- XSS
blockedData:
parameter:
name:
matcher:
exact: "custom_param"Modules
The DenyRules patch can be configured for two different application modules, corresponding to the IAM modules:
adminapp |
|---|
loginapp |
Each module is optional and can be omitted.
request.builtIn.exceptions |
Microgateway DenyRules exceptions as defined here: https://docs.airlock.com/microgateway/latest/index/api/crds/deny-rules/v1alpha1/index.html#denyrulesspecrequestbuiltinexceptions |
|---|
MicrogatewayHeaderRewritesPatch
The IAM-MGW Helm charts provide the necessary Microgateway configuration to protect the IAM. IAMs deployed in SaaS have some customizations on top. In order to satisify special cases for each IAM tenant we expose the MicrogatewayHeaderRewritesPatch config.
In case there is a call with unwanted behavior (i.e. a missing header due to restrictive allow set) SEC will have to work with the SaaS Team to get the relevant HeaderRewrites and construct a suitable custom header action These will then have to be added via the MicrogatewayHeaderRewritesPatch config in the saas.yaml.
Configuration Options
Using SaaS API reference
https://docs.airlock.com/saas-public-api/
Using saas.yaml
End of life: The saas.yaml is deprecated and will not be supported in a future Airlock SaaS version.
The following settings can be configured through the SaaS API reference using an Oauth 2.0 client.
Notice
A saas.yaml file can include at most one MicrogatewayHeaderRewritesPatch.
Basic Structure
apiVersion: iam.airlock.com/v1
kind: MicrogatewayHeaderRewritesPatch
spec:
loginapp:
request:
allow:
matchingHeaders:
custom:
- name: Allow X-Legacy-Password
headers:
- name:
matcher:
exact: X-Legacy-PasswordModules
The HeaderRewrites patch can be configured for two different application modules, corresponding to the IAM modules:
adminapp |
|---|
loginapp |
Each module is optional and can be omitted.
request.allow.matchingHeaders.custom |
Configure additional allowed request headers. See Microgateway documentation for more configuration details. |
|---|---|
request.add.custom |
Configure headers that are added to the request. See Microgateway documentation for more configuration details. |
response.add.custom |
Configure headers that are added to the response. See Microgateway documentation for more configuration details. |
response.allow.matchingHeaders.custom |
Configure additional allowed response headers. See Microgateway documentation for more configuration details. |