
Frontier

Frontier by Raystack is a role-based cloud-native user management system and authorization server for your applications and API endpoints. With Frontier, you can assign roles to users or groups of users to configure policies that determine whether a particular user has the ability to perform a certain action on a given resource. Guardian supports access management for the following resources in Frontier:

  1. Organization
  2. Group
  3. Project

Compatible version of Frontier:

Use version v0.7.24 or above of Frontier for Guardian to work properly.

Authentication

Guardian requires the authentication email of an administrator user who has access to all Organizations in Frontier.

Example credential config for Frontier provider:

---
credentials:
  host: http://localhost:12345
  auth_email: "guardian_test@test.com"
  auth_header: X-Frontier-Email

Example provider config for Frontier provider:

Config

sample.config.yaml
type: frontier
urn: frontier-provider-urn
credentials:
  host: http://localhost:7400
  auth_email: john.doe@raystack.org
  auth_header: X-Frontier-Email
allowed_account_types:
  - user
resources:
  - type: group
    policy:
      id: policy_id
      version: 1
    roles:
      - id: member
        name: Member
        permissions:
          - app_group_member
      - id: admin
        name: Admin
        permissions:
          - app_group_owner
  - type: project
    policy:
      id: policy_id
      version: 1
    roles:
      - id: admin
        name: Admin
        permissions:
          - app_project_owner
      - id: manager
        name: Manager
        permissions:
          - app_project_manager
      - id: member
        name: Member
        permissions:
          - app_project_member
  - type: organization
    policy:
      id: policy_id
      version: 1
    roles:
      - id: admin
        name: Admin
        permissions:
          - app_organization_owner
      - id: manager
        name: Manager
        permissions:
          - app_organization_manager
          - app_organization_accessmanager
      - id: member
        name: Member
        permissions:
          - app_organization_viewer

Frontier Credentials

Fields
  • host (string): Required. Frontier instance host. Example: http://localhost:12345
  • auth_email (email): Required. Email address of an account that has Organization Administration permission
  • auth_header (string): Required. Header name for authentication. Default: X-Frontier-Email

Frontier Resource Type

  • organization
  • group
  • project

Frontier Resource Permission

| Resource Type | Permission Name | Details |
|---|---|---|
| organization | app_organization_owner | Organization Owner |
| organization | app_organization_manager | Organization Manager |
| organization | app_organization_accessmanager | Organization Access Manager |
| organization | app_organization_viewer | Organization Viewer |
| project | app_project_owner | Project Owner |
| project | app_project_manager | Project Manager |
| project | app_project_member | Project Member |
| group | app_group_owner | Group Owner |
| group | app_group_member | Group Member |
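
A pre-deployment lint for a Frontier provider config, checking the required credential fields and that each role only grants permissions listed for its own resource type in the table above. This is an added example, not Guardian or Frontier code; the function name validate_provider_config and both sample dicts are assumptions made for illustration, and the config is taken as YAML already parsed into a dict.

```python
# Added example (not Guardian code): lint a parsed Frontier provider config
# against the resource types and permissions documented on this page.
ALLOWED_PERMISSIONS = {
    "organization": {"app_organization_owner", "app_organization_manager",
                     "app_organization_accessmanager", "app_organization_viewer"},
    "project": {"app_project_owner", "app_project_manager", "app_project_member"},
    "group": {"app_group_owner", "app_group_member"},
}
REQUIRED_CREDENTIALS = ("host", "auth_email", "auth_header")


def validate_provider_config(cfg):
    """Return a list of problems; an empty list means the config passed."""
    problems = []
    if cfg.get("type") != "frontier":
        problems.append(f"type must be 'frontier', got {cfg.get('type')!r}")
    creds = cfg.get("credentials") or {}
    for field in REQUIRED_CREDENTIALS:
        if not creds.get(field):
            problems.append(f"credentials.{field} is required")
    for res in cfg.get("resources") or []:
        rtype = res.get("type")
        if rtype not in ALLOWED_PERMISSIONS:
            problems.append(f"unknown resource type {rtype!r}")
            continue
        for role in res.get("roles") or []:
            rid = role.get("id")
            for perm in role.get("permissions") or []:
                # A role must only grant permissions of its own resource type.
                if perm not in ALLOWED_PERMISSIONS[rtype]:
                    problems.append(f"{rtype}/{rid}: {perm!r} is not a {rtype} permission")
    return problems


# Constructed sample inputs, standing in for YAML already parsed into dicts.
GOOD = {"type": "frontier",
        "credentials": {"host": "http://localhost:7400",
                        "auth_email": "john.doe@raystack.org",
                        "auth_header": "X-Frontier-Email"},
        "resources": [{"type": "group", "roles": [
            {"id": "member", "name": "Member", "permissions": ["app_group_member"]}]}]}
BAD = {"type": "frontier", "credentials": {"host": "http://localhost:7400"},
       "resources": [{"type": "group", "roles": [
           {"id": "admin", "name": "Admin", "permissions": ["app_organization_owner"]}]}]}

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, validate_provider_config(cfg) or "ok")
```

Running such a check in review catches a group role that would otherwise request an organization-level permission before the config reaches Guardian.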