Frontier
Frontier by Raystack is a role-based cloud-native user management system and authorization server for your applications and API endpoints. With Frontier, you can assign roles to users or groups of users to configure policies that determine whether a particular user has the ability to perform a certain action on a given resource. Guardian supports access management for the following resources in Frontier:
- Organization
- Group
- Project

Compatible version of Frontier:
Use version v0.7.24 or above of Frontier for Guardian to work properly.
Authentication
Guardian requires the authentication email of an administrator user who has access to all Organizations in Frontier.
Example Credential config for Frontier provider:
```yaml
---
credentials:
  host: http://localhost:12345
  auth_email: "guardian_test@test.com"
  auth_header: X-Frontier-Email
```
Example provider config for Frontier provider:
Config
sample.config.yaml
```yaml
type: frontier
urn: frontier-provider-urn
credentials:
  host: http://localhost:7400
  auth_email: john.doe@raystack.org
  auth_header: X-Frontier-Email
allowed_account_types:
  - user
resources:
  - type: group
    policy:
      id: policy_id
      version: 1
    roles:
      - id: member
        name: Member
        permissions:
          - app_group_member
      - id: admin
        name: Admin
        permissions:
          - app_group_owner
  - type: project
    policy:
      id: policy_id
      version: 1
    roles:
      - id: admin
        name: Admin
        permissions:
          - app_project_owner
      - id: manager
        name: Manager
        permissions:
          - app_project_manager
      - id: member
        name: Member
        permissions:
          - app_project_member
  - type: organization
    policy:
      id: policy_id
      version: 1
    roles:
      - id: admin
        name: Admin
        permissions:
          - app_organization_owner
      - id: manager
        name: Manager
        permissions:
          - app_organization_manager
          - app_organization_accessmanager
      - id: member
        name: Member
        permissions:
          - app_organization_viewer
```
Frontier Credentials
| Field | Type | Description |
|---|---|---|
| host | string | Required. Frontier instance host. Example: http://localhost:12345 |
| auth_email | email | Required. Email address of an account that has Organization Administration permission |
| auth_header | string | Required. Header name for authentication. Default: X-Frontier-Email |
Frontier Resource Type
- organization
- group
- project

Frontier Resource Permission
| Resource Type | Permission Name | Details | 
|---|---|---|
| organization | app_organization_owner | Organization Owner | 
| organization | app_organization_manager | Organization Manager | 
| organization | app_organization_accessmanager | Organization Access Manager | 
| organization | app_organization_viewer | Organization Viewer | 
| project | app_project_owner | Project Owner | 
| project | app_project_manager | Project Manager | 
| project | app_project_member | Project Member | 
| group | app_group_owner | Group Owner | 
| group | app_group_member | Group Member |
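
A pre-deployment check for a provider config, cross-checked against the credentials and permission tables above. This is an added example, not code from Guardian or Frontier. The function name `lint_provider_config`, the rule that plain `http` is accepted only for loopback hosts, and the host `frontier.example.internal` are assumptions of the example, and the config is taken as already parsed from YAML into a dict.

```python
from urllib.parse import urlparse
# Permission names per resource type, from the "Frontier Resource Permission" table.
VALID_PERMISSIONS = {
    "organization": {"app_organization_owner", "app_organization_manager",
                     "app_organization_accessmanager", "app_organization_viewer"},
    "project": {"app_project_owner", "app_project_manager", "app_project_member"},
    "group": {"app_group_owner", "app_group_member"},
}
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def lint_provider_config(cfg):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    creds = cfg.get("credentials") or {}
    for field in ("host", "auth_email", "auth_header"):  # marked Required on the page
        if not creds.get(field):
            findings.append(f"credentials.{field} is required")
    url = urlparse(creds.get("host") or "")
    # Assumption of this example: plain http is acceptable only on loopback hosts.
    if url.scheme == "http" and url.hostname not in LOOPBACK:
        findings.append(f"credentials.host uses http for non-loopback host {url.hostname}")
    for res in cfg.get("resources") or []:
        rtype = res.get("type")
        if rtype not in VALID_PERMISSIONS:
            findings.append(f"unknown resource type {rtype!r}")
            continue
        seen = set()
        for role in res.get("roles") or []:
            rid = role.get("id")
            if rid in seen:
                findings.append(f"{rtype}: duplicate role id {rid!r}")
            seen.add(rid)
            for perm in role.get("permissions") or []:
                if perm not in VALID_PERMISSIONS[rtype]:
                    findings.append(f"{rtype}/{rid}: {perm!r} is not a {rtype} permission")
    return findings

# Constructed sample: the dict a YAML parser would return for a faulty config.
SAMPLE = {
    "credentials": {"host": "http://frontier.example.internal:7400",
                    "auth_email": "john.doe@raystack.org"},
    "resources": [
        {"type": "group", "roles": [
            {"id": "member", "permissions": ["app_group_member"]},
            {"id": "member", "permissions": ["app_project_owner"]}]},
        {"type": "team", "roles": []}],
}
if __name__ == "__main__":
    print("\n".join(lint_provider_config(SAMPLE)))
```

The constructed sample yields five findings: the missing `auth_header`, the cleartext host, the duplicate `member` role, a project permission attached to a group role, and the unknown `team` resource type.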