IDENTITY-BASED MICROSEGMENTATION DOCUMENTATION

Reference

core

Comment

Represents a comment from a user.

Attributes

claims

Type: []string

The claims of the author.

content

Type: string

The content of the comment.

date

Type: time

The date of the comment.

Export

Allows you to obtain a JSON object containing policies and other objects from a given namespace. You can then import this JSON object into a different namespace.

Example

{
  "identities": [
    "externalnetworks",
    "networkaccesspolicies"
  ],
  "label": "my-import-name"
}

Relations

POST /export

Exports all policies and related objects of a namespace.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with an OR.

Attributes

APIVersion [autogenerated,read_only]

Type: integer

Version of the Microsegmentation Console API used for the exported data.

data [autogenerated]

Type: map[string][]map[string]interface{}

List of all exported data.

identities

Type: []string

The list of identities to export.

label

Type: string

Allows you to define a unique label for this export. When importing the content of the export, this label is added as a tag that is used to recognize the imported objects in a later import.

Hit

This API allows to retrieve a generic hit counter for a given object.

Example

{
  "name": "counter",
  "targetIdentity": "networkaccesspolicy"
}

Relations

GET /hits

Retrieve a matching hit.

Parameters:

  • name (string): The name of the counter.
  • targetID (string): The ID of the object associated to the counter.
  • targetIdentity (string): The identity of the object associated to the counter.

Mandatory Parameters

(name and targetID and targetIdentity) or (targetID and targetIdentity)

POST /hits

Manage hits.

Parameters:

  • reset (boolean): If set the hit will reset to 0.

Attributes

name [required]

Type: string

Name of the counter.

Default value:

"counter"

targetID

Type: string

The ID of the referenced object.

targetIdentity [required]

Type: string

The identity of the referenced object.

value [read_only]

Type: integer

The value of the hit.

Import

Imports an export of policies and related objects into the namespace.

Example

{
  "data": {
    "externalnetworks": [
      {
        "associatedTags": [
          "ext:net=tcp"
        ],
        "description": "Represents all TCP traffic on any port",
        "entries": [
          "0.0.0.0/0"
        ],
        "name": "all-tcp",
        "servicePorts": [
          "tcp/1:65535"
        ]
      },
      {
        "associatedTags": [
          "ext:net=udp"
        ],
        "description": "Represents all UDP traffic on any port",
        "entries": [
          "0.0.0.0/0"
        ],
        "name": "all-udp",
        "servicePorts": [
          "udp/1:65535"
        ]
      }
    ],
    "networkaccesspolicies": [
      {
        "action": "Allow",
        "description": "Allows all communication from pu to pu, tcp and udp",
        "logsEnabled": true,
        "name": "allow-all-communication",
        "object": [
          [
            "$identity=processingunit"
          ],
          [
            "ext:net=tcp"
          ],
          [
            "ext:net=udp"
          ]
        ],
        "subject": [
          [
            "$identity=processingunit"
          ]
        ]
      }
    ]
  },
  "mode": "Import"
}

Relations

POST /import

Imports data from a previous export.

Attributes

data [required]

Type: export

Data to import.

mode

Type: enum(ReplacePartial | Import | Remove)

How to import the data: ReplacePartial, Import (default), or Remove. ReplacePartial is deprecated; use Import instead. ReplacePartial is still accepted but is interpreted as Import.

Default value:

"Import"

ImportReference

Allows you to import and keep a reference.

Example

{
  "constraint": "Unrestricted",
  "data": {
    "externalnetworks": [
      {
        "associatedTags": [
          "ext:net=tcp"
        ],
        "description": "Represents all TCP traffic on any port",
        "entries": [
          "0.0.0.0/0"
        ],
        "name": "all-tcp",
        "servicePorts": [
          "tcp/1:65535"
        ]
      },
      {
        "associatedTags": [
          "ext:net=udp"
        ],
        "description": "Represents all UDP traffic on any port",
        "entries": [
          "0.0.0.0/0"
        ],
        "name": "all-udp",
        "servicePorts": [
          "udp/1:65535"
        ]
      }
    ],
    "networkaccesspolicies": [
      {
        "action": "Allow",
        "description": "Allows all communication from pu to pu, tcp and udp",
        "logsEnabled": true,
        "name": "allow-all-communication",
        "object": [
          [
            "$identity=processingunit"
          ],
          [
            "ext:net=tcp"
          ],
          [
            "ext:net=udp"
          ]
        ],
        "subject": [
          [
            "$identity=processingunit"
          ]
        ]
      }
    ]
  },
  "name": "the name",
  "protected": false
}

Relations

GET /importreferences

Retrieves the list of import references.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with an OR.

POST /importreferences

Imports data from a previous export and keep a reference.

DELETE /importreferences/:id

Deletes the object with the given ID.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with an OR.

GET /importreferences/:id

Retrieves the object with the given ID.

GET /recipes/:id/importreferences

Returns the list of import references that depend on a recipe.

POST /recipes/:id/importreferences

Create an import request for the given recipe.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

claims [autogenerated,read_only]

Type: []string

Contains the claims of the client that performed the import.

constraint

Type: enum(Unrestricted | Unique | NamespaceUnique)

Defines the import constraint. If Unrestricted, the import can be deployed multiple times. If Unique, only one import is allowed in the current namespace and its child namespaces. If NamespaceUnique, only one import is allowed in the current namespace.

Default value:

"Unrestricted"

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

data [required]

Type: export

Data to import.

description [max_length=1024]

Type: string

Description of the object.

label [autogenerated]

Type: string

Label used for the imported data.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

protected

Type: boolean

Defines if the object is protected.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

ImportRequest

Allows you to send an import request to create objects in a namespace where the requester does not normally have the permission to do so (other than creating import requests).

The requester must have the permission to create the request in their namespace and the target namespace.

When the request is created, the status is set to Draft. The requester can edit the content as much as desired. When ready to send the request, update the status to Submitted. The request will then be moved to the target namespace. At that point nobody can edit the content of the requests other than adding comments.

The requestee will now see the request, and will either

  • Set the status as Approved. This will create the objects in the target namespace.

  • Set the status as Rejected. The request cannot be edited anymore and can be deleted.

  • Set the status back as Draft. The request will go back to the requester namespace so that the requester can make changes. Once the changes are ready, the requester will set the status back to Submitted.

The data format is the same as Export.
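
The workflow above is a small state machine: the requester owns the request in Draft, submitting moves it to the target namespace where only the requestee can act, and Approved and Rejected are terminal. The following Go program is an added example (it is not Microsegmentation code) that encodes those transitions so that the role allowed to make each change is checked explicitly. The Requester and Requestee roles, the NewImportRequest constructor and the "/acme/partner" namespace are assumptions made for the example; "/acme/prod" is the target namespace from the example request below.

```go
package main

import (
	"errors"
	"fmt"
)

// Status mirrors the ImportRequest status enum.
type Status string

const (
	Draft     Status = "Draft"
	Submitted Status = "Submitted"
	Approved  Status = "Approved"
	Rejected  Status = "Rejected"
)

// Role is who acts on the request. "Requestee" is this example's name for
// whoever reviews requests in the target namespace (assumption).
type Role string

const (
	Requester Role = "requester"
	Requestee Role = "requestee"
)

// ImportRequest keeps only the fields the workflow touches.
type ImportRequest struct {
	Status             Status
	Namespace          string // namespace the request currently lives in
	RequesterNamespace string
	TargetNamespace    string
	Data               map[string][]map[string]interface{} // same shape as the data attribute
	CommentFeed        []string
	Applied            bool // true once the objects were created in the target namespace
}

var ErrNotAllowed = errors.New("not allowed")

// transitions encodes which role may move a request between statuses.
// Approved and Rejected have no outgoing transitions: they are terminal.
var transitions = map[Status]map[Status]Role{
	Draft:     {Submitted: Requester},
	Submitted: {Approved: Requestee, Rejected: Requestee, Draft: Requestee},
}

// NewImportRequest creates a request in Draft, living in the requester's namespace.
func NewImportRequest(requesterNS, targetNS string) *ImportRequest {
	return &ImportRequest{Status: Draft, Namespace: requesterNS,
		RequesterNamespace: requesterNS, TargetNamespace: targetNS}
}

// SetStatus applies a status change and the side effects the text describes.
func (r *ImportRequest) SetStatus(by Role, to Status) error {
	if allowed, ok := transitions[r.Status][to]; !ok || allowed != by {
		return fmt.Errorf("%w: %s -> %s by %s", ErrNotAllowed, r.Status, to, by)
	}
	switch to {
	case Submitted:
		r.Namespace = r.TargetNamespace // moves to the target namespace for review
	case Draft:
		r.Namespace = r.RequesterNamespace // sent back so the requester can edit
	case Approved:
		r.Applied = true // the objects get created in the target namespace
	}
	r.Status = to
	return nil
}

// EditData replaces the payload; only the requester may do so, and only in Draft.
func (r *ImportRequest) EditData(by Role, data map[string][]map[string]interface{}) error {
	if by != Requester || r.Status != Draft {
		return fmt.Errorf("%w: data is read-only outside Draft", ErrNotAllowed)
	}
	r.Data = data
	return nil
}

// AddComment is the one change permitted once the request has been submitted
// (assumption: comments are also accepted on Approved and Rejected requests).
func (r *ImportRequest) AddComment(c string) {
	r.CommentFeed = append(r.CommentFeed, c)
}

// CanDelete reports whether the request may be deleted. The text says so for
// Rejected; this example also allows deleting a Draft (assumption).
func (r *ImportRequest) CanDelete() bool {
	return r.Status == Rejected || r.Status == Draft
}

func main() {
	r := NewImportRequest("/acme/partner", "/acme/prod") // constructed namespaces
	err := r.EditData(Requester, map[string][]map[string]interface{}{
		"networkaccesspolicies": {{"name": "allow-acme", "action": "Allow"}},
	})
	fmt.Println("edit in draft:", err)
	err = r.SetStatus(Requester, Submitted)
	fmt.Println("submit:", err)
	fmt.Println("now in:", r.Namespace)
	fmt.Println("edit after submit:", r.EditData(Requester, nil))
	fmt.Println("requester approves:", r.SetStatus(Requester, Approved))
	fmt.Println("requestee approves:", r.SetStatus(Requestee, Approved))
	fmt.Println("applied:", r.Applied)
}
```

The transition table is the single place where authority is decided, so a review of "who can approve" is a review of one map rather than of scattered conditionals.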

Example

{
  "data": {
    "networkaccesspolicies": [
      {
        "action": "Allow",
        "description": "Allows Acme to access service A",
        "logsEnabled": true,
        "name": "allow-acme",
        "object": [
          [
            "$identity=processingunit",
            "$namespace=/acme/prod",
            "app=query"
          ]
        ],
        "subject": [
          [
            "$identity=processingunit",
            "app=partner-data"
          ]
        ]
      }
    ]
  },
  "protected": false,
  "requesterClaims": [
    "@auth:realm=vince",
    "@auth:account=acme"
  ],
  "status": "Draft",
  "targetNamespace": "/acme/prod"
}

Relations

GET /importrequests

Retrieves the list of import requests.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with an OR.

POST /importrequests

Creates a new import request.

DELETE /importrequests/:id

Delete an existing import request.

GET /importrequests/:id

Retrieve a single existing import request.

PUT /importrequests/:id

Update an existing import request.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

comment

Type: string

A new comment that will be added to commentFeed.

commentFeed [autogenerated,read_only]

Type: []comment

List of comments that have been added to that request.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

data [required]

Type: map[string][]map[string]interface{}

Data to import.

description [max_length=1024]

Type: string

Description of the object.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

protected

Type: boolean

Defines if the object is protected.

requesterClaims [autogenerated,read_only]

Type: []string

The identity claims of the requester; populated by the Microsegmentation Console.

requesterNamespace [autogenerated,read_only]

Type: string

The namespace from which the request originated; populated by the Microsegmentation Console.

status

Type: enum(Draft | Submitted | Approved | Rejected)

Draft: allows the content to be changed. Submitted: the request moves to the target namespace for approval. Approved: the data will be created immediately. Rejected: the request cannot be changed anymore and can be deleted.

Default value:

"Draft"

targetNamespace [required,creation_only]

Type: string

The namespace where the request will be sent. The requester can set any namespace but needs to have an authorization to post the request in that namespace.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

Poke

When available, poke can be used to update various pieces of information about the parent object. For instance, for enforcers, poke is used as the heartbeat.

Relations

GET /enforcers/:id/poke

Sends an empty poke object. This is used to ensure an enforcer is up and running.

Parameters:

  • cpuload (float): Deprecated.
  • enforcementStatus (enum(Failed | Inactive | Active)): If set, changes the enforcement status of the enforcer along with the poke.
  • forceFullPoke (boolean): If set, it will trigger a full poke (slower).
  • memory (integer): Deprecated.
  • processes (integer): Deprecated.
  • sessionClose (boolean): If set, terminates a session for an enforcer.
  • sessionID (string): If set, sends the current session ID of an enforcer.
  • status (enum(Registered | Connected | Disconnected)): If set, changes the status of the enforcer along with the poke.
  • ts (time): time of report. If not set, local server time will be used.
  • version (string): If set, version of the current running enforcer.
  • zhash (integer): Can be set to help Microsegmentation Console target the correct shard where the enforcer is stored.

GET /processingunits/:id/poke

Sends an empty poke object. This will send a snapshot of the processing unit to the time series database.

Parameters:

  • enforcementStatus (enum(Failed | Inactive | Active)): If set, changes the enforcement status of the processing unit along with the poke.
  • forceFullPoke (boolean): If set, it will trigger a full poke (slower).
  • notify (boolean): Can be sent to trigger a ProcessingUnitRefresh event that will be handled by the enforcer. If this is set, all other additional parameters will be ignored.
  • status (enum(Initialized | Paused | Running | Stopped)): If set, changes the status of the processing unit along with the poke.
  • ts (time): time of report. If not set, local server time will be used.
  • zhash (integer): Can be set to help backend target the correct shard where the processing unit is stored.

PolicyRenderer

Allows you to render policies of a given type for a given set of tags.

Example

{
  "processMode": "Subject",
  "tags": [
    "a=a",
    "b=b"
  ],
  "type": "APIAuthorization"
}

Relations

POST /policyrenderers

Render a policy of a given type for a given set of tags.

Attributes

policies [autogenerated,read_only]

Type: []policyrule

List of policies rendered for the given set of tags.

processMode

Type: enum(Subject | Object)

Subject (default): Set if the processMode should use the subject. Object: Set if the processMode should use the object. This only has effect when rendering an SSH authorization for now.

Default value:

"Subject"

tags [required]

Type: []string

List of tags of the object to render the hook for.

type [required]

Type: enum(APIAuthorization | EnforcerProfile | File | Hook | Infrastructure | NamespaceMapping | Network | ProcessingUnit | Quota | Syscall | TokenScope | SSHAuthorization | UserAccess)

Type of policy to render.
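
Rendering a policy for a set of tags means evaluating the policy's subject (or, with processMode Object, its object) expression against those tags. In the network access policies shown in the Import example, such an expression is a list of clauses, each clause a list of key=value tags: a clause matches when all of its tags are present, and the expression matches when any clause does. The Go program below is an added example, not Microsegmentation code, that implements that evaluation and a minimal renderer over the two policies shown on this page (allow-all-communication from the Import example and allow-acme from the ImportRequest example); the Policy type, the Render function and the sample tag sets are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Policy keeps the subject/object shape of a networkaccesspolicy as shown in the
// Import example: a list of AND-clauses that are OR-ed together.
type Policy struct {
	Name    string
	Action  string
	Subject [][]string
	Object  [][]string
}

// ProcessMode mirrors the PolicyRenderer processMode attribute.
type ProcessMode string

const (
	ModeSubject ProcessMode = "Subject"
	ModeObject  ProcessMode = "Object"
)

// matchClause reports whether every tag of one AND-clause is present in tags.
// An empty clause matches nothing (assumption).
func matchClause(clause []string, tags map[string]bool) bool {
	if len(clause) == 0 {
		return false
	}
	for _, t := range clause {
		if !tags[t] {
			return false
		}
	}
	return true
}

// MatchExpression reports whether any clause of expr matches the tag set.
func MatchExpression(expr [][]string, tags []string) bool {
	set := make(map[string]bool, len(tags))
	for _, t := range tags {
		set[t] = true
	}
	for _, clause := range expr {
		if matchClause(clause, set) {
			return true
		}
	}
	return false
}

// Render returns, sorted by name, the policies whose subject (or object,
// depending on mode) matches the given tags.
func Render(policies []Policy, mode ProcessMode, tags []string) []string {
	var out []string
	for _, p := range policies {
		expr := p.Subject
		if mode == ModeObject {
			expr = p.Object
		}
		if MatchExpression(expr, tags) {
			out = append(out, p.Name)
		}
	}
	sort.Strings(out)
	return out
}

// SamplePolicies is constructed from the two policies shown on this page.
var SamplePolicies = []Policy{
	{
		Name: "allow-all-communication", Action: "Allow",
		Subject: [][]string{{"$identity=processingunit"}},
		Object:  [][]string{{"$identity=processingunit"}, {"ext:net=tcp"}, {"ext:net=udp"}},
	},
	{
		Name: "allow-acme", Action: "Allow",
		Subject: [][]string{{"$identity=processingunit", "app=partner-data"}},
		Object:  [][]string{{"$identity=processingunit", "$namespace=/acme/prod", "app=query"}},
	},
}

func main() {
	// Constructed tag set of a processing unit running the query app in /acme/prod.
	puTags := []string{"$identity=processingunit", "app=query", "$namespace=/acme/prod"}
	fmt.Println("as subject:", Render(SamplePolicies, ModeSubject, puTags))
	fmt.Println("as object: ", Render(SamplePolicies, ModeObject, puTags))
	fmt.Println("tcp external network as object:", Render(SamplePolicies, ModeObject, []string{"ext:net=tcp"}))
}
```

The query processing unit is matched by allow-all-communication as a subject, but by both policies as an object, because it carries all three tags of the allow-acme object clause; a processing unit missing app=query would not, since a clause is an AND of all its tags.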

Perform a full text search on the database.

Relations

Perform a full text search on the database.

Parameters:

  • q (string): search query.

Mandatory Parameters

q

Attributes

object [autogenerated,read_only]

Type: object

Contains the matched object.

objectID [autogenerated,read_only]

Type: string

Contains the ID of the match.

objectIdentity [autogenerated,read_only]

Type: string

Contains the identity of the match.

objectNamespace [autogenerated,read_only]

Type: string

Contains the namespace of the match.

score [autogenerated,read_only]

Type: float

Contains the score of the match.

core/account

Account

Allows you to view and manage basic information about your account like your name, password, and whether or not two-factor authentication is enabled.

Example

{
  "OTPEnabled": false,
  "SSHCARenew": false,
  "accessEnabled": false,
  "company": "Acme",
  "email": "user@acme.com",
  "firstName": "John",
  "lastName": "Doe",
  "localCARenew": false,
  "name": "acme"
}

Relations

GET /accounts

Retrieves all accounts. This is a private API that can only be called by the system.

Parameters:

  • associatedBillingID (string): internal parameters.
  • name (string): internal parameters.
  • status (string): internal parameters.
  • q (string): Filtering query. Multiple q parameters are combined with an OR.

POST /accounts

Creates a new account.

DELETE /accounts/:id

Deletes the object with the given ID.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with an OR.

GET /accounts/:id

Retrieves the object with the given ID.

PUT /accounts/:id

Updates the object with the given ID.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

OTPEnabled

Type: boolean

Enable or disable two-factor authentication.

OTPQRCode [autogenerated,read_only]

Type: string

Returns the base64-encoded QR code for setting up two-factor authentication.

SSHCA [autogenerated,read_only]

Type: string

Holds the SSH certificate authority used by the account namespace.

SSHCARenew

Type: boolean

Set to true to renew the SSH certificate authority of the account namespace.

accessEnabled

Type: boolean

Defines if the account holder should have access to the system.

activationToken [autogenerated]

Type: string

Contains the activation token.

associatedBillingID

Type: string

Holds the ID of the associated billing customer.

associatedPlanKey [creation_only]

Type: string

Contains the plan key associated with this account.

company

Type: string

Company of the account user.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

email [required]

Type: string

Email of the account holder.

firstName

Type: string

First name of the account user.

lastName

Type: string

Last name of the account user.

localCA [autogenerated,read_only]

Type: string

The certificate authority used by this namespace.

localCARenew

Type: boolean

Set to true to renew the local certificate authority of the account namespace.

name [required,creation_only,format=^[^\*\=]*$]

Type: string

Name of the account.

newPassword

Type: string

New password for the account. If set, the previous password must be supplied in the password property.

password

Type: string

Password for the account.

reCAPTCHAKey [creation_only]

Type: string

Contains the completely automated public Turing test (CAPTCHA) validation if reCAPTCHA is enabled.

status [autogenerated,read_only]

Type: enum(Active | Disabled | Invited | Pending)

Status of the account.

Default value:

"Pending"

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

Activate

Used to activate a pending account.

Example

{
  "token": "2BB3D52C-DE26-406A-8821-613F102282B0"
}

Relations

GET /activate

Activates a pending account.

Parameters:

  • noRedirect (boolean): If set, do not redirect the request to the web interface.
  • token (string): Activation token.

Mandatory Parameters

token

Attributes

token [creation_only]

Type: string

Contains the activation token.

PasswordReset

Used to reset a Microsegmentation account password.

Example

{
  "password": "NewPassword123@",
  "token": "436676D4-7ECA-4853-A572-0644EE9D89EF"
}

Relations

GET /passwordreset

Sends a link to the account email to reset the password.

Parameters:

  • email (string): Email associated to the account.

Mandatory Parameters

email

POST /passwordreset

Resets the password for an account using the provided link.

Attributes

password [required]

Type: string

Contains the new password.

token [required]

Type: string

Contains the reset password token.

core/authentication

Authn

Verifies if the given token is valid or not. If it is valid it will return the claims of the token.

Relations

GET /authn

Verify the validity of a token. This is deprecated; use the POST (Create) operation instead.

Parameters:

  • token (string): token to validate.
POST /authn

Verify the validity of a token.

Attributes

claims [autogenerated,read_only]

Type: _claims

The claims in the token.

token

Type: string

The token to verify. This is only used if a POST request is used.

Issue

Issues a new Microsegmentation token from the given data.

Example

{
  "audience": "aud:*:*:/namespace",
  "metadata": {
    "vinceAccount": "acme",
    "vinceOTP": 665435,
    "vincePassword": "s3cr3t"
  },
  "realm": "Vince",
  "restrictedNamespace": "/namespace",
  "restrictedNetworks": [
    "10.0.0.0/8",
    "127.0.0.1/32"
  ],
  "restrictedPermissions": [
    "@auth:role=enforcer",
    "namespace,post"
  ],
  "validity": "24h"
}

Relations

POST /issue

Issues a new token.

Parameters:

  • asCookie (boolean): If set to true, the token will be delivered in a secure cookie, and not in the response body.
  • token (string): Token to verify.

Attributes

audience

Type: string

If given, the issued token will only be valid for the specified namespace. Refer to RFC 7519 (JSON Web Token) for further information.

claims [autogenerated,read_only]

Type: _claims

The claims in the token. It is only set if the parameter asCookie is given.

data

This attribute is deprecated.

Type: string

Contains additional data. The value depends on the issuer type.

metadata

Type: map[string]interface{}

Contains additional information; its meaning depends on the realm.

opaque

Type: map[string]string

Opaque data that will be included in the issued token.

quota

Type: integer

Restricts the number of times the issued token can be used.

realm [required]

Type: enum(AWSSecurityToken | Certificate | Google | LDAP | Vince | GCPIdentityToken | AzureIdentityToken | OIDC | SAML | AporetoIdentityToken | PCIdentityToken)

The authentication realm. This will define how to verify credentials from internal or external source of authentication.

restrictedNamespace

Type: string

Restricts the namespace where the token can be used.

For instance, if you have access to /namespace and below, you can tell the policy engine to restrict the token further to /namespace/child.

Restricting to a namespace you do not initially have access to according to the policy engine has no effect and may end up making the token unusable.

restrictedNetworks

Type: []string

Restricts the networks from where the token can be used. This will reduce the existing set of authorized networks that normally apply to the token according to the policy engine.

For instance, if you have authorized access from 0.0.0.0/0 (the default) or from 10.0.0.0/8, you can ask for a token that will only be valid when used from 10.1.0.0/16.

Restricting to a network that is not initially authorized by the policy engine has no effect and may end up making the token unusable.

restrictedPermissions

Type: []string

Restricts the permissions of token. This will reduce the existing permissions that normally apply to the token according to the policy engine.

For instance, if you have an administrative role, you can ask for a token that tells the policy engine to reduce the permissions it would have granted to those defined in the token.

Restricting to permissions you do not initially have according to the policy engine has no effect and may end up making the token unusable.
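
All three restrictions work the same way: they can only narrow what the policy engine already grants, and a restriction that reaches outside the grant is not an escalation but a token that may be unusable. The Go program below is an added example, not Microsegmentation code, of a client-side check to run before calling POST /issue: it takes the caller's granted namespace, networks and permissions (the Grant type, constructed here; the real engine derives it from policies) and the requested restrictedNamespace, restrictedNetworks and restrictedPermissions, and either returns the narrowed authority the token would carry or reports which restriction is outside the grant. Permissions are compared as plain strings, a simplification of how the policy engine evaluates them.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

// Grant is the authority the policy engine would normally give the caller:
// a namespace (and everything below it), authorized networks and permissions.
type Grant struct {
	Namespace   string
	Networks    []string
	Permissions []string
}

// Restrictions mirrors the restrictedNamespace, restrictedNetworks and
// restrictedPermissions attributes of the Issue object.
type Restrictions struct {
	Namespace   string
	Networks    []string
	Permissions []string
}

var ErrUnusable = errors.New("restriction exceeds the grant; the token would be unusable")

// namespaceWithin reports whether child is ns itself or lies below it.
// The separator check keeps /namespaces from counting as a child of /namespace.
func namespaceWithin(child, ns string) bool {
	return child == ns || strings.HasPrefix(child, strings.TrimSuffix(ns, "/")+"/")
}

// cidrWithin reports whether sub is entirely contained in super.
func cidrWithin(sub, super *net.IPNet) bool {
	subOnes, subBits := sub.Mask.Size()
	superOnes, superBits := super.Mask.Size()
	return subBits == superBits && subOnes >= superOnes && super.Contains(sub.IP)
}

func parseCIDRs(cidrs []string) ([]*net.IPNet, error) {
	out := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, err
		}
		out = append(out, n)
	}
	return out, nil
}

// Narrow checks each requested restriction against the grant and returns the
// authority the issued token would effectively carry.
func Narrow(g Grant, r Restrictions) (Grant, error) {
	out := g
	if r.Namespace != "" {
		if !namespaceWithin(r.Namespace, g.Namespace) {
			return Grant{}, fmt.Errorf("%w: namespace %s", ErrUnusable, r.Namespace)
		}
		out.Namespace = r.Namespace
	}
	if len(r.Networks) > 0 {
		granted, err := parseCIDRs(g.Networks)
		if err != nil {
			return Grant{}, err
		}
		wanted, err := parseCIDRs(r.Networks)
		if err != nil {
			return Grant{}, err
		}
		for i, w := range wanted {
			covered := false
			for _, gn := range granted {
				if cidrWithin(w, gn) {
					covered = true
					break
				}
			}
			if !covered {
				return Grant{}, fmt.Errorf("%w: network %s", ErrUnusable, r.Networks[i])
			}
		}
		out.Networks = r.Networks
	}
	if len(r.Permissions) > 0 {
		have := make(map[string]bool, len(g.Permissions))
		for _, p := range g.Permissions {
			have[p] = true
		}
		for _, p := range r.Permissions {
			if !have[p] {
				return Grant{}, fmt.Errorf("%w: permission %s", ErrUnusable, p)
			}
		}
		out.Permissions = r.Permissions
	}
	return out, nil
}

func main() {
	// Constructed grant: /namespace and below, from 10.0.0.0/8, with three permissions.
	g := Grant{Namespace: "/namespace", Networks: []string{"10.0.0.0/8"},
		Permissions: []string{"namespace,post", "namespace,delete", "@auth:role=enforcer"}}
	narrowed, err := Narrow(g, Restrictions{Namespace: "/namespace/child",
		Networks: []string{"10.1.0.0/16"}, Permissions: []string{"namespace,post"}})
	fmt.Println(narrowed, err)
	_, err = Narrow(g, Restrictions{Networks: []string{"192.168.0.0/16"}})
	fmt.Println(err)
}
```

The check is deliberately strict about namespaces: /namespaces is not below /namespace, so a prefix comparison without the separator would accept a restriction the engine would not honour.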

token [autogenerated,read_only]

Type: string

The token to use for the registration.

validity

Type: string

Configures the maximum validity of a token, using Go duration syntax. If it is longer than the configured maximum validity, it will be capped. Default: 24h.

Default value:

"24h"

LDAPProvider

Allows you to declare a generic LDAP provider that can be used in exchange for a Midgard token.

Example

{
  "address": "ldap.company.com",
  "baseDN": "dc=universe,dc=io",
  "bindDN": "cn=readonly,dc=universe,dc=io",
  "bindPassword": "s3cr3t",
  "bindSearchFilter": "uid={USERNAME}",
  "certificateAuthority": "-----BEGIN CERTIFICATE-----\nMIIBPzCB5qADAgECAhEAwbx3c+QW24ePXyD94geytzAKBggqhkjOPQQDAjAPMQ0w\nCwYDVQQDEwR0b3RvMB4XDTE5MDIyMjIzNDA1MFoXDTI4MTIzMTIzNDA1MFowDzEN\nMAsGA1UEAxMEdG90bzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJi6CwRDeKks\nXb3pDEslmFGR7k9Aeh5RK+XmdqKKPGb3NQWEFPGolnqOR34iVuf7KSxTuzaaVWfu\nXEa94faUQEqjIzAhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MAoG\nCCqGSM49BAMCA0gAMEUCIQD+nL9RF9EvQXHyYuJ31Lz9yWd9hsK91stnpAs890gS\n/AIgQIKjBBpiyQNZZWso5H04qke9QYMVPegiQQufFFBj32c=\n-----END CERTIFICATE-----",
  "connSecurityProtocol": "InbandTLS",
  "default": false,
  "name": "the name",
  "protected": false,
  "subjectKey": "uid"
}

Relations

GET /ldapproviders

Retrieves the list of the namespace LDAP providers.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with an OR.

POST /ldapproviders

Creates a new LDAP provider.

DELETE /ldapproviders/:id

Deletes the provider with the given ID.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with an OR.

GET /ldapproviders/:id

Retrieves the provider with the given ID.

PUT /ldapproviders/:id

Updates the provider with the given ID.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

address [required]

Type: string

Contains the fully qualified domain name (FQDN) or IP address of the private LDAP server.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

baseDN [required]

Type: string

Contains the base distinguished name (DN) to use for LDAP queries. Example: dc=example,dc=com.

bindDN [required]

Type: string

Contains the DN to use to bind to the LDAP server. Example: cn=admin,dc=example,dc=com.

bindPassword [required]

Type: string

Contains the password to be used with the bindDN to authenticate to the LDAP server.

bindSearchFilter

Type: string

The filter to use to locate the relevant user accounts. For Windows-based systems, the value may be sAMAccountName={USERNAME}. For Linux and other systems, the value may be uid={USERNAME}.

Default value:

"uid={USERNAME}"

certificateAuthority

Type: string

Can be left empty if the LDAP server’s certificate is signed by a public, trusted certificate authority. Otherwise, include the public key of the certificate authority that signed the LDAP server’s certificate.

connSecurityProtocol

Type: enum(TLS | InbandTLS)

Specifies the connection type for the LDAP provider. TLS or InbandTLS (default).

Default value:

"InbandTLS"

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

default

Type: boolean

If set, this will be the default LDAP provider. There can be only one default provider in your account. When logging in with LDAP, if no provider name is given, the default will be used.

description [max_length=1024]

Type: string

Description of the object.

ignoredKeys

Type: []string

A list of keys that must not be imported into a Microsegmentation authorization. If includedKeys is also set, and a key is in both lists, the key will be ignored.

includedKeys

Type: []string

A list of keys that must be imported into a Microsegmentation authorization. If ignoredKeys is also set, and a key is in both lists, the key will be ignored.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

protected

Type: boolean

Defines if the object is protected.

subjectKey

Type: string

The key to be used to populate the subject of the Midgard token. If you want to use the user as a subject, for Windows-based systems you may use sAMAccountName. For Linux and other systems, you may wish to use uid (default). You can also use any alternate key.

Default value:

"uid"

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.
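
Three of the LDAP provider attributes above describe a small pipeline: the login name is substituted into bindSearchFilter at {USERNAME} to find the user's entry, the entry's attributes are filtered by includedKeys and ignoredKeys, and the subjectKey attribute becomes the subject of the Midgard token. The Go program below is an added example, not Microsegmentation code, that walks through that pipeline; the functions, the in-memory entry and the rule that an empty includedKeys means every attribute is eligible are assumptions made for the example. Because the login name lands inside an LDAP filter, the example escapes it as RFC 4515 requires before substitution, which keeps a name such as O'Brien (Sales) from being read as filter syntax.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// escapeFilterValue escapes an assertion value for use inside an LDAP search
// filter as required by RFC 4515 section 3: '(' ')' '*' '\' and NUL become
// backslash-hex escapes, so the value cannot change the filter's structure.
func escapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		switch c := v[i]; c {
		case '(', ')', '*', '\\', 0:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// BuildBindSearchFilter substitutes {USERNAME} in a bindSearchFilter template
// with the escaped login name.
func BuildBindSearchFilter(template, username string) string {
	return strings.ReplaceAll(template, "{USERNAME}", escapeFilterValue(username))
}

// SelectClaims applies includedKeys and ignoredKeys to the attributes of the
// entry the bind search resolved. A key in both lists is ignored; an empty
// includedKeys means every attribute is eligible (assumption).
func SelectClaims(entry map[string]string, includedKeys, ignoredKeys []string) map[string]string {
	ignored := make(map[string]bool, len(ignoredKeys))
	for _, k := range ignoredKeys {
		ignored[k] = true
	}
	included := make(map[string]bool, len(includedKeys))
	for _, k := range includedKeys {
		included[k] = true
	}
	out := make(map[string]string)
	for k, v := range entry {
		if ignored[k] {
			continue
		}
		if len(includedKeys) > 0 && !included[k] {
			continue
		}
		out[k] = v
	}
	return out
}

// Subject returns the token subject taken from the subjectKey attribute and
// false when the entry has no non-empty value for that key.
func Subject(entry map[string]string, subjectKey string) (string, bool) {
	s, ok := entry[subjectKey]
	return s, ok && s != ""
}

func main() {
	fmt.Println(BuildBindSearchFilter("uid={USERNAME}", "jdoe"))
	fmt.Println(BuildBindSearchFilter("sAMAccountName={USERNAME}", "O'Brien (Sales)*"))
	// Constructed entry standing in for what the LDAP search returned.
	entry := map[string]string{"uid": "jdoe", "mail": "jdoe@example.com", "userPassword": "redacted"}
	claims := SelectClaims(entry, nil, []string{"userPassword"})
	keys := make([]string, 0, len(claims))
	for k := range claims {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	fmt.Println("claim keys:", keys)
	fmt.Println(Subject(entry, "uid"))
}
```

Listing sensitive attributes such as userPassword in ignoredKeys keeps them out of the authorization claims even when includedKeys is broad, which is the "key in both lists is ignored" rule above.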

Logout

Perform logout operations. This is only used to unset the secure cookie token for now.

Relations

GET /logout

Performs a logout operation.

OIDCProvider

Allows you to declare a generic OpenID Connect (OIDC) provider that can be used in exchange for a Midgard token.

Example

{
  "certificateAuthority": "-----BEGIN CERTIFICATE-----\nMIIBczCCARigAwIBAgIRALD3Vz81Pq10g7n4eAkOsCYwCgYIKoZIzj0EAwIwJjEN\nMAsGA1UEChMEQWNtZTEVMBMGA1UEAxMMQWNtZSBSb290IENBMB4XDTE4MDExNzA2\nNTM1MloXDTI3MTEyNjA2NTM1MlowGDEWMBQGA1UEAxMNY2xhaXJlLWNsaWVudDBZ\nMBMGByqGSM49AgEGCCqGSM49AwEHA0IABOmzPJj+t25T148eQH5gVrZ7nHwckF5O\nevJQ3CjSEMesjZ/u7cW8IBfXlxZKHxl91IEbbB3svci4c8pycUNZ2kujNTAzMA4G\nA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAA\nMAoGCCqGSM49BAMCA0kAMEYCIQCjAAmkQpTua0HR4q6jnePaFBp/JMXwTXTxzbV6\npeGbBQIhAP+1OR8GFnn2PlacwHqWXHwkvy6CLPVikvgtwEdB6jH8\n-----END CERTIFICATE-----",
  "clientID": "6195189841830-0644ee9d89ef0644ee9d89examle.apps.googleusercontent.com",
  "clientSecret": "Ytgbfjtj4652jHDFGls99jF",
  "default": false,
  "endpoint": "https://accounts.google.com",
  "name": "the name",
  "protected": false,
  "scopes": [
    "email",
    "profile"
  ],
  "subjects": [
    "email",
    "profile"
  ]
}

Relations

GET /oidcproviders

Retrieves the list of OIDC providers.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with an OR.

POST /oidcproviders

Creates a new OIDC provider.

DELETE /oidcproviders/:id

Deletes the provider with the given ID.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with an OR.

GET /oidcproviders/:id

Retrieves the provider with the given ID.

PUT /oidcproviders/:id

Updates the provider with the given ID.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

certificateAuthority

Type: string

Set the CA to use to contact the OIDC server. This is useful when you are using a custom OIDC provider that doesn’t use a trusted CA. Most of the time, you can leave this property empty.

clientID [required]

Type: string

Unique client ID.

clientSecret [required]

Type: string

Client secret associated with the client ID.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

default

Type: boolean

If set, this will be the default OIDC provider. There can be only one default provider in your account. When logging in with OIDC, if no provider name is given, the default will be used.

endpoint [required]

Type: string

OIDC discovery endpoint.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

parentID [autogenerated,read_only]

Type: string

Contains the parent Microsegmentation account ID.

parentName [autogenerated,read_only]

Type: string

Contains the name of the parent Microsegmentation account.

protected

Type: boolean

Defines if the object is protected.

scopes

Type: []string

List of scopes to allow.

subjects

Type: []string

List of claims that will provide the subject.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

PCCProvider

Allows you to declare a trusted Prisma Cloud Compute (PCC) authentication provider. Microsegmentation will accept JSON web tokens (JWT) from the specified PCC provider.

Example

{
  "certificateAuthority": "-----BEGIN CERTIFICATE-----\nMIIBczCCARigAwIBAgIRALD3Vz81Pq10g7n4eAkOsCYwCgYIKoZIzj0EAwIwJjEN\nMAsGA1UEChMEQWNtZTEVMBMGA1UEAxMMQWNtZSBSb290IENBMB4XDTE4MDExNzA2\nNTM1MloXDTI3MTEyNjA2NTM1MlowGDEWMBQGA1UEAxMNY2xhaXJlLWNsaWVudDBZ\nMBMGByqGSM49AgEGCCqGSM49AwEHA0IABOmzPJj+t25T148eQH5gVrZ7nHwckF5O\nevJQ3CjSEMesjZ/u7cW8IBfXlxZKHxl91IEbbB3svci4c8pycUNZ2kujNTAzMA4G\nA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAA\nMAoGCCqGSM49BAMCA0kAMEYCIQCjAAmkQpTua0HR4q6jnePaFBp/JMXwTXTxzbV6\npeGbBQIhAP+1OR8GFnn2PlacwHqWXHwkvy6CLPVikvgtwEdB6jH8\n-----END CERTIFICATE-----",
  "default": false,
  "endpoint": "https://my.pcc.acme.com",
  "name": "the name",
  "protected": false
}

Relations

GET /pccproviders

Retrieves the list of the PCC providers.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with an OR.

POST /pccproviders

Creates a new PCC provider.

DELETE /pccproviders/:id

Deletes the provider with the given ID.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with an OR.

GET /pccproviders/:id

Retrieves the provider with the given ID.

PUT /pccproviders/:id

Updates the provider with the given ID.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

certificateAuthority

Type: string

The CA to use when contacting the PCC Console, in case the Console uses a certificate authority that is not widely trusted.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

default

Type: boolean

If set, this will be the default PCC provider. There can be only one default provider in your account. When logging in with PCC, if no provider name is given, the default will be used.

endpoint [required]

Type: string

The URL of the PCC service. It must use HTTPS.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

protected

Type: boolean

Defines if the object is protected.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

SAMLProvider

Allows you to declare a generic SAML provider that can be used in exchange for a Midgard token.

Example

{
  "IDPCertificate": "-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----",
  "IDPIssuer": "https://accounts.google.com/o/saml2/idp?idpid=AbDcef123",
  "IDPURL": "https://accounts.google.com/o/saml2/idp?idpid=AbDcef123",
  "default": false,
  "name": "the name",
  "protected": false,
  "subjects": [
    "email",
    "profile"
  ]
}

Relations

GET /samlproviders

Retrieves the list of the namespace SAML providers.

Parameters:

  • q (string): Filtering query. Consecutive q parameters are combined with a logical OR.

POST /samlproviders

Creates a new SAML provider.

DELETE /samlproviders/:id

Deletes the provider with the given ID.

Parameters:

  • q (string): Filtering query. Consecutive q parameters are combined with a logical OR.

GET /samlproviders/:id

Retrieves the provider with the given ID.

PUT /samlproviders/:id

Updates the provider with the given ID.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

IDPCertificate

Type: string

Identity provider certificate in PEM format.

IDPIssuer

Type: string

Identity Provider Issuer (also called Entity ID).

IDPMetadata

Type: string

XML IDP metadata used for automatic configuration. If you pass this attribute, every other IDP attribute is overwritten with the values contained in the metadata.

IDPURL

Type: string

URL of the identity provider.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

default

Type: boolean

If set, this will be the default SAML provider. There can be only one default provider in your account. When logging in with SAML, if no provider name is given, the default will be used.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

protected

Type: boolean

Defines if the object is protected.

subjects

Type: []string

List of claims that will provide the subject.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.
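
Before calling POST /pccproviders or POST /samlproviders it is worth checking a payload against the constraints these two objects document (an HTTPS-only endpoint, at most one default provider per account, and the rule that IDPMetadata overwrites every other IDP attribute) plus one thing the page does not spell out: the PEM you hand over must be a certificate, and for certificateAuthority a CA certificate. The page's own SAMLProvider example shows a CERTIFICATE REQUEST header, and the certificate in its PCCProvider example is a leaf client certificate with basicConstraints CA:FALSE, so both would be caught. The Python validator below is an added example written for this edit, not code from the product or its API client. The basicConstraints scan is a deliberately minimal byte search rather than a full X.509 parser, the HTTPS check on IDPURL is the editor's hardening assumption rather than a documented rule, and the SAML payload is constructed to mirror the page's example.

```python
import base64
import re
from urllib.parse import urlparse

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.+?)\s*-----END \1-----", re.S)
BASIC_CONSTRAINTS_OID = b"\x06\x03\x55\x1d\x13"  # DER encoding of OID 2.5.29.19


def parse_pem(text):
    """Return (label, der) for the first PEM block; der is None unless the body is a DER SEQUENCE."""
    m = PEM_RE.search(text or "")
    if not m:
        return None, None
    try:
        der = base64.b64decode(m.group(2))  # newlines and other non-alphabet characters are discarded
    except ValueError:  # binascii.Error is a ValueError
        return m.group(1), None
    return m.group(1), (der if der[:1] == b"\x30" else None)


def is_ca_certificate(der):
    """Naive byte scan for basicConstraints; True only when cA=TRUE is asserted.
    Fine as a pre-flight check, not a substitute for a real X.509 parser."""
    i = der.find(BASIC_CONSTRAINTS_OID)
    if i < 0:
        return False  # RFC 5280 requires basicConstraints on every CA certificate
    p = i + len(BASIC_CONSTRAINTS_OID)
    if der[p:p + 3] == b"\x01\x01\xff":  # optional "critical TRUE" flag
        p += 3
    if der[p:p + 1] != b"\x04":  # extnValue is an OCTET STRING wrapping the BasicConstraints SEQUENCE
        return False
    body = der[p + 2:p + 2 + der[p + 1]]
    return body[:1] == b"\x30" and b"\x01\x01\xff" in body


def validate_pcc_provider(p):
    """Pre-flight checks for a PCCProvider payload before POST /pccproviders."""
    problems = []
    if not p.get("name"):
        problems.append("name is required")
    url = urlparse(p.get("endpoint", ""))
    if url.scheme != "https" or not url.netloc:
        problems.append("endpoint must be an https:// URL")
    if p.get("certificateAuthority"):
        label, der = parse_pem(p["certificateAuthority"])
        if label != "CERTIFICATE" or der is None:
            problems.append("certificateAuthority is not a PEM CERTIFICATE")
        elif not is_ca_certificate(der):
            problems.append("certificateAuthority has basicConstraints CA:FALSE (a leaf, not a CA)")
    return problems


def validate_saml_provider(p):
    """Pre-flight checks for a SAMLProvider payload before POST /samlproviders."""
    problems = []
    if not p.get("name"):
        problems.append("name is required")
    if p.get("IDPMetadata"):  # metadata overwrites every other IDP attribute, so extras are silently lost
        problems += [f"{k} is ignored because IDPMetadata is set"
                     for k in ("IDPCertificate", "IDPIssuer", "IDPURL") if p.get(k)]
        return problems
    label, der = parse_pem(p.get("IDPCertificate", ""))
    if label != "CERTIFICATE" or der is None:
        problems.append(f"IDPCertificate must be a PEM CERTIFICATE, got {label}")
    if urlparse(p.get("IDPURL", "")).scheme != "https":
        problems.append("IDPURL should be https (editor's hardening assumption, not a documented rule)")
    if not p.get("subjects"):
        problems.append("subjects is empty, so no claim will provide the subject")
    return problems


def default_provider_problems(providers):
    """At most one provider per account may carry default=true."""
    defaults = [p.get("name") for p in providers if p.get("default")]
    return [f"more than one default provider: {defaults}"] if len(defaults) > 1 else []


# The PCCProvider example from this page, copied verbatim.
EXAMPLE_PCC_PROVIDER = {
    "certificateAuthority": """-----BEGIN CERTIFICATE-----
MIIBczCCARigAwIBAgIRALD3Vz81Pq10g7n4eAkOsCYwCgYIKoZIzj0EAwIwJjEN
MAsGA1UEChMEQWNtZTEVMBMGA1UEAxMMQWNtZSBSb290IENBMB4XDTE4MDExNzA2
NTM1MloXDTI3MTEyNjA2NTM1MlowGDEWMBQGA1UEAxMNY2xhaXJlLWNsaWVudDBZ
MBMGByqGSM49AgEGCCqGSM49AwEHA0IABOmzPJj+t25T148eQH5gVrZ7nHwckF5O
evJQ3CjSEMesjZ/u7cW8IBfXlxZKHxl91IEbbB3svci4c8pycUNZ2kujNTAzMA4G
A1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAA
MAoGCCqGSM49BAMCA0kAMEYCIQCjAAmkQpTua0HR4q6jnePaFBp/JMXwTXTxzbV6
peGbBQIhAP+1OR8GFnn2PlacwHqWXHwkvy6CLPVikvgtwEdB6jH8
-----END CERTIFICATE-----""",
    "endpoint": "https://my.pcc.acme.com", "name": "the name",
}
# Constructed to mirror the page's SAMLProvider example, whose IDPCertificate carries a CSR header.
EXAMPLE_SAML_PROVIDER = {
    "IDPCertificate": "-----BEGIN CERTIFICATE REQUEST-----...-----END CERTIFICATE REQUEST-----",
    "IDPIssuer": "https://accounts.google.com/o/saml2/idp?idpid=AbDcef123",
    "IDPURL": "https://accounts.google.com/o/saml2/idp?idpid=AbDcef123",
    "name": "the name", "subjects": ["email", "profile"],
}
```

Run validate_pcc_provider(EXAMPLE_PCC_PROVIDER) and the only finding is the CA:FALSE one; validate_saml_provider(EXAMPLE_SAML_PROVIDER) reports the CSR header. A Console that accepts such payloads will fail at login time, not at creation time, which is why a client-side check before the POST saves a debugging session.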

core/billing

Invoice

Provides access to Microsegmentation customer invoices.

Example

{
  "billedToProvider": "Aporeto"
}

Relations

DELETE /invoices/:id

Deletes the invoice with the given ID.

Parameters:

  • q (string): Filtering query. Consecutive q parameters are combined with a logical OR.

GET /invoices/:id

Retrieves the invoice with the given ID.

PUT /invoices/:id

Updates the invoice with the given ID.

Attributes

ID

Type: string

The ID of the invoice.

accountID

Type: string

The ID of the customer that this invoice belongs to.

billedToProvider

Type: enum(Aporeto | AWS)

The name of the provider that this invoice was billed to.

Default value:

"Aporeto"
createTime [autogenerated,read_only]

Type: time

Creation date of the object.

endDate

Type: time

The end date of the invoice.

startDate

Type: time

The start date of this invoice.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

InvoiceRecord

Provides detailed records of invoices for Microsegmentation customers.

Relations

DELETE /invoicerecords/:id

Deletes the object with the given ID.

Parameters:

  • q (string): Filtering query. Consecutive q parameters are combined with a logical OR.

GET /invoicerecords/:id

Retrieves the object with the given ID.

PUT /invoicerecords/:id

Updates the object with the given ID.

Attributes

ID

Type: string

The ID of the invoice record.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

invoiceID

Type: string

The ID of the invoice associated with the invoice record.

invoiceRecords

Type: []string

Details about billing units.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

Plan

Contains the various billing plans available.

Relations

GET /plans

Retrieves the list of plans.

GET /plans/:id

Retrieves the plan with the given ID.

Attributes

description [autogenerated,read_only]

Type: string

Contains the description of the plan.

key [autogenerated,read_only]

Type: string

Contains the key identifier of the plan.

name [autogenerated,read_only]

Type: string

Contains the name of the plan.

core/enforcer

CounterReport

Post a new counter tracing report.

Example

{
  "enforcerID": "xxxx-xxx-xxxx",
  "enforcerNamespace": "/my/namespace",
  "processingUnitID": "xxx-xxx-xxx",
  "processingUnitNamespace": "/my/namespace",
  "timestamp": "2018-06-14T23:10:46.420397985Z"
}

Relations

POST /counterreports

Create a counter report.

Attributes

AckInUnknownState

Type: integer

Counter for FIN ACK packets received in an unknown connection state.

AckInvalidFormat

Type: integer

Counter for ACK packet dropped because of invalid format.

AckRejected

Type: integer

Counter for ACK packets rejected as per policy.

AckSigValidationFailed

Type: integer

Counter for ACK packet dropped because signature validation failed.

AckTCPNoTCPAuthOption

Type: integer

Counter for TCP authentication option not found.

ConnectionsProcessed

Type: integer

Counter for connections processed.

ContextIDNotFound

Type: integer

Counter for packets whose context ID could not be found.

DroppedExternalService

Type: integer

Counter for application SYN packets dropped because no ACL matched the external service.

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

InvalidConnState

Type: integer

Counter for invalid connection state.

InvalidNetState

Type: integer

Counter for invalid net state.

InvalidProtocol

Type: integer

Counter for invalid protocol.

InvalidSynAck

Type: integer

Counter for SYN ACK packets dropped because the processing unit is already dead.

MarkNotFound

Type: integer

Counter for processing unit mark not found.

NetSynNotSeen

Type: integer

Counter for flows whose network SYN packet was not seen.

NoConnFound

Type: integer

Counter for no context or connection found.

NonPUTraffic

Type: integer

Counter for traffic that belongs to a non-processing unit process.

OutOfOrderSynAck

Type: integer

Counter for SYN ACK for flow with processed FIN ACK.

PortNotFound

Type: integer

Counter for port not found.

RejectPacket

Type: integer

Counter for packets rejected as per policy.

ServicePostprocessorFailed

Type: integer

Counter for post service processing failed for network packet.

ServicePreprocessorFailed

Type: integer

Counter for network packets that failed preprocessing.

SynAckBadClaims

Type: integer

Counter for SYN ACK packet dropped because of bad claims.

SynAckClaimsMisMatch

Type: integer

Counter for SYN ACK packet dropped because of encryption mismatch.

SynAckDroppedExternalService

Type: integer

Counter for SYN ACK from external service dropped.

SynAckInvalidFormat

Type: integer

Counter for SYN ACK packet dropped because of invalid format.

SynAckMissingClaims

Type: integer

Counter for SYN ACK packet dropped because of no claims.

SynAckMissingToken

Type: integer

Counter for SYN ACK packet dropped because of missing token.

SynAckNoTCPAuthOption

Type: integer

Counter for TCP authentication option not found.

SynAckRejected

Type: integer

Counter for SYN ACK packets dropped because of a reject rule on the transmitter.

SynDroppedInvalidFormat

Type: integer

Counter for SYN packet dropped because of invalid format.

SynDroppedInvalidToken

Type: integer

Counter for SYN packet dropped because of invalid token.

SynDroppedNoClaims

Type: integer

Counter for SYN packet dropped because of no claims.

SynDroppedTCPOption

Type: integer

Counter for TCP authentication option not found.

SynRejectPacket

Type: integer

Counter for SYN packet dropped due to policy.

SynUnexpectedPacket

Type: integer

Counter for received SYN packet from unknown processing unit.

TCPAuthNotFound

Type: integer

Counter for TCP authentication option not found.

UDPAckInvalidSignature

Type: integer

Counter for UDP ACK packet dropped due to an invalid signature.

UDPConnectionsProcessed

Type: integer

Counter for number of processed UDP connections.

UDPDropContextNotFound

Type: integer

Counter for dropped UDP data packets with no context.

UDPDropFin

Type: integer

Counter for dropped UDP FIN handshake packets.

UDPDropInNfQueue

Type: integer

Counter for dropped UDP in NfQueue.

UDPDropNoConnection

Type: integer

Counter for dropped UDP data packets with no connection.

UDPDropPacket

Type: integer

Counter for dropped UDP data packets.

UDPDropQueueFull

Type: integer

Counter for UDP packets dropped because the queue was full.

UDPDropSynAck

Type: integer

Counter for dropped UDP SYN ACK handshake packets.

UDPInvalidNetState

Type: integer

Counter for UDP packets received in invalid network state.

UDPPostProcessingFailed

Type: integer

Counter for UDP packets failing postprocessing.

UDPPreProcessingFailed

Type: integer

Counter for UDP packets failing preprocessing.

UDPRejected

Type: integer

Counter for UDP packets dropped due to policy.

UDPSynAckDropBadClaims

Type: integer

Counter for UDP SYN ACK packets dropped due to bad claims.

UDPSynAckMissingClaims

Type: integer

Counter for UDP SYN ACK packets dropped due to missing claims.

UDPSynAckPolicy

Type: integer

Counter for UDP SYN ACK packets dropped due to policy.

UDPSynDrop

Type: integer

Counter for UDP SYN packets dropped on transmit.

UDPSynDropPolicy

Type: integer

Counter for UDP SYN packets dropped due to policy.

UDPSynInvalidToken

Type: integer

Counter for UDP SYN packets dropped due to an invalid token.

UDPSynMissingClaims

Type: integer

Counter for UDP SYN packet dropped due to missing claims.

UnknownError

Type: integer

Counter for unknown error.

connectionsAnalyzed

Type: integer

Non-zero counter indicates analyzed connections, whether unencrypted, encrypted, or from endpoint applications with the TCP Fast Open option set. This is not a drop counter.

connectionsDropped

Type: integer

Non-zero counter indicates dropped connections because of invalid state, non-processing unit traffic, or out of order packets.

connectionsExpired

Type: integer

Non-zero counter indicates connections that expired because no response was received within the timeout after the request was made.

droppedPackets

Type: integer

Non-zero counter indicates packets dropped because they did not match any of the enforcer's iptables rules, plus queue drops.

encryptionFailures

Type: integer

Non-zero counter indicates encryption processing failures of data packets.

enforcerID [required]

Type: string

Identifier of the enforcer sending the report.

enforcerNamespace [required]

Type: string

Namespace of the enforcer sending the report.

externalNetworkConnections

Type: integer

Non-zero counter indicates connections going to and from external networks. These may be drops or allowed counters.

policyDrops

Type: integer

Non-zero counter indicates packets dropped due to a reject policy.

processingUnitID

Type: string

ID of the processing unit reporting the counter.

processingUnitNamespace

Type: string

Namespace of the processing unit reporting the counter.

timestamp

Type: time

Date of the report.

tokenDrops

Type: integer

Non-zero counter indicates packets rejected due to anything related to token creation/parsing failures.
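
A CounterReport is a flat bag of integers, so the security-relevant signal is easy to miss unless the counters are grouped by what they mean. Token, signature and claims failures mean a peer presented an identity the enforcer could not verify; TCP-authentication-option misses mean unenforced traffic reached a processing unit; policy rejects mean the identity checked out but a rule said no. The Python triage below is an added example written for this edit, not part of the product or its tooling. It sums those three groups per enforcer over a batch of reports and raises findings at or above a threshold. The grouping is the editor's, built only from the attribute names documented above; the reports and thresholds are constructed.

```python
from collections import defaultdict

# CounterReport attributes grouped by what a non-zero value means for the operator.
AUTH_FAILURE = {  # the peer presented a token, signature or claims the enforcer could not verify
    "AckInvalidFormat", "AckSigValidationFailed",
    "SynAckBadClaims", "SynAckInvalidFormat", "SynAckMissingClaims", "SynAckMissingToken",
    "SynDroppedInvalidFormat", "SynDroppedInvalidToken", "SynDroppedNoClaims",
    "UDPAckInvalidSignature", "UDPSynAckDropBadClaims", "UDPSynAckMissingClaims",
    "UDPSynInvalidToken", "UDPSynMissingClaims", "tokenDrops",
}
NO_AUTH_OPTION = {  # packets that reached a processing unit without the TCP authentication option
    "AckTCPNoTCPAuthOption", "SynAckNoTCPAuthOption", "SynDroppedTCPOption", "TCPAuthNotFound",
}
POLICY_REJECT = {  # identity verified fine; a network policy or missing ACL rejected the flow
    "AckRejected", "RejectPacket", "SynRejectPacket", "SynAckRejected",
    "DroppedExternalService", "SynAckDroppedExternalService",
    "UDPRejected", "UDPSynDropPolicy", "UDPSynAckPolicy", "policyDrops",
}
CATEGORIES = {"auth_failure": AUTH_FAILURE, "no_auth_option": NO_AUTH_OPTION,
              "policy_reject": POLICY_REJECT}


def summarize(reports):
    """Sum each category per (enforcerNamespace, enforcerID) across a batch of reports."""
    totals = defaultdict(lambda: {c: 0 for c in CATEGORIES})
    for r in reports:
        key = (r["enforcerNamespace"], r["enforcerID"])
        for cat, names in CATEGORIES.items():
            totals[key][cat] += sum(int(r.get(n, 0)) for n in names)
    return dict(totals)


def findings(reports, thresholds):
    """Return (namespace, enforcerID, category, total) wherever a total reaches its threshold.

    Categories without a threshold never fire. Auth failures in a namespace where every
    workload is enforced deserve a look: a legitimate enforcer never sends bad tokens.
    """
    out = []
    for (ns, eid), cats in sorted(summarize(reports).items()):
        for cat, total in cats.items():
            if total >= thresholds.get(cat, float("inf")):
                out.append((ns, eid, cat, total))
    return out


# Constructed reports: two enforcers, three reports, whole-second timestamps.
SAMPLE_REPORTS = [
    {"enforcerID": "enf-a", "enforcerNamespace": "/acme/prod",
     "processingUnitID": "pu-1", "processingUnitNamespace": "/acme/prod/web",
     "timestamp": "2018-06-14T23:10:46Z", "ConnectionsProcessed": 100,
     "AckSigValidationFailed": 3, "SynDroppedInvalidToken": 2, "SynRejectPacket": 5},
    {"enforcerID": "enf-a", "enforcerNamespace": "/acme/prod",
     "processingUnitID": "pu-2", "processingUnitNamespace": "/acme/prod/web",
     "timestamp": "2018-06-14T23:11:46Z", "SynAckBadClaims": 4, "tokenDrops": 6},
    {"enforcerID": "enf-b", "enforcerNamespace": "/acme/dev",
     "processingUnitID": "pu-3", "processingUnitNamespace": "/acme/dev/db",
     "timestamp": "2018-06-14T23:12:46Z", "TCPAuthNotFound": 20, "policyDrops": 1},
]
THRESHOLDS = {"auth_failure": 10, "no_auth_option": 10}

if __name__ == "__main__":
    for ns, eid, cat, total in findings(SAMPLE_REPORTS, THRESHOLDS):
        print(f"{ns} {eid}: {cat}={total}")
```

With the constructed batch, enf-a accumulates 15 authentication failures across two reports and enf-b sees 20 packets without the TCP authentication option; policy rejects are counted but, with no threshold set for them, never raised. Feed the function the JSON bodies received on POST /counterreports over a time window rather than single reports, since each report is a snapshot for one processing unit.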

Enforcer

Contains all parameters associated with a registered enforcer. The object is mainly maintained by the enforcers themselves. Users can read the object in order to understand the current status of the enforcers.

Example

{
  "FQDN": "server1.domain.com",
  "certificateRequest": "-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----",
  "collectInfo": false,
  "enforcementStatus": "Inactive",
  "lastCollectionID": "xxx-xxx-xxx-xxx -",
  "logLevel": "Info",
  "logLevelDuration": "10s",
  "machineID": "3F23E8DF-C56D-45CF-89B8-A867F3956409",
  "name": "the name",
  "operationalStatus": "Registered",
  "protected": false,
  "updateAvailable": false
}

Relations

GET /enforcers

Retrieves the list of enforcers.

Parameters:

  • q (string): Filtering query. Consecutive q parameters are combined with a logical OR.

POST /enforcers

Creates a new enforcer.

DELETE /enforcers/:id

Deletes the enforcer with the given ID.

Parameters:

  • q (string): Filtering query. Consecutive q parameters are combined with a logical OR.

GET /enforcers/:id

Retrieves the enforcer with the given ID.

PUT /enforcers/:id

Updates the enforcer with the given ID.

GET /auditprofilemappingpolicies/:id/enforcers

Returns the list of enforcers that are affected by this mapping.

GET /enforcerprofilemappingpolicies/:id/enforcers

Returns the list of enforcers affected by an enforcer profile mapping.

GET /hostservicemappingpolicies/:id/enforcers

Returns the list of enforcers that are affected by this mapping.

GET /enforcers/:id/auditprofiles

Returns a list of the audit profiles that must be applied to this enforcer.

GET /enforcers/:id/debugbundles

Retrieves the list of debug bundles.

POST /enforcers/:id/debugbundles

Uploads a debug bundle.

GET /enforcers/:id/enforcerprofiles

Returns the enforcer profile that must be used by an enforcer.

POST /enforcers/:id/enforcerrefreshes

Sends an enforcer refresh command.

GET /enforcers/:id/hostservices

Returns a list of the host services policies that apply to this enforcer.

Parameters:

  • appliedServices (boolean): Valid when retrieved for a given enforcer and returns the applied services.
  • setServices (boolean): Instructs Microsegmentation Console to cache the services that were resolved.

GET /enforcers/:id/poke

Sends an empty poke object. This is used to confirm that an enforcer is up and running.

Parameters:

  • cpuload (float): Deprecated.
  • enforcementStatus (enum(Failed | Inactive | Active)): If set, changes the enforcement status of the enforcer along with the poke.
  • forceFullPoke (boolean): If set, triggers a full poke (slower).
  • memory (integer): Deprecated.
  • processes (integer): Deprecated.
  • sessionClose (boolean): If set, terminates a session for an enforcer.
  • sessionID (string): If set, sends the current session ID of an enforcer.
  • status (enum(Registered | Connected | Disconnected)): If set, changes the status of the enforcer along with the poke.
  • ts (time): Time of the report. If not set, the local server time is used.
  • version (string): If set, the version of the currently running enforcer.
  • zhash (integer): Can be set to help Microsegmentation Console target the correct shard where the enforcer is stored.

GET /enforcers/:id/trustedcas

Returns the list of certificate authorities that should be trusted by this enforcer.

Parameters:

  • type (enum(Any | X509 | SSH)): Type of certificate to get.

Attributes

FQDN [required,creation_only]

Type: string

Contains the fully qualified domain name (FQDN) of the server where the enforcer is running.

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

certificate [autogenerated,read_only]

Type: string

The certificate of the enforcer.

certificateRequest

Type: string

If not empty during a create or update operation, the provided certificate signing request (CSR) will be validated and signed by the Microsegmentation Console, providing a renewed certificate.

collectInfo

Type: boolean

Indicates to the enforcer whether or not it needs to collect information.

collectedInfo

This attribute is deprecated.

Type: map[string]string

Represents the latest information collected by the enforcer.

controller [autogenerated,read_only]

Type: string

The Microsegmentation Console identifier managing this object. This property is mostly useful when federating multiple Microsegmentation Consoles.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

currentVersion

Type: string

The version number of the installed enforcer binary.

description [max_length=1024]

Type: string

Description of the object.

enforcementStatus

Type: enum(Inactive | Active | Failed)

Status of the enforcement for host services.

Default value:

"Inactive"
lastCollectionID

Type: string

Identifies the last collection.

lastCollectionTime

Type: time

Identifies when the information was collected.

lastSyncTime

Type: time

The time and date of the last heartbeat.

localCA [autogenerated]

Type: string

Contains the initial chain of trust for the enforcer. This value is only given when you retrieve a single enforcer.

logLevel

Type: enum(Info | Debug | Warn | Error | Trace)

Log level of the enforcer.

Default value:

"Info"
logLevelDuration

Type: string

Determines the duration for which the log level will be active, using Golang duration syntax.

Default value:

"10s"
machineID

Type: string

A unique identifier for every machine as detected by the enforcer. It is based on hardware information such as the SMBIOS UUID, MAC addresses of interfaces, or cloud provider IDs.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

operationalStatus

Type: enum(Registered | Connected | Disconnected | Initialized)

The status of the enforcer.

Default value:

"Registered"
protected

Type: boolean

Defines if the object is protected.

publicToken [autogenerated,read_only]

Type: string

The public token of the server that will be included in the datapath and is signed by the private certificate authority.

startTime

Type: time

The time and date on which this enforcer was started. The enforcer reports this and the value is preserved across disconnects.

subnets

Type: []string

Local subnets of this enforcer.

unreachable [autogenerated,read_only]

Type: boolean

The Microsegmentation Console sets this value to true if it hasn’t heard from the enforcer in the last five minutes.

updateAvailable

Type: boolean

If true, the enforcer version is outdated and should be updated.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.
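
The Console sets unreachable itself after five silent minutes, but an operator pulling GET /enforcers usually wants one answer per enforcer that also folds in operationalStatus, enforcementStatus and updateAvailable, and may want a stricter silence window than the Console's. The Python triage below is an added example written for this edit, not part of the product or its client. It recomputes silence from lastSyncTime against a caller-supplied clock and buckets each enforcer by the next action to take; the inventory is constructed and carries only the fields the function reads, with whole-second timestamps because datetime.fromisoformat on older Python versions does not accept nine fractional digits.

```python
from datetime import datetime, timedelta, timezone

SILENT_AFTER = timedelta(minutes=5)  # the Console flags an enforcer unreachable after five silent minutes


def parse_time(s):
    """Parse an RFC 3339 timestamp with a trailing Z (whole seconds, for older Pythons)."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def triage_enforcers(enforcers, now):
    """Sort an enforcer inventory into buckets by the next action an operator should take.

    Order matters: an enforcer that has gone quiet lands in not_connected even if its
    last reported enforcementStatus was Failed, because none of its other fields are current.
    """
    buckets = {"not_connected": [], "enforcement_failed": [], "outdated": [], "healthy": []}
    for e in enforcers:
        last = e.get("lastSyncTime")
        quiet = last is None or now - parse_time(last) > SILENT_AFTER
        if e.get("unreachable") or e.get("operationalStatus") != "Connected" or quiet:
            buckets["not_connected"].append(e["name"])
        elif e.get("enforcementStatus") == "Failed":
            buckets["enforcement_failed"].append(e["name"])
        elif e.get("updateAvailable"):
            buckets["outdated"].append(e["name"])
        else:
            buckets["healthy"].append(e["name"])
    return buckets


# Constructed inventory, as GET /enforcers might return it; only the fields used above are filled in.
NOW = datetime(2018, 6, 14, 23, 10, 46, tzinfo=timezone.utc)
SAMPLE_ENFORCERS = [
    {"name": "web-1", "operationalStatus": "Connected", "enforcementStatus": "Active",
     "lastSyncTime": "2018-06-14T23:10:00Z", "updateAvailable": False, "unreachable": False},
    {"name": "web-2", "operationalStatus": "Connected", "enforcementStatus": "Active",
     "lastSyncTime": "2018-06-14T23:00:00Z", "updateAvailable": False, "unreachable": True},
    {"name": "db-1", "operationalStatus": "Connected", "enforcementStatus": "Failed",
     "lastSyncTime": "2018-06-14T23:09:00Z", "updateAvailable": False, "unreachable": False},
    {"name": "db-2", "operationalStatus": "Connected", "enforcementStatus": "Active",
     "lastSyncTime": "2018-06-14T23:08:30Z", "updateAvailable": True, "unreachable": False},
    {"name": "new-1", "operationalStatus": "Registered", "enforcementStatus": "Inactive"},
]

if __name__ == "__main__":
    for bucket, names in triage_enforcers(SAMPLE_ENFORCERS, NOW).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Passing the clock in rather than reading it inside the function keeps the triage reproducible against a saved inventory, which matters when you are reconstructing what the fleet looked like at the time of an incident.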

EnforcerLog

An enforcer log represents the log collected by an enforcer. Each enforcer log can have partial or complete data. The collectionID is used to aggregate the multipart data into one.

Example

{
  "collectionID": "xxx-xxx-xxx-xxx",
  "enforcerID": "xxx-xxx-xxx-xxx",
  "protected": false
}

Relations

GET /enforcerlog

Retrieves the list of enforcerlogs.

Parameters:

  • q (string): Filtering query. Consecutive q parameters are combined with a logical OR.

POST /enforcerlog

Creates a new enforcerlog.

GET /enforcerlog/:id

Retrieves the enforcerlog with the given ID.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

collectionID [required]

Type: string

Contains the ID of the enforcer log. CollectionID is used to aggregate the multipart data.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

data

Type: string

Represents the data collected by the enforcer.

enforcerID [required]

Type: string

ID of the enforcer.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

page

Type: integer

Sequence number assigned to each part of the log, in increasing order.

protected

Type: boolean

Defines if the object is protected.

title

Type: string

Title of the log.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

EnforcerReport

Post a new enforcer statistics report.

Example

{
  "CPULoad": 10,
  "enforcerID": "xxx-xxx-xxx-xxx",
  "memory": 10000,
  "name": "aporeto-enforcerd-xxx",
  "namespace": "/my/ns",
  "processes": 10,
  "timestamp": "2018-06-14T23:10:46.420397985Z"
}

Relations

POST /enforcerreports

Create an enforcer statistics report.

Attributes

CPULoad

Type: float

Total CPU utilization of the enforcer as a percentage of vCPUs.

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

enforcerID

Type: string

ID of the enforcer.

memory

Type: integer

Total resident memory used by the enforcer in bytes.

name [required]

Type: string

Name of the enforcer.

namespace [required]

Type: string

Namespace of the enforcer.

processes

Type: integer

Number of active processes of the enforcer.

timestamp [required]

Type: time

Date of the report.

EnforcerTraceReport

Post a new enforcer trace that determines how packets are.

Example

{
  "enforcerID": "5c6cce207ddf1fc159a104bf",
  "enforcerNamespace": "/acme/prod",
  "namespace": "/acme/prod/database",
  "puID": "5c6ccd947ddf1fc159a104b7"
}

Relations

POST /enforcertracereports

Create an enforcer trace report.

Attributes

enforcerID [required]

Type: string

ID of the enforcer where the trace was collected.

enforcerNamespace [required]

Type: string

Namespace of the enforcer where the trace was collected.

namespace [required]

Type: string

Namespace of the processing unit where the trace was collected.

puID [required]

Type: string

ID of the processing unit where the trace was collected.

PacketReport

Post a new packet tracing report.

Example

{
  "destinationPort": 11000,
  "encrypt": false,
  "enforcerID": "xxxx-xxx-xxxx",
  "enforcerNamespace": "/my/namespace",
  "event": "Rcv",
  "mark": 123123,
  "namespace": "/my/namespace",
  "packetID": 12333,
  "protocol": 6,
  "puID": "xxx-xxx-xxx",
  "rawPacket": "abcd",
  "sourcePort": 80,
  "timestamp": "2018-06-14T23:10:46.420397985Z",
  "triremePacket": true
}

Relations

POST /packetreports

Create a packet trace report.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

TCPFlags

Type: integer

Flags are the TCP flags of the packet.

claims

Type: []string

Claims is the list of claims detected for the packet.

destinationIP

Type: string

The destination IP address of the packet.

destinationPort [max_value=65536.000000]

Type: integer

The destination port of a TCP or UDP packet.

dropReason

Type: string

If event is set to Dropped, contains the reason that the packet was dropped. Otherwise empty.

encrypt

Type: boolean

Set to true if the packet was encrypted.

enforcerID [required]

Type: string

Identifier of the enforcer sending the report.

enforcerNamespace [required]

Type: string

Namespace of the enforcer sending the report.

event [required]

Type: enum(Received | Transmitted | Dropped)

The event that triggered the report.

mark

Type: integer

Mark is the mark value of the packet.

namespace [required]

Type: string

Namespace of the processing unit reporting the packet.

packetID

Type: integer

The ID of the IP header of the reported packet.

protocol [max_value=255.000000]

Type: integer

Protocol number.

puID

Type: string

The ID of the processing unit reporting the packet.

rawPacket

Type: string

The first 64 bytes of the packet.

Default value:

"abcd"
sourceIP

Type: string

The source IP address of the packet.

sourcePort [max_value=65536.000000]

Type: integer

The source port of the packet.

timestamp [required]

Type: time

The time-date stamp of the report.

triremePacket

Type: boolean

Set to true if the packet arrived with the Trireme options (default).

Default value:

true

PingPair

Represents a pair of ping probes.

Attributes

request

Type: pingprobe

Contains the request probe information.

response

Type: pingprobe

Contains the response probe information.

PingProbe

Represents the result of a unique ping probe. They are aggregated into a PingResult.

Example

{
  "applicationListening": false,
  "claimsType": [
    "Transmitted"
  ],
  "enforcerID": "xxx-xxx-xxx-xxx",
  "enforcerNamespace": "/my/ns",
  "excludedNetworks": false,
  "isServer": false,
  "payloadSizeType": [
    "Transmitted"
  ],
  "pingID": "xxx-xxx-xxx-xxx",
  "remoteEndpointType": [
    "External"
  ],
  "remoteNamespaceType": [
    "Plain"
  ],
  "targetTCPNetworks": false,
  "type": [
    "Request"
  ]
}

Relations

GET /pingprobes/:id

Retrieves a ping result.

POST /processingunits/:id/pingprobes

Create a ping probe.

Attributes

ACLPolicyAction

Type: string

Action of the ACL policy.

ACLPolicyID

Type: string

ID of the ACL policy.

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

RTT

Type: string

Time taken for a single request-response to complete.

applicationListening

Type: boolean

If true, application responded to the request.

claims

Type: []string

Claims of the processing unit.

claimsType [required]

Type: enum(Transmitted | Received)

Type of claims reported.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

enforcerID [required]

Type: string

ID of the enforcer.

enforcerNamespace [required]

Type: string

Namespace of the enforcer.

enforcerVersion

Type: string

Semantic version of the enforcer.

error

Type: string

A non-empty error indicates a failure.

excludedNetworks

Type: boolean

If true, destination IP is in excludedNetworks.

fourTuple

Type: string

Four tuple in the format sip:dip:spt:dpt.

isServer

Type: boolean

If true, the report was generated by the server.

iterationIndex

Type: integer

Holds the iteration number this probe is attached to.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

payloadSize

Type: integer

Size of the payload attached to the packet.

payloadSizeType [required]

Type: enum(Transmitted | Received)

Type of the payload size.

peerCertExpiry

Type: string

Represents the expiry of the peer certificate.

peerCertIssuer

Type: string

Represents the issuer of the peer certificate.

peerCertSubject

Type: string

Represents the subject of the peer certificate.

pingID [required]

Type: string

PingID unique to a single ping control.

policyAction

Type: string

Action of the policy.

policyID

Type: string

ID of the policy.

policyNamespace

Type: string

Namespace of the policy.

processingUnitID

Type: string

ID of the reporting processing unit.

protocol

Type: integer

Protocol used for the communication.

remoteController

Type: string

Controller of the remote endpoint.

remoteEndpointType [required]

Type: enum(ProcessingUnit | External)

Represents the remote endpoint type.

remoteNamespace

Type: string

Namespace of the remote processing unit.

remoteNamespaceType [required]

Type: enum(Plain | Hash)

Type of the namespace reported.

remoteProcessingUnitID

Type: string

ID of the remote processing unit.

seqNum

Type: integer

Sequence number of the TCP packet.

serviceID

Type: string

ID of the service, if the service type is a proxy.

serviceType [autogenerated,read_only]

Type: string

Type of the service.

targetTCPNetworks

Type: boolean

If true, destination IP is in targetTCPNetworks.

type [required]

Type: enum(Request | Response)

Type of the report.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

PingRequest

Initiates a ping request for enforcer debugging.

Example

{
  "iterations": 1,
  "refreshID": "xxxx-xxxx-xxxx"
}

Relations

POST /pingrequests

Initiates a new ping request.

Attributes

iterations [min_value=1.000000,max_value=20.000000]

Type: integer

Number of probes that will be triggered.

Default value:

1

pingID [autogenerated,read_only]

Type: string

Unique ID generated for each ping request.

refreshID [required]

Type: string

Contains the refresh ID set by processing unit refresh event.

PingResult

Represents the results of a ping request.

Relations

GET /pingresults

Retrieves a ping result.

Parameters:

  • q (string): Filtering query. Consecutive q parameters are combined with a logical OR.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

errors [autogenerated,read_only]

Type: []string

May contain a list of errors that have happened during the collection.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

pingID [autogenerated,read_only]

Type: string

Contains the Ping ID.

pingPairs

Type: []pingpair

Contains the result of aggregated ping pairs.

refreshID [autogenerated,read_only]

Type: string

Contains the refresh ID set by processing unit refresh event.

remoteProbes

Type: []remotepingprobe

Contains information about probes missing from the result. This field is populated when the ping probe is managed by a remote controller (federation) or is stored in a namespace you don’t have any permissions on.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

RemotePingProbe

Represents information about a remote ping probe that is governed by a different set of permissions.

Attributes

controllerID [autogenerated,read_only]

Type: string

The controller ID that manages the ping report.

namespace [autogenerated,read_only]

Type: string

The namespace where the ping report is stored. Only applicable when the remote controller is empty.

namespaceType [autogenerated,read_only]

Type: enum(Plain | Hash)

Type of the namespace reported. It can be hash or plain, depending on various factors.

probeID [autogenerated,read_only]

Type: string

The ID of the probe. Only applicable when the remote controller is empty.
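
PingProbe, PingPair and PingResult describe the pieces but not how to read them together. The Python helper below is an added example written for this edit, not part of the product. It pairs Request and Response probes by (pingID, iterationIndex), an assumed pairing key the page does not state, and turns each pair into a verdict: bypassed (destination in excludedNetworks), no response, policy reject, allowed but the application is not listening, or ok with the RTT. The action string "Reject" for policyAction and ACLPolicyAction is also an assumption, since the page documents both fields only as strings, and the probe objects are constructed.

```python
from collections import defaultdict


def pair_probes(probes):
    """Group PingProbe objects into request/response pairs keyed by (pingID, iterationIndex).

    Assumption (not stated on the page): one Request and at most one Response probe
    share a pingID and an iterationIndex, which is how PingResult.pingPairs is read here.
    """
    pairs = defaultdict(lambda: {"request": None, "response": None})
    for p in probes:
        pairs[(p["pingID"], p.get("iterationIndex", 0))][p["type"].lower()] = p
    return dict(pairs)


def diagnose(pair):
    """Return (verdict, evidence) for one pair, checked in the order the packet would be handled."""
    req, resp = pair["request"], pair["response"]
    if req is None:
        return "orphan-response", "a response was recorded without its request"
    if req.get("error"):
        return "error", req["error"]
    if req.get("excludedNetworks"):
        return "bypassed", "destination is in excludedNetworks, so the enforcer never touched the flow"
    if resp is None:
        return "no-response", "request left, nothing came back (dropped in transit or peer not enforced)"
    # "Reject" is an assumed action string; the page documents policyAction only as a string.
    if resp.get("policyAction") == "Reject" or resp.get("ACLPolicyAction") == "Reject":
        return "policy-reject", resp.get("policyID") or resp.get("ACLPolicyID")
    if not resp.get("applicationListening"):
        return "allowed-but-app-down", "policy allowed the flow but no application answered"
    return "ok", resp.get("RTT")


def report(probes):
    """Map every (pingID, iterationIndex) to its verdict, sorted for stable output."""
    return {key: diagnose(pair) for key, pair in sorted(pair_probes(probes).items())}


def probe(ping_id, iteration, kind, **extra):
    """Build a constructed PingProbe with the required fields filled by placeholders."""
    base = {"pingID": ping_id, "iterationIndex": iteration, "type": kind,
            "enforcerID": "enf-a", "enforcerNamespace": "/acme/prod",
            "claimsType": "Transmitted", "payloadSizeType": "Transmitted",
            "remoteEndpointType": "ProcessingUnit", "remoteNamespaceType": "Plain"}
    base.update(extra)
    return base


# Constructed probes covering the outcomes an operator usually needs to tell apart.
SAMPLE_PROBES = [
    probe("ping-1", 0, "Request", fourTuple="10.0.0.5:10.0.0.9:43210:443"),
    probe("ping-1", 0, "Response", isServer=True, applicationListening=True, policyAction="Allow", RTT="1.2ms"),
    probe("ping-1", 1, "Request"),
    probe("ping-1", 1, "Response", isServer=True, policyAction="Reject", policyID="pol-42"),
    probe("ping-1", 2, "Request"),
    probe("ping-2", 0, "Request"),
    probe("ping-2", 0, "Response", isServer=True, applicationListening=False, policyAction="Allow"),
    probe("ping-3", 0, "Request", excludedNetworks=True),
]

if __name__ == "__main__":
    for (ping_id, i), (verdict, evidence) in report(SAMPLE_PROBES).items():
        print(f"{ping_id} #{i}: {verdict} ({evidence})")
```

The order of the checks is the useful part: a request that never entered the enforcer (excludedNetworks) is reported before a missing response is blamed on the network, and a policy reject is reported before applicationListening is consulted, since a rejected flow never reaches the application at all. When PingResult.remoteProbes is non-empty the matching probes live under another controller or namespace and will show up here as no-response until they are fetched with the right credentials.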

TraceMode

Represents the tracing mode to apply to a processing unit.

Example

{
  "IPTables": false,
  "applicationConnections": false,
  "interval": "10s",
  "networkConnections": false
}

Attributes

IPTables

Type: boolean

Instructs the enforcers to provide an iptables trace for a processing unit.

applicationConnections

Type: boolean

Instructs the enforcer to send records for all application-initiated connections.

interval

Type: string

Determines the length of the time interval that the trace must be enabled, using Golang duration syntax.

Default value:

"10s"

networkConnections

Type: boolean

Instructs the enforcer to send records for all network-initiated connections.

TraceRecord

Represents a single trace record from the enforcer.

Example

{
  "TTL": 64,
  "chain": "PREROUTING",
  "destinationIP": "10.1.1.30",
  "destinationInterface": "en0",
  "destinationPort": 80,
  "length": 98,
  "packetID": 10,
  "protocol": 80,
  "ruleID": 10,
  "sourceIP": "10.1.1.30",
  "sourceInterface": "en0",
  "sourcePort": 80,
  "tableName": "raw",
  "timestamp": "2018-06-14T23:10:46.420397985Z"
}

Attributes

TTL [required,max_value=255.000000]

Type: integer

The time to live (TTL) value of the packet.

chain [required]

Type: string

Chain that the trace was collected from.

destinationIP [required]

Type: string

The destination IP.

destinationInterface

Type: string

The destination interface of the packet.

destinationPort [required,min_value=1.000000,max_value=65536.000000]

Type: integer

The destination UDP or TCP port of the packet.

length [required,max_value=65536.000000]

Type: integer

Length of the observed packet.

packetID [required]

Type: integer

The IP packet header ID.

protocol [required,max_value=65536.000000]

Type: integer

The protocol of the packet.

ruleID [required]

Type: integer

Priority index of the iptables entry that was hit.

sourceIP [required]

Type: string

Source IP of the packet.

sourceInterface

Type: string

Source interface of the packet.

sourcePort [required,min_value=1.000000,max_value=65536.000000]

Type: integer

Source TCP or UDP port of the packet.

tableName [required]

Type: string

The iptables table that the trace was collected from.

timestamp [required]

Type: time

The time-date stamp of the report.

core/monitoring

Activity

Contains logs of all the activity that happened in a namespace. All successful or failed actions will be available, along with any errors and the claims of the user who triggered the actions. This log is capped and only keeps the last 50,000 entries by default.

Relations

GET /activities

Retrieves the list of activity logs.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with an OR.

GET /activities/:id

Retrieves the object with the given ID.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

claims [autogenerated,read_only]

Type: object

Claims of the user who performed the operation.

data [autogenerated,read_only]

This attribute is deprecated.

Type: object

This is deprecated in favor of diff.

date [autogenerated,read_only]

Type: time

Time-date stamp of the notification.

diff [autogenerated,read_only]

Type: string

Contains the diff of the change.

error [autogenerated,read_only]

Type: object

Contains the error.

message

Type: string

Message of the notification.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

operation [autogenerated,read_only]

Type: string

Describes what kind of operation the notification represents.

originalData [autogenerated,read_only]

This attribute is deprecated.

Type: object

This is deprecated in favor of diff.

source [autogenerated,read_only]

Type: string

Contains meta information about the source.

targetIdentity [autogenerated,read_only]

Type: string

The identity of the related object.

Alarm

Represents an event requiring attention.

Example

{
  "content": "This is an alarm",
  "emails": [
    "amir@aporeto.com",
    "john@aporeto.com"
  ],
  "kind": "aporeto.alarm.kind",
  "name": "the name",
  "protected": false,
  "status": "Open"
}

Relations

GET /alarms

Retrieves all the alarms.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with an OR.

POST /alarms

Creates a new alarm.

DELETE /alarms/:id

Deletes the object with the given ID.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with an OR.

GET /alarms/:id

Retrieves the object with the given ID.

PUT /alarms/:id

Updates the object with the given ID.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

content [required,creation_only]

Type: string

Content of the alarm.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

data

Type: []map[string]string

User data related to the alarm.

description [max_length=1024]

Type: string

Description of the object.

emails

Type: []string

A list of recipients that should be emailed when this alarm is created.

kind [required,creation_only]

Type: string

Identifies the kind of alarm. If two alarms are created with the same kind, only the occurrences of the existing alarm will be incremented.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

occurrences [autogenerated,creation_only]

Type: []time.Time

Timestamps of each time this alarm has been seen.

protected

Type: boolean

Defines if the object is protected.

status

Type: enum(Acknowledged | Open | Resolved)

Status of the alarm.

Default value:

"Open"

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

EventLog

Allows you to report various events on any object.

Example

{
  "category": "enforcerd:policy",
  "content": "Unable to activate docker container xyz because abc.",
  "level": "Info",
  "targetID": "xxx-xxx-xxx-xxx",
  "targetIdentity": "processingunit",
  "title": "Error while activating processing unit."
}

Relations

POST /eventlogs

Creates a new event log for a particular entity.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

category [required,creation_only]

Type: string

Category of the event log.

content [required,creation_only]

Type: string

Content of the event log.

date [autogenerated,creation_only]

This attribute is deprecated.

Type: time

Creation date of the event log.

level [creation_only]

Type: enum(Debug | Info | Warning | Error | Critical)

Sets the log level.

Default value:

"Info"

namespace [autogenerated,read_only,creation_only]

Type: string

Namespace tag attached to the event log.

opaque [creation_only]

Type: string

Opaque data that can be attached to the event log, for further machine processing.

targetID [required,creation_only]

Type: string

ID of the object this event log is attached to. The object must be in the same namespace as the event log.

targetIdentity [required,creation_only]

Type: string

Identity of the object this event log is attached to.

timestamp

Type: time

Creation date of the event log.

title [required,creation_only]

Type: string

Title of the event log.

HealthCheck

This API allows you to retrieve a generic health state of the platform. A return code different from 200 OK means the platform is not operational. The health check contains the list of observed subsystems.

Relations

GET /healthchecks

Retrieve the health of the platform.

Parameters:

  • quiet (boolean): If set to true, the health check endpoint will not return data but will return 200 OK if everything is fine or 218 if the controller is not operational. This is useful when you want to use the health check endpoint as a load balancer health check.

Attributes

alerts [autogenerated,read_only]

Type: []string

A human-readable alert list describing the current state of the subsystem, if available.

name [autogenerated,read_only]

Type: string

The name of the observed subsystem, if applicable.

responseTime [autogenerated,read_only]

Type: string

The response time of the observed subsystem, if applicable.

status [autogenerated,read_only]

Type: enum(Degraded | Offline | Operational)

The current health of the observed subsystem.

type [autogenerated,read_only]

Type: enum(Cache | Database | General | MessagingSystem | Service | TSDB)

The type of the observed subsystem.

Message

Allows you to post public messages that will be visible in all child namespaces.

Example

{
  "level": "Info",
  "name": "the name",
  "propagate": false,
  "protected": false,
  "validity": "12h"
}

Relations

GET /messages

Retrieves the list of messages.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with an OR.
  • propagated (boolean): Also retrieve the objects that propagate down.

POST /messages

Creates a new message.

DELETE /messages/:id

Deletes the message with the given ID.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with an OR.

GET /messages/:id

Retrieves the message with the given ID.

Parameters:

  • propagated (boolean): Also retrieve the objects that propagate down.

PUT /messages/:id

Updates the message with the given ID.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

description [max_length=1024]

Type: string

Description of the object.

expirationTime [read_only]

Type: time

The time after which the message will be deleted.

level

Type: enum(Danger | Info | Warning)

Importance of the message.

Default value:

"Info"

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

propagate

Type: boolean

Propagates the policy to all of its children.

protected

Type: boolean

Defines if the object is protected.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

validity [required]

Type: string

Sets when the message will be automatically deleted using Golang duration syntax.

core/namespace

LocalCA

Can be used to retrieve or renew the local and SSH certificate authorities of the namespace.

Example

{
  "SSHCertificateRenew": false,
  "certificateRenew": false
}

Relations

GET /localcas

Returns the local and SSH certificate authorities of the namespace.

POST /localcas

Renews the local and/or SSH certificate authorities of the namespace.

Attributes

SSHCertificate [autogenerated,read_only]

Type: string

The SSH certificate authority used by the namespace.

SSHCertificateRenew

Type: boolean

Set to true to renew the SSH certificate authority of the namespace.

certificate [autogenerated,read_only]

Type: string

The certificate authority used by the namespace.

certificateRenew

Type: boolean

Set to true to renew the certificate authority of the namespace.

Namespace

A namespace represents the core organizational unit of the system. All objects always exist in a single namespace. A namespace can also have child namespaces. They can be used to split the system into organizations, business units, applications, services or any combination you like.

Example

{
  "JWTCertificateType": "None",
  "SSHCAEnabled": false,
  "customZoning": false,
  "localCAEnabled": false,
  "name": "mynamespace",
  "protected": false,
  "serviceCertificateValidity": "168h"
}

Relations

GET /namespaces

Retrieves the list of namespaces.

Parameters:

  • authorized (boolean): Returns all namespaces the token bearer has the right to read. If set, other parameters like recursive or q will have no effect.
  • q (string): Filtering query. Multiple q parameters are combined with an OR.

POST /namespaces

Creates a new namespace.

DELETE /namespaces/:id

Deletes the namespace with the given ID.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with an OR.

GET /namespaces/:id

Retrieves the namespace with the given ID.

PUT /namespaces/:id

Updates the namespace with the given ID.

GET /namespaces/:id/oauthinfo

Retrieves the OAUTH info for this namespace.

Parameters:

  • mode (enum(oidc)): When set to oidc, the data is returned as a raw OIDC JSON object rather than in the Microsegmentation Console API format.

GET /namespaces/:id/oauthkeys

Retrieves the OAUTH info for this namespace.

Parameters:

  • mode (enum(oidc)): When set to oidc, the data is returned as a raw OIDC JSON object rather than in the Microsegmentation Console API format.

GET /namespaces/:id/trustedcas

Returns the list of trusted CAs for this namespace.

Parameters:

  • type (enum(Any | X509 | SSH | JWT)): Type of certificate to get.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

JWTCertificateType

Type: enum(RSA | EC | None)

JWTCertificateType defines the JWT signing certificate that must be created for this namespace. If the type is None, no certificate will be created.

Default value:

"None"

JWTCertificates [autogenerated,read_only]

Type: map[string]string

JWTCertificates holds the certificates used to sign tokens for this namespace. This is a map indexed by the ID of the certificate.

SSHCAEnabled

This attribute is deprecated.

Type: boolean

If true, an SSH certificate authority (CA) will be generated for the namespace. This CA can be deployed on SSH servers to validate SSH certificates issued by the controller.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedSSHCAID [read_only]

Type: string

The remote ID of the SSH certificate authority to use.

associatedTags

Type: []string

List of tags attached to an entity.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

customZoning [creation_only]

Type: boolean

Defines whether the namespace uses its own zone rather than inheriting its parent's. If this property is set to false, the zoning property will be ignored and the namespace will have the same zone as its parent.

description [max_length=1024]

Type: string

Description of the object.

localCAEnabled

Type: boolean

Defines if the namespace should use a local certificate authority (CA). Switching it off and on again will regenerate a new CA.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,creation_only,format=^[a-zA-Z0-9-_/]+$]

Type: string

The name of the namespace.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

networkAccessPolicyTags

This attribute is deprecated.

Type: []string

List of tags that will be added to every or clause of all network access policies in the namespace and its children.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

organizationalMetadata

Type: []string

List of tags that describe this namespace. All organizational tags are automatically passed to policeable objects (e.g., processing units, external networks, enforcers) during their creation.

protected

Type: boolean

Defines if the object is protected.

serviceCertificateValidity

This attribute is deprecated.

Type: string

This flag is deprecated and has no effect.

Default value:

"168h"

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

zoning [creation_only]

Type: integer

Defines what zone the namespace should live in.

NamespaceMappingPolicy

A namespace mapping defines the namespace a processing unit should be placed in when it is created, based on its tags. When an enforcer creates a new processing unit, the system places it in its own namespace if no matching namespace mapping can be found. If one match is found, the processing unit is bumped down to the namespace declared in the namespace mapping. If another matching namespace mapping exists in that child namespace, the processing unit is bumped down again, until it reaches a namespace with no matching namespace mappings. This is very useful to dispatch processes and containers into a particular namespace based on many factors. For example, you can put in place a quarantine namespace mapping that will grab all processing units with excessive vulnerabilities.

Example

{
  "disabled": false,
  "mappedNamespace": "/blue/namespace",
  "name": "the name",
  "protected": false,
  "subject": [
    [
      "color=blue"
    ]
  ]
}

Relations

GET /namespacemappingpolicies

Retrieves the list of namespace mappings.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with an OR.

POST /namespacemappingpolicies

Creates a new namespace mapping.

DELETE /namespacemappingpolicies/:id

Deletes the mapping with the given ID.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with an OR.

GET /namespacemappingpolicies/:id

Retrieves the mapping with the given ID.

PUT /namespacemappingpolicies/:id

Updates the mapping with the given ID.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

description [max_length=1024]

Type: string

Description of the object.

disabled

Type: boolean

Defines if the mapping is disabled.

mappedNamespace [required,format=^[a-zA-Z0-9-_/]+$]

Type: string

The namespace to map the subject to.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

protected

Type: boolean

Defines if the object is protected.

subject

Type: [][]string

A tag or tag expression identifying the entity to be mapped.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.
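The placement walk described for namespace mappings, together with the matching of a subject clause against a processing unit's tags, as an added example in Python; this is not code from the Microsegmentation Console or its documentation. It assumes that the inner lists of a subject are ANDed and the outer list is ORed (the "or clause" wording used elsewhere on this page), and that a mapping always targets a descendant of the namespace it lives in; all mappings and tags are constructed sample data.

```python
"""Hypothetical resolver for NamespaceMappingPolicy placement (added example).

Assumed semantics: a subject is a [][]string whose inner lists are ANDed
and whose outer list is ORed, and a mapping only bumps a processing unit
*down* into a descendant of the namespace the mapping object lives in.
"""
from dataclasses import dataclass

# Outer list = OR, inner list = AND of "key=value" tags (assumed semantics).
Clause = list[list[str]]


def clause_matches(subject: Clause, tags: set[str]) -> bool:
    """Return True if at least one AND-group of the clause is fully satisfied."""
    return any(all(tag in tags for tag in group) for group in subject)


@dataclass
class Mapping:
    """The fields of a NamespaceMappingPolicy that this resolver needs."""
    name: str
    namespace: str          # namespace the mapping object lives in
    mapped_namespace: str   # absolute target namespace, e.g. "/blue/namespace"
    subject: Clause
    disabled: bool = False


def _is_descendant(child: str, parent: str) -> bool:
    """True if `child` lies strictly below `parent` in the namespace tree."""
    return child.startswith(parent.rstrip("/") + "/")


def resolve_namespace(
    start: str, tags: set[str], mappings: list[Mapping]
) -> tuple[str, list[str]]:
    """Walk a processing unit down from `start` until no mapping matches.

    Returns (final namespace, names of the mappings followed). The page only
    specifies the single-match case, so an ambiguous match and a mapping
    that does not point strictly downward are treated as configuration
    errors and raise ValueError.
    """
    current, path = start, []
    while True:
        hits = [
            m for m in mappings
            if m.namespace == current
            and not m.disabled
            and clause_matches(m.subject, tags)
        ]
        if not hits:
            return current, path
        if len(hits) > 1:
            names = ", ".join(m.name for m in hits)
            raise ValueError(f"ambiguous mappings in {current}: {names}")
        target = hits[0].mapped_namespace
        if not _is_descendant(target, current):
            # Strictly downward moves make the walk finite (no loops).
            raise ValueError(f"{hits[0].name} maps outside {current}: {target}")
        path.append(hits[0].name)
        current = target


# Constructed sample mappings (not from the page): a quarantine bucket and a
# two-level "blue" hierarchy under the /acme namespace.
SAMPLE_MAPPINGS = [
    Mapping("quarantine", "/acme", "/acme/quarantine",
            [["vulnerability=critical"]]),
    Mapping("blue-app", "/acme", "/acme/blue", [["color=blue"]]),
    Mapping("blue-web", "/acme/blue", "/acme/blue/web",
            [["color=blue", "role=web"], ["role=edge"]]),
]


if __name__ == "__main__":
    for tags in ({"color=blue", "role=web"}, {"color=blue"}, {"color=red"}):
        ns, path = resolve_namespace("/acme", tags, SAMPLE_MAPPINGS)
        print(sorted(tags), "->", ns, "via", path)
```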

NamespaceRenderer

This object allows you to determine which namespace an object should reside in based on the tags provided.

Example

{
  "tags": [
    "a=a",
    "b=b"
  ]
}

Relations

POST /namespacerenderers

Renders the namespace where an object should reside.

Attributes

namespace [autogenerated,read_only]

Type: string

The namespace the object should reside in.

tags [required]

Type: []string

List of tags of the object to render the namespace for.

OrganizationalMetadata

Can be used to retrieve the organizational metadata of the namespace.

Relations

GET /organizationalmetadata

Retrieves the list of organizational metadata for the namespace and its namespace hierarchy.

Attributes

metadata

Type: []string

List of organizational metadata for the namespace.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

core/policy

ClauseMatch

This API allows you to pass a set of tags and find the objects that would match the clause during policy resolution.

Example

{
  "clauses": [
    [
      "color=blue",
      "size=big"
    ],
    [
      "color=red"
    ]
  ],
  "targetIdentity": "processingunit"
}

Relations

POST /clausesmatches

Performs a clause matching.

Attributes

clauses [required]

Type: [][]string

The tag clause to resolve.

match [autogenerated,read_only]

Type: []map[string]interface{}

Contains the matched objects.

targetIdentity [required]

Type: string

The identity to render the clauses from.

EnforcerRefresh

Sent to enforcers when a poke has been triggered using the parameter ?notify=true. This is used to notify an enforcer of an external change on the processing unit that must be processed.

Example

{
  "debug": "Counters"
}

Relations

POST /enforcers/:id/enforcerrefreshes

Sends an enforcer refresh command.

Attributes

ID [identifier,read_only]

Type: string

Contains the ID of the target enforcer.

debug

Type: enum(Counters | Logs | Packets | PUState | Pcap | CoreDump)

Set the debug information collected by the enforcer.

Default value:

"Counters"

debugID

Type: string

Can be used to correlate with a DebugBundle.

debugPcapFilter

Type: string

Packet capture filter, syntax varying by platform.

debugProcessingUnitID

Type: string

Isolates debug information to a given processing unit, where possible.

namespace [autogenerated,read_only]

Type: string

Contains the original namespace of the enforcer.

Policy

Represents the policy primitive used by all Microsegmentation policies.

Example

{
  "disabled": false,
  "fallback": false,
  "name": "the name",
  "propagate": false,
  "propagationHidden": false,
  "protected": false,
  "type": "APIAuthorization"
}

Relations

GET /policies

Retrieves the list of policy primitives.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with an OR.
  • propagated (boolean): Also retrieve the objects that propagate down.

DELETE /policies/:id

Deletes the object with the given ID.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with an OR.

GET /policies/:id

Retrieves the object with the given ID.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

action

Type: map[string]map[string]interface{}

Defines a set of actions that must be enforced when a dependency is met.

activeDuration [format=^[0-9]+[smh]$]

Type: string

Defines for how long the policy will be active according to the activeSchedule.

activeSchedule

Type: string

Defines when the policy should be active using the cron notation. The policy will be active for the given activeDuration.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

description [max_length=1024]

Type: string

Description of the object.

disabled

Type: boolean

Defines if the policy is disabled.

expirationTime

Type: time

If set the policy will be automatically deleted at the given time.

fallback

Type: boolean

Indicates that this is a fallback policy. It will only be applied if no other policies have been resolved. If the policy is also propagated, it will become a fallback for child namespaces.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

object

Type: [][]string

Represents the set of entities that another entity depends on. Like subjects, objects are identified as logical operations on tags when a policy is defined.

propagate

Type: boolean

Propagates the policy to all of its children.

propagationHidden

Type: boolean

If set to true while the policy is propagating, it won't be visible to child namespaces, but it will still be used for policy resolution.

protected

Type: boolean

Defines if the object is protected.

relation

Type: []string

Describes the required operation to be performed between subjects and objects.

subject

Type: [][]string

Represents the sets of entities that will have a dependency on other entities. Subjects are defined as logical operations on tags. Logical operations can include AND and OR.

type [creation_only]

Type: enum(APIAuthorization | AuditProfileMapping | EnforcerProfile | File | Hook | HostServiceMapping | Infrastructure | NamespaceMapping | Network | ProcessingUnit | Quota | Service | ServiceDependency | Syscall | TokenScope | SSHAuthorization | UserAccess)

Type of the policy.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

PolicyRefresh

Sent to a client as a push event when a policy refresh is needed on their side.

Attributes

sourceID

Type: string

Contains the original ID of the updated object.

sourceNamespace

Type: string

Contains the original namespace of the updated object.

type

Type: string

Contains the policy type that is affected.

PolicyRule

Allows services to retrieve a policy resolution (internal).

Example

{
  "name": "the name",
  "propagated": false
}

Relations

GET /policyrules/:id

Retrieves the object with the given ID.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

action

Type: map[string]map[string]interface{}

Defines the set of actions that must be enforced when a dependency is met.

auditProfiles

Type: []auditprofile

Provides the audit profiles that must be applied.

enforcerProfiles

Type: []enforcerprofile

Provides information about the enforcer profile.

externalNetworks

Type: []externalnetwork

Provides the external network that the policy targets.

filePaths

Type: []filepath

Provides the file paths that the policy targets.

hostServices

Type: []hostservice

Provides the list of host services that must be instantiated.

isolationProfiles

Type: []isolationprofile

Provides the isolation profiles of the rule.

name [required,max_length=256]

Type: string

Name of the entity.

namespaces

Type: []namespace

The namespace that the policy targets.

policyNamespace

Type: string

The namespace of the policy that created this rule.

policyUpdateTime

Type: time

Last time the policy was updated.

propagated

Type: boolean

Indicates if the policy is propagated.

relation

Type: []string

Describes the required operation to be performed between subjects and objects.

services

Type: []service

Provides the services of this policy rule.

tagClauses

Type: [][]string

Policy target tags.

ProcessingUnitRefresh

Sent to the client when a poke has been triggered using the parameter ?notify=true. This is used to notify an enforcer of an external change on the processing unit that must be processed.

Example

{
  "debug": false,
  "pingEnabled": false,
  "pingIterations": 1,
  "pingMode": "Auto",
  "refreshPolicy": false,
  "traceApplicationConnections": false,
  "traceDuration": "10s",
  "traceIPTables": false,
  "traceNetworkConnections": false
}

Relations

POST /processingunits/:id/processingunitrefreshes

Sends a Processing Unit Refresh command.

Attributes

ID [identifier,read_only]

Type: string

Contains the ID of the target processing unit.

debug

Type: boolean

If set to true, start reporting debug information for the target processing unit.

namespace [autogenerated,read_only]

Type: string

Contains the original namespace of the processing unit.

pingAddress

Type: string

Destination address to run ping.

pingEnabled

Type: boolean

If set to true, start ping to the destination.

pingIterations [min_value=1.000000]

Type: integer

Number of iterations to run a ping probe.

Default value:

1

pingMode

Type: enum(Auto | L3 | L4 | L7)

Represents the mode of ping to be used.

Default value:

"Auto"

pingPort

Type: integer

Destination port to run ping.

refreshID [read_only]

Type: string

ID unique to each processing unit refresh event.

refreshPolicy

Type: boolean

If set to true, the target processing unit will refresh its policy immediately.

traceApplicationConnections

Type: boolean

Instructs the enforcer to send records for all application-initiated connections for the target processing unit.

traceDuration

Type: string

Determines the length of the time interval that the trace must be enabled, using Golang duration syntax.

Default value:

"10s"

traceIPTables

Type: boolean

Instructs the enforcers to provide an iptables trace for the target processing unit.

traceNetworkConnections

Type: boolean

Instructs the enforcer to send records for all network-initiated connections for the target processing unit.

RenderedPolicy

Retrieve the aggregated policies applied to a particular processing unit.

Example

{
  "processingUnit": {
    "name": "pu",
    "type": "Docker",
    "normalizedTags": [
      "a=a",
      "b=b"
    ]
  }
}

Relations

POST /renderedpolicies

Render a policy for a processing unit.

Parameters:

  • csr (string): CSR to sign.

GET /processingunits/:id/renderedpolicies

Retrieves the policies for the processing unit.

Parameters:

  • csr (string): CSR to sign.

Attributes

certificate [read_only]

Type: string

The certificate associated with this processing unit. It will identify the processing unit to any internal or external services.

datapathType [autogenerated,read_only]

Type: enum(Default | Aporeto | EnvoyAuthorizer)

The datapath type that this processing unit must implement according to the rendered policy:

  • Default: This policy is not making a decision for the datapath.
  • Aporeto: The enforcer is managing and handling the datapath.
  • EnvoyAuthorizer: The enforcer is serving Envoy-compatible gRPC APIs that, for example, can be used by an Envoy proxy to use the Microsegmentation PKI and implement Microsegmentation network policies. NOTE: The enforcer is not owning the datapath in this case. It is merely providing an authorizer API.

dependendServices

Type: []service

The list of services that this processing unit depends on.

egressPolicies [autogenerated,read_only]

Type: _rendered_policy

Lists all the egress policies attached to the processing unit.

exposedServices

Type: []service

The list of services that this processing unit is implementing.

hashedTags [autogenerated,read_only]

Type: map[string]string

Contains the list of tags that matched the policies and their hashes.

ingressPolicies [autogenerated,read_only]

Type: _rendered_policy

Lists all the ingress policies attached to the processing unit.

matchingTags [autogenerated,read_only]

Type: []string

Contains the list of tags that matched the policies.

processingUnit [required,creation_only]

Type: processingunit

Can be set during a POST operation to render a policy on a processing unit that has not been created yet.

processingUnitID [autogenerated,read_only]

Type: string

Identifier of the processing unit.

scopes

Type: []string

The set of scopes granted to this processing unit that must be present in HTTP requests.

core/processingunit

DataPathCertificate

Used by enforcer instances to retrieve various certificates used for the datapath.

Example

{
  "CSR": "-----BEGIN CERTIFICATE REQUEST-----...-----END CERTIFICATE REQUEST-----",
  "objectID": "5c83035648675400019ab901",
  "sessionID": "5c83035648675400019ab901",
  "type": "Service"
}

Relations

POST /datapathcertificates

Creates a new certificate for datapath.

Attributes

CSR [required]

Type: string

Contains a certificate signing request (CSR) from the enforcer. Depending on the certificate there will be various requirements for the Microsegmentation Console to accept the CSR.

certificate [autogenerated,read_only]

Type: string

The certificate.

objectID [required]

Type: string

ID of the object you want to issue a certificate for.

sessionID

Type: string

Provides the session ID of the enforcer when retrieving a datapath certificate.

signer [autogenerated,read_only]

Type: string

Contains the CA that signed the delivered certificate.

token [autogenerated,read_only]

Type: string

Contains a cryptographic token.

type

Type: enum(Enforcer | Service | ServicePing)

Type of certificate.

Image

A container image can be affected by vulnerabilities.

Example

{
  "hash": "sha256:4635a5562b040fd83ec821bb885405587a52cfef898ffb7402649005dfda75ff",
  "name": "the name",
  "propagate": false,
  "protected": false
}

Relations

GET /images

Retrieves the list of container images.

Parameters:

  • q (string): Filtering query. Consequent q parameters will form an or.
  • propagated (boolean): Also retrieve the objects that propagate down.

POST /images

Creates a new container image.

GET /images/:id

Retrieves a container image with a given ID.

PUT /images/:id

Updates the container image with the given ID.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

description [max_length=1024]

Type: string

Description of the object.

hash

Type: string

Hash of the image.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

propagate

Type: boolean

Propagates the policy to all of its children.

protected

Type: boolean

Defines if the object is protected.

severity

Type: _vulnerability_level

Overall severity of the container image.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

vulnerabilities

Type: []string

List of vulnerabilities affecting this image.

ImageVulnerability

Private API returning the tags related to possible vulnerabilities for one or more given images.

Relations

GET /imagevulnerabilities

Retrieves the list of vulnerabilities for a set of container images.

Parameters:

  • image (string): Image to analyze.

Mandatory Parameters

image

POST /imagevulnerabilities

Creates a new vulnerability.

Attributes

image [autogenerated,read_only]

Type: string

Image name.

severity [autogenerated,read_only]

Type: _vulnerability_level

Overall severity of the vulnerabilities affecting the image.

vulnerabilities [autogenerated,read_only]

Type: []string

List of vulnerabilities associated to the images.

ProcessingUnit

A processing unit represents anything that can compute. It can be a Docker container or a simple Unix process. Processing units are created, updated, and deleted by the system as they come and go. You can only modify their tags. Processing units use network policies to define which other processing units or external networks they can communicate with and file access policies to define what file paths they can use.

Example

{
  "collectInfo": false,
  "datapathType": "Aporeto",
  "enforcementStatus": "Inactive",
  "name": "the name",
  "operationalStatus": "Initialized",
  "protected": false,
  "type": "Docker"
}

Relations

GET /processingunits

Retrieves the list of processing units.

Parameters:

  • q (string): Filtering query. Consequent q parameters will form an or.
  • archived (boolean): Also retrieve the objects that have been archived.

POST /processingunits

Creates a new processing unit.

DELETE /processingunits/:id

Deletes the processing unit with the given ID.

Parameters:

  • q (string): Filtering query. Consequent q parameters will form an or.

GET /processingunits/:id

Retrieves the processing unit with the given ID.

Parameters:

  • archived (boolean): Also retrieve the objects that have been archived.

PUT /processingunits/:id

Updates the processing unit with the given ID.

GET /fileaccesspolicies/:id/processingunits

Returns the list of processing units that match the policy.

GET /infrastructurepolicies/:id/processingunits

Returns the list of processing units affected by an infrastructure policy.

Parameters:

  • mode (enum(subject | object)): Matching mode.

GET /networkaccesspolicies/:id/processingunits

Returns the list of processing units affected by a network policy.

Parameters:

  • mode (enum(subject | object)): Matching mode.

GET /processingunitpolicies/:id/processingunits

Returns the list of processing units referenced by the mapping.

GET /servicedependencies/:id/processingunits

Returns the list of processing units that depend on a service.

GET /services/:id/processingunits

Retrieves the processing units that implement this service.

GET /vulnerabilities/:id/processingunits

Retrieves the processing units affected by the vulnerability.

POST /processingunits/:id/pingprobes

Creates a ping probe.

GET /processingunits/:id/poke

Sends an empty poke object. This sends a snapshot of the processing unit to the time series database.

Parameters:

  • enforcementStatus (enum(Failed | Inactive | Active)): If set, changes the enforcement status of the processing unit along with the poke.
  • forceFullPoke (boolean): If set, triggers a full poke (slower).
  • notify (boolean): Can be sent to trigger a ProcessingUnitRefresh event that will be handled by the enforcer. If this is set, all other additional parameters are ignored.
  • status (enum(Initialized | Paused | Running | Stopped)): If set, changes the status of the processing unit along with the poke.
  • ts (time): Time of the report. If not set, the local server time is used.
  • zhash (integer): Can be set to help the backend target the correct shard where the processing unit is stored.

POST /processingunits/:id/processingunitrefreshes

Sends a Processing Unit Refresh command.

GET /processingunits/:id/renderedpolicies

Retrieves the policies for the processing unit.

Parameters:

  • csr (string): CSR to sign.

GET /processingunits/:id/services

Retrieves the services used by a processing unit.

GET /processingunits/:id/vulnerabilities

Retrieves the vulnerabilities affecting the processing unit.

Parameters:

  • propagated (boolean): Also retrieve the objects that propagate down.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

collectInfo

Type: boolean

A value of true indicates to the enforcer that it needs to collect information for this processing unit.

collectedInfo

Type: map[string]string

Represents the latest information collected by the enforcer for this processing unit.

controller [autogenerated,read_only]

Type: string

The Microsegmentation Console identifier managing this object. This property is mostly useful when federating multiple Microsegmentation Consoles.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

datapathType

Type: enum(Aporeto | EnvoyAuthorizer)

The datapath type that processing units are implementing:

  • Aporeto: The enforcer is managing and handling the datapath.
  • EnvoyAuthorizer: The enforcer is serving Envoy-compatible gRPC APIs that, for example, can be used by an Envoy proxy to use the Microsegmentation PKI and implement Microsegmentation network policies. NOTE: The enforcer does not own the datapath in this case. It is merely providing an authorizer API.

Default value:

"Aporeto"

description [max_length=1024]

Type: string

Description of the object.

enforcementStatus

Type: enum(Active | Failed | Inactive)

Contains the state of the enforcer for the processing unit:

  • Inactive (default): the enforcer is not enforcing any host service.
  • Active: the enforcer is enforcing a host service.
  • Failed

Default value:

"Inactive"

enforcerID

Type: string

The ID of the enforcer associated with the processing unit.

enforcerNamespace

Type: string

The namespace of the enforcer associated with the processing unit.

image

This attribute is deprecated.

Type: string

This field is deprecated and is kept for backward compatibility. Use images instead.

images [creation_only]

Type: []string

List of images or executable paths used by the processing unit.

lastCollectionTime

Type: time

The date and time when the information was collected.

lastSyncTime [autogenerated]

Type: time

The date and time of the last policy resolution.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

nativeContextID

Type: string

The Docker UUID or service PID.

networkServices

Type: []processingunitservice

The list of services that this processing unit has declared that it will be listening to, either in its activation command or by exposing the ports in a container manifest.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

operationalStatus

Type: enum(Initialized | Paused | Running | Stopped | Terminated)

Operational status of the processing unit: Initialized (default), Paused, Running, Stopped, or Terminated.

Default value:

"Initialized"

protected

Type: boolean

Defines if the object is protected.

tracing

Type: tracemode

Indicates if this processing unit must be placed in tracing mode.

type [creation_only]

Type: enum(APIGateway | Docker | Host | HostService | LinuxService | RKT | User | SSHSession)

Type of processing unit: APIGateway, Docker, Host, HostService, LinuxService, RKT, User, or SSHSession.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

vulnerabilityLevel [autogenerated,read_only]

Type: string

List of vulnerabilities affecting this processing unit.

Vulnerability

Represents a common vulnerability and exposure (CVE).

Example

{
  "CVSS2Score": 3.2,
  "link": "https://cve.com/CVE-1234",
  "name": "the name",
  "propagate": false,
  "protected": false,
  "severity": 3
}

Relations

GET /vulnerabilities

Retrieves the list of vulnerabilities.

Parameters:

  • q (string): Filtering query. Consequent q parameters will form an or.
  • propagated (boolean): Also retrieve the objects that propagate down.

POST /vulnerabilities

Creates a new vulnerability.

GET /vulnerabilities/:id

Retrieves the object with the given ID.

GET /processingunits/:id/vulnerabilities

Retrieves the vulnerabilities affecting the processing unit.

Parameters:

  • propagated (boolean): Also retrieve the objects that propagate down.

GET /vulnerabilities/:id/processingunits

Retrieves the processing units affected by the vulnerability.

Attributes

CVSS2Score [creation_only]

Type: float

Common Vulnerability Scoring System (CVSS) version 2 score.

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

description [max_length=1024]

Type: string

Description of the object.

link

Type: string

The URL that refers to the vulnerability.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

propagate

Type: boolean

Propagates the policy to all of its children.

protected

Type: boolean

Defines if the object is protected.

severity [required,creation_only]

Type: _vulnerability_level

Refers to the security vulnerability level.

core/tag

Tag

A tag is a key-value pair in string form that can be applied to all objects in the system. Tags are used for policy resolution. Tags starting with $ are derived from the properties of an object. For example, an object with an ID set to xxx and a name set to the name will be tagged by default with $name=the name and $id=xxx. Tags starting with @ have been generated by an external system.

Example

{
  "value": "key=value"
}

Relations

GET /tags

Retrieves the list of existing tags in the system.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

count [autogenerated,read_only]

Type: integer

Represents the number of times the tag is used.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

value [required,creation_only]

Type: string

Represents the value of the tag.
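
The tagging rules above, as an added example that is not the product's own code: DerivedTags produces the $-prefixed tags the description gives for id and name, ValidateTags enforces the '@' prefix that this reference requires on metadata and, as an added check in the spirit of the reserved prefixes (not a rule the page states), rejects user-supplied associatedTags that start with $ or @, and AllTags is the union policy resolution would match against. The Entity struct and the function names are the example's own.

```go
package main

import (
	"fmt"
	"strings"
)

// Entity is the subset of attributes the taggable objects in this reference share; the
// struct itself is this example's own shape, not a type from the product.
type Entity struct {
	ID             string
	Name           string
	AssociatedTags []string // user-provided key=value tags
	Metadata       []string // creation-only tags written by external systems
}

// ParseTag splits a tag at its first '='. The key must be non-empty; the value may contain '='.
func ParseTag(tag string) (key, value string, err error) {
	i := strings.Index(tag, "=")
	if i <= 0 {
		return "", "", fmt.Errorf("tag %q is not of the form key=value", tag)
	}
	return tag[:i], tag[i+1:], nil
}

// DerivedTags returns the $-prefixed tags the page says are derived from the object's own
// properties, e.g. $id=xxx and $name=the name.
func DerivedTags(e Entity) []string {
	return []string{"$id=" + e.ID, "$name=" + e.Name}
}

// ValidateTags enforces the prefix rules: metadata must start with '@' (stated on the page),
// and associatedTags may use neither '$' nor '@', since a client that could write those would
// impersonate derived or externally generated tags (an added check, not a rule the page states).
func ValidateTags(e Entity) error {
	for _, t := range e.AssociatedTags {
		k, _, err := ParseTag(t)
		if err != nil {
			return err
		}
		if strings.HasPrefix(k, "$") || strings.HasPrefix(k, "@") {
			return fmt.Errorf("associatedTag %q uses a reserved prefix", t)
		}
	}
	for _, t := range e.Metadata {
		k, _, err := ParseTag(t)
		if err != nil {
			return err
		}
		if !strings.HasPrefix(k, "@") {
			return fmt.Errorf("metadata tag %q must start with '@'", t)
		}
	}
	return nil
}

// AllTags is the tag set policy resolution would match against: derived, user and
// metadata tags, in that order, with duplicates removed.
func AllTags(e Entity) []string {
	seen := map[string]bool{}
	var out []string
	for _, t := range append(append(DerivedTags(e), e.AssociatedTags...), e.Metadata...) {
		if !seen[t] {
			seen[t] = true
			out = append(out, t)
		}
	}
	return out
}

func main() {
	e := Entity{ID: "xxx", Name: "the name", AssociatedTags: []string{"app=web"}, Metadata: []string{"@ext:cluster=prod"}}
	fmt.Println(ValidateTags(e), AllTags(e))
}
```

Because policies resolve against tags, who may write which prefix is the security boundary: a client that could set $name or @-tags directly would match policies written for a different identity, which is why the validation runs before any tag reaches AllTags.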

TagValue

Represents all values associated to a tag key.

Relations

GET /tagvalues

Retrieves the list of existing values for the given tag keys.

Parameters:

  • key (string): Keys of the tag you want to get the values of.

Mandatory Parameters

key

Attributes

key [autogenerated,read_only]

Type: string

The requested key.

values [autogenerated,read_only]

Type: []string

List of all values.

core/tenant

Tenant

Can be used to create a tenant’s namespace and API authorization policy to grant access.

Example

{
  "externalID": "customer-123",
  "name": "acme"
}

Relations

POST /tenants

Creates the tenant’s namespace and API authorization policy.

DELETE /tenants/:id

Deletes the tenant with the given namespace ID.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

externalID [required]

Type: string

The external ID of the tenant.

name [required,format=^[a-zA-Z0-9-_/]+$,max_length=231]

Type: string

The name of the tenant.

core/workflow

Recipe

Defines a list of steps that make up a workflow.

Example

{
  "deploymentMode": "Unrestricted",
  "label": "magicpanda",
  "name": "the name",
  "propagate": false,
  "protected": false,
  "targetIdentities": [
    "processingunit",
    "enforcer"
  ]
}

Relations

GET /recipes

Retrieves the list of recipes.

Parameters:

  • q (string): Filtering query. Consequent q parameters will form an or.
  • propagated (boolean): Also retrieve the objects that propagate down.

POST /recipes

Creates a new recipe.

DELETE /recipes/:id

Deletes the recipe with the given ID.

Parameters:

  • q (string): Filtering query. Consequent q parameters will form an or.

GET /recipes/:id

Retrieves the recipe with the given ID.

Parameters:

  • propagated (boolean): Also retrieve the objects that propagate down.

PUT /recipes/:id

Updates the recipe with the given ID.

GET /recipes/:id/importreferences

Returns the list of import references that depend on a recipe.

POST /recipes/:id/importreferences

Creates an import request for the given recipe.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

deploymentMode

Type: enum(Unrestricted | Unique | NamespaceUnique)

Defines the deployment mode of the recipe. If Unrestricted, the recipe can be deployed multiple times in the current namespace and below. If Unique, only one deployment is allowed in the current namespace and its child namespaces. If NamespaceUnique, only one deployment is allowed in the current namespace.

Default value:

"Unrestricted"

description [max_length=1024]

Type: string

Description of the object.

icon

Type: string

Contains a base64-encoded image for the recipe.

key [read_only]

Type: string

The unique key of the recipe.

label [required,creation_only]

Type: string

Defines the recipe.

Default value:

"magicpanda"

longDescription

Type: string

Provides a long description of the recipe.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

options

Type: recipeoptions

Options of the recipe.

propagate

Type: boolean

Propagates the policy to all of its children.

protected

Type: boolean

Defines if the object is protected.

steps

Type: []uistep

Contains all the steps with parameters to follow for the recipe.

successfullMessage

Type: string

A string message presented upon success (optional).

targetIdentities [required]

Type: []string

Contains the list of identities the recipes will try to create.

template

Type: string

Template of the recipe to import.

templateHash [read_only]

Type: string

A hash of the template.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

RecipeOptions

Represents recipe options.

Example

{
  "appCrendentialFormat": "JSON"
}

Attributes

appCrendentialFormat

Type: enum(JSON | YAML)

Indicates the format of the app credential.

Default value:

"JSON"

RenderTemplate

Renders a template from the supplied parameters.

Relations

POST /rendertemplates

Renders a new template.

Attributes

output

Type: string

Holds the rendered template.

parameters

Type: map[string]interface{}

Contains the computed parameters.

template

Type: string

Template of the recipe.

UIParameter

Represents a parameter that will be shown in the web interface.

Example

{
  "advanced": false,
  "key": "unique_key",
  "optional": false,
  "type": "String",
  "width": "100%"
}

Attributes

advanced

Type: boolean

A value of true designates the parameter as advanced.

allowedChoices

Type: map[string]string

Lists all the choices in case of an enum.

allowedValues

Type: []object

List of values that can be used.

defaultValue

Type: object

Default value of the parameter.

description

Type: string

Description of the parameter.

key [required]

Type: string

Key identifying the parameter.

longDescription

Type: string

Long explanation of the parameter.

name

Type: string

Name of the parameter.

optional

Type: boolean

A value of true designates the parameter as optional.

subtype

Type: string

The subtype of a list parameter.

type [required]

Type: enum(Boolean | Checkbox | CVSSThreshold | DangerMessage | Duration | Enum | Endpoint | FileDrop | Float | FloatSlice | InfoMessage | Integer | IntegerSlice | JSON | List | Message | Namespace | Password | String | StringSlice | Switch | TagsExpression | Title | WarningMessage)

The datatype of the parameter.

validationFunction

Type: string

A function that validates the parameter.

value

This attribute is deprecated.

Type: object

Value of the parameter.

visibilityCondition

Type: uiparametersexpression

A logical expression consisting of one or more UIParameterVisibility conditions linked together using AND or OR operators. If the expression evaluates to true the parameter is displayed to the user.

width

Type: string

Width of the parameter.

Default value:

"100%"

UIParameterVisibility

Represents a visibility condition for a UIParameter.

Example

{
  "key": "enableThing",
  "operator": "Equal",
  "value": true
}

Attributes

key [required]

Type: string

Key holding the value to compare.

operator

Type: enum(Equal | NotEqual | GreaterThan | LesserThan | Defined | Undefined | Match | NotMatch)

Operator to apply.

value [required]

Type: object

Values that must match the key.
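
An evaluator for the visibilityCondition attribute of UIParameter, as an added example that is not code from the product: it implements every operator in the enum above and treats the uiparametersexpression type, which this reference does not define, as an OR of AND groups (an assumption). Condition, Expression and Evaluate are names chosen for the example.

```go
package main

import (
	"fmt"
	"reflect"
	"regexp"
)

type Condition struct { // mirrors a UIParameterVisibility object
	Key      string      `json:"key"`
	Operator string      `json:"operator"`
	Value    interface{} `json:"value"`
}

// Expression is an assumed encoding of uiparametersexpression, which the page does not
// define: an OR of AND groups, so [[a, b], [c]] reads "(a AND b) OR c".
type Expression [][]Condition

// Evaluate reports whether a parameter is displayed given the values entered so far; an empty expression always shows it.
func Evaluate(expr Expression, values map[string]interface{}) (bool, error) {
	if len(expr) == 0 {
		return true, nil
	}
	for _, group := range expr {
		ok, err := allTrue(group, values)
		if err != nil || ok {
			return ok, err
		}
	}
	return false, nil
}

func allTrue(group []Condition, values map[string]interface{}) (bool, error) {
	for _, c := range group {
		if ok, err := evalCondition(c, values); !ok || err != nil {
			return false, err
		}
	}
	return true, nil
}

// evalCondition applies one operator; an absent key never Equals or Matches, so dependents stay hidden on a half-filled form.
func evalCondition(c Condition, values map[string]interface{}) (bool, error) {
	v, present := values[c.Key]
	switch c.Operator {
	case "Defined", "Undefined":
		return present == (c.Operator == "Defined"), nil
	case "Equal", "NotEqual":
		return (present && equal(v, c.Value)) == (c.Operator == "Equal"), nil
	case "GreaterThan", "LesserThan":
		if !present {
			return false, nil
		}
		a, okA := toFloat(v)
		b, okB := toFloat(c.Value)
		if !okA || !okB {
			return false, fmt.Errorf("%s on %q needs numeric operands", c.Operator, c.Key)
		}
		if c.Operator == "GreaterThan" {
			return a > b, nil
		}
		return a < b, nil
	case "Match", "NotMatch":
		pattern, ok := c.Value.(string)
		if !ok {
			return false, fmt.Errorf("%s on %q needs a string pattern", c.Operator, c.Key)
		}
		re, err := regexp.Compile(pattern)
		if err != nil {
			return false, err
		}
		s, isStr := v.(string)
		return (present && isStr && re.MatchString(s)) == (c.Operator == "Match"), nil
	}
	return false, fmt.Errorf("unknown operator %q", c.Operator)
}

// equal compares numbers by value (JSON decodes 5 as float64, Go code may pass an int) and the rest with DeepEqual, which does not panic on slices.
func equal(a, b interface{}) bool {
	if x, ok := toFloat(a); ok {
		y, ok := toFloat(b)
		return ok && x == y
	}
	return reflect.DeepEqual(a, b)
}

func toFloat(x interface{}) (float64, bool) {
	switch n := x.(type) {
	case float64:
		return n, true
	case int:
		return float64(n), true
	}
	return 0, false
}

func main() { // the page's example condition, evaluated against a form where enableThing is true
	fmt.Println(Evaluate(Expression{{{Key: "enableThing", Operator: "Equal", Value: true}}}, map[string]interface{}{"enableThing": true}))
}
```

A missing key only hides the parameter, but a non-numeric operand for GreaterThan/LesserThan or a malformed regular expression is reported as an error rather than silently evaluating to false, so a broken recipe shows up as an error instead of quietly hiding a field the user was supposed to fill in.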

UIStep

Represents a step that will be shown in the web interface.

Example

{
  "advanced": false,
  "name": "General configuration"
}

Attributes

advanced

Type: boolean

Defines if the step is an advanced one.

description

Type: string

Description of the step.

name [required]

Type: string

Name of the step.

parameters

Type: []uiparameter

List of parameters for this step.

ValidateUIParameter

Validates a list of UIParameter parameters.

Relations

POST /validateuiparameters

Validates some UI parameters.

Attributes

errors

Type: map[string]string

Contains the list of errors.

parameters

Type: []uiparameter

List of parameters to validate.

values

Type: map[string]interface{}

Contains the computed values.

debug

DebugBundle

Represents a file that can be uploaded.

Relations

GET /enforcers/:id/debugbundles

Retrieves the list of debug bundles.

POST /enforcers/:id/debugbundles

Uploads a debug bundle.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

debugID

Type: string

Can be used to correlate with an EnforcerRefresh.

enforcerID [read_only]

Type: string

The ID of the enforcer.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

ext/documentation

Sandbox

This API allows you to create a temporary namespace to experiment with Microsegmentation. It is not authenticated and has small quotas. After one hour, everything is deleted.

Relations

POST /sandboxes

Creates a temporary API sandbox.

Attributes

URL [autogenerated,read_only]

Type: string

Contains a link to directly connect the UI to your API sandbox.

credentials [autogenerated,read_only]

Type: credential

The app credential data.

lifetime [autogenerated,read_only]

Type: string

Contains the lifetime of the sandbox namespace.

namespace [autogenerated,read_only]

Type: string

Contains the name of the sandbox namespace that has been created.

integration/apiproxy

APIProxy

Represents information needed to register and interact with an application’s remote endpoint.

Example

{
  "certificateAuthority": "-----BEGIN CERTIFICATE-----\nMIIBbjCCARSgAwIBAgIRANRbvVzTzBZOvMCb8BiKCLowCgYIKoZIzj0EAwIwJjEN\nMAsGA1UEChMEQWNtZTEVMBMGA1UEAxMMQWNtZSBSb290IENBMB4XDTE4MDExNTE4\nNDgwN1oXDTI3MTEyNDE4NDgwN1owJjENMAsGA1UEChMEQWNtZTEVMBMGA1UEAxMM\nQWNtZSBSb290IENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJ/80HR51+vau\n7XH7zS7b8ABA0e/TdBOg1NznbnXdXil1tDvWloWuH5+/bbaiEg54wksJHFXaukw8\njhTLU7zT56MjMCEwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wCgYI\nKoZIzj0EAwIDSAAwRQIhALwAZh2KLFFC1qfb5CqFHExlXS0PUltax9PvQCN9P0vl\nAiBl7/st9u/JpERjJgirxJxOgKNlV6pq9ti75EfQtZZcQA==\n-----END CERTIFICATE-----",
  "clientCertificate": "-----BEGIN CERTIFICATE-----\nMIIBczCCARigAwIBAgIRALD3Vz81Pq10g7n4eAkOsCYwCgYIKoZIzj0EAwIwJjEN\nMAsGA1UEChMEQWNtZTEVMBMGA1UEAxMMQWNtZSBSb290IENBMB4XDTE4MDExNzA2\nNTM1MloXDTI3MTEyNjA2NTM1MlowGDEWMBQGA1UEAxMNY2xhaXJlLWNsaWVudDBZ\nMBMGByqGSM49AgEGCCqGSM49AwEHA0IABOmzPJj+t25T148eQH5gVrZ7nHwckF5O\nevJQ3CjSEMesjZ/u7cW8IBfXlxZKHxl91IEbbB3svci4c8pycUNZ2kujNTAzMA4G\nA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAA\nMAoGCCqGSM49BAMCA0kAMEYCIQCjAAmkQpTua0HR4q6jnePaFBp/JMXwTXTxzbV6\npeGbBQIhAP+1OR8GFnn2PlacwHqWXHwkvy6CLPVikvgtwEdB6jH8\n-----END CERTIFICATE-----",
  "clientCertificateKey": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIGOXJI/123456789oamOu4tQAIKFdbyvkIJg9GME0mHzoAoGCCqGSM49\nAwEHoUQDQgAE6bM8mP123456789AfmBWtnucfByQXk568lDcKNIQx6yNn+7txbwg\nF9eXFkofGX3UgRtsHe123456789xQ1naSw==\n-----END EC PRIVATE KEY-----",
  "disabled": false,
  "endpoint": "https://api.remoteserver.com/remoteroute",
  "name": "the name",
  "operation": "GET",
  "protected": false
}

Relations

GET /apiproxies

Retrieves the list of API proxies.

Parameters:

  • q (string): Filtering query. Consequent q parameters will form an or.

POST /apiproxies

Creates a new API proxy.

DELETE /apiproxies/:id

Deletes the API proxy with the given ID.

GET /apiproxies/:id

Retrieves the API proxy with the given ID.

PUT /apiproxies/:id

Updates the API proxy with the given ID.

GET /apiproxies/:id/calls

Allows a system to send a remote request to the API proxy based on the operation attribute.

POST /apiproxies/:id/calls

Allows a system to send a remote request to the API proxy based on the operation attribute.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

certificateAuthority

Type: string

Contains the PEM block of the certificate authority used by the remote endpoint.

clientCertificate

Type: string

Contains the client certificate that will be used to connect to the remote endpoint. If provided, the private key associated with this certificate must also be configured.

clientCertificateKey

Type: string

Contains the key associated with the clientCertificate. It must be provided only when clientCertificate has been configured.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

description [max_length=1024]

Type: string

Description of the object.

disabled

Type: boolean

Defines if the property is disabled.

endpoint [required]

Type: string

Contains the full address of the remote API endpoint.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

operation

Type: enum(GET | PATCH | POST | PUT | DELETE)

Defines the operation that is currently handled by the service.

Default value:

"GET"

protected

Type: boolean

Defines if the object is protected.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

Call

Can be used to send a remote request to an API proxy.

Relations

GET /apiproxies/:id/calls

Allows a system to send a remote request to the API proxy based on the operation attribute.

POST /apiproxies/:id/calls

Allows a system to send a remote request to the API proxy based on the operation attribute.

Attributes

payload

Type: string

Contains the remote POST payload.

integration/app

App

Represents an application that can be installed.

Example

{
  "beta": false,
  "name": "the name"
}

Relations

GET /apps

Retrieves the list of apps.

Parameters:

  • name (string): internal parameter.
  • q (string): Filtering query. Consequent q parameters will form an or.

Attributes

beta [read_only]

Type: boolean

Set to true to indicate that the app is in a beta version.

categoryID [read_only]

Type: string

Category ID of the app.

description [max_length=1024]

Type: string

Description of the object.

icon [read_only]

Type: string

Contains a base64-encoded image for the app.

latestVersion

Type: string

Represents the latest version available of the app.

longDescription

Type: string

Contains a more detailed description of the app.

name [required,max_length=256]

Type: string

Name of the entity.

steps

Type: []uistep

List of steps that contain parameters.

title

Type: string

Represents the title of the app.

Category

Allows you to categorize services.

Example

{
  "name": "the name"
}

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

description [max_length=1024]

Type: string

Description of the object.

name [required,max_length=256]

Type: string

Name of the entity.

InstalledApp

Represents an installed application.

Example

{
  "additionalConfiguration": false,
  "checkPublicEndpoint": false,
  "name": "the name",
  "protected": false,
  "status": "Unknown"
}

Relations

GET /installedapps

Retrieves the list of installed apps.

Parameters:

  • tag (string): List of tags to filter on. This parameter is deprecated.
  • q (string): Filtering query. Consequent q parameters will form an or.

POST /installedapps

Installs a new app.

DELETE /installedapps/:id

Deletes the application with the given ID.

Parameters:

  • q (string): Filtering query. Consequent q parameters will form an or.

GET /installedapps/:id

Retrieves the application with the given ID.

PUT /installedapps/:id

Updates the application with the given ID.

GET /installedapps/:id/logs

Returns the logs for an application.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

additionalConfiguration

Type: boolean

Indicates that the app itself needs additional configuration.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

categoryID [read_only]

Type: string

The category ID of the application.

checkPublicEndpoint

Type: boolean

If true, will look for the public endpoints and store them as annotations in the installed app.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

currentVersion

Type: string

Version of the installed application.

externalWindowButton

Type: map[string]string

Adds a button in the UI.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

parameters

Type: map[string]interface{}

Contains the computed parameters to start the application.

protected

Type: boolean

Defines if the object is protected.

status [read_only]

Type: enum(Unknown | Deploying | Initializing | Running | Undeploying | Error)

Status of the application.

Default value:

"Unknown"

statusMessage [read_only]

Type: string

Reason for the status of the application.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

Log

Retrieves the logs of a deployed application.

Relations

GET /installedapps/:id/logs

Returns the logs for an application.

Attributes

data [autogenerated,read_only]

Type: map[string]string

Contains all log data.

integration/automation

Automation

Allows you to define some JavaScript code and specify the conditions under which it should be executed.

Example

{
  "condition": "function when(m, params) { return { continue: true }}",
  "disabled": false,
  "immediateExecution": false,
  "name": "the name",
  "protected": false,
  "tokenRenew": false,
  "trigger": "Time"
}

Relations

GET /automations

Retrieves the list of automations.

Parameters:

  • q (string): Filtering query. Consequent q parameters will form an or.

POST /automations

Creates a new Automation.

DELETE /automations/:id

Deletes the automation with the given ID.

Parameters:

  • q (string): Filtering query. Consequent q parameters will form an or.

GET /automations/:id

Retrieves the automation with the given ID.

PUT /automations/:id

Updates the automation with the given ID.

GET /automations/:id/triggers

Allows a system to trigger the automation if its trigger property is set to RemoteCall.

POST /automations/:id/triggers

Allows a system to trigger the automation if its trigger property is set to RemoteCall.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

actions

Type: []string

Contains the code that will be executed if the condition is met.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

condition

Type: string

Condition contains the code that will be executed to decide if any action(s) should be executed. Providing a condition for an automation with a “Webhook” trigger type will have no impact as the condition will not be evaluated. If no condition is defined, then the automation action(s) will be executed; this behaves akin to a condition that always succeeds.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

description [max_length=1024]

Type: string

Description of the object.

disabled

Type: boolean

Defines if the property is disabled.

entitlements

Type: _automation_entitlements

Declares which operations are allowed on which identities.

errors [autogenerated,read_only]

Type: []string

Contains the error of the last run.

events

Type: _automation_events

Contains the identity and operation an event must have to trigger the automation.

immediateExecution

Type: boolean

If set and the trigger is of type Time, the automation will be run at create or update before being scheduled.

lastExecTime [autogenerated,read_only]

Type: time

The last successful execution time.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

parameters

Type: map[string]interface{}

Contains the computed parameters.

protected

Type: boolean

Defines if the object is protected.

schedule

Type: string

Specifies when to run the automation. Must be in valid CRON format. This only applies if the trigger is set to Time.

signature

Type: string

Signature to validate the authenticity of the object.

stdout [autogenerated,read_only]

Type: string

Contains the standard output of the last run.

token [autogenerated]

Type: string

Holds the unique access token used as a password to trigger the authentication. It will be visible only after creation.

tokenRenew

Type: boolean

If set to true a new token will be issued and the previous one invalidated.

trigger

Type: enum(Event | RemoteCall | Webhook | Time)

Controls when the automation should be triggered.

Default value:

"Time"

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

AutomationTemplate

Templates that can be used in automations.

Example

{
  "kind": "Condition",
  "name": "the name"
}

Relations

GET /automationtemplates

Retrieves the list of automation templates.

GET /automationtemplates/:id

Retrieves the template with the given ID.

Attributes

description [max_length=1024]

Type: string

Description of the object.

entitlements

Type: _automation_entitlements

Contains the entitlements needed for executing the function.

function

Type: string

Function contains the code.

key

Type: string

Contains the unique identifier key for the template.

kind

Type: enum(Action | Condition)

Represents the kind of template.

Default value:

"Condition"

name [required,max_length=256]

Type: string

Name of the entity.

parameters

Type: map[string]interface{}

Contains the computed parameters.

steps

Type: []uistep

Contains all the steps with parameters.

Trigger

Can be used to remotely trigger an automation.

Relations

GET /automations/:id/triggers

Allows a system to trigger the automation if its trigger property is set to RemoteCall.

POST /automations/:id/triggers

Allows a system to trigger the automation if its trigger property is set to RemoteCall.

internal/token

OAUTHInfo

OAUTHInfo provides the information for an OAUTH server to retrieve the secrets that can validate a JWT token issued by us.

Relations

GET /oauthinfo/:id

Retrieves the OAUTH info.

GET /namespaces/:id/oauthinfo

Retrieves the OAUTH info for this namespace.

Parameters:

  • mode (enum(oidc)): When set to type OIDC it will return the data as a raw JSON object and not a Microsegmentation Console-compatible API.

Attributes

IDTokenSigningAlgValuesSupported [autogenerated,read_only]

Type: []string

IDTokenSigningAlgValuesSupported is the corresponding attribute of the OIDC spec.

JWKSURI [autogenerated,read_only]

Type: string

JWKSURI is the URI that can be used to retrieve the public keys that will verify a JWT.

auhorizationEndpoint [autogenerated,read_only]

Type: string

AuhorizationEndpoint is the authorization endpoint.

claimsSupported [autogenerated,read_only]

Type: []string

ClaimsSupported is the corresponding attribute of the OIDC spec.

issuer [autogenerated,read_only]

Type: string

Issuer is the URL pointing to the issuer of the token.

responseTypesSupported [autogenerated,read_only]

Type: []string

ResponseTypesSupported is the corresponding attribute of the OIDC spec.

scopesSupported [autogenerated,read_only]

Type: []string

ScopesSupported is the corresponding attribute of the OIDC spec.

subjectTypesSupported [autogenerated,read_only]

Type: []string

SubjectTypesSupported is the corresponding attribute of the OIDC spec.

tokenEndpointAuthMethodsSupported [autogenerated,read_only]

Type: []string

TokenEndpointAuthMethodsSupported is the corresponding attribute of the OIDC spec.

OAUTHKey

OAUTHInfo provides the information for an OAUTH server to retrieve the secrets that can validate a JWT token issued by us.

Relations

GET /oauthkeys/:id

Retrieves the OAUTH info.

GET /namespaces/:id/oauthkeys

Retrieves the OAUTH info for this namespace.

Parameters:

  • mode (enum(oidc)): When set to OIDC it will return the data as a raw JSON object and not a Microsegmentation Console-compatible API.

Attributes

keyString [autogenerated,read_only]

Type: string

KeyString is the JWKS key response for an OAUTH verifier. It provides the OAUTH compatible signing keys.
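The two objects above describe the verifier side of token validation: OAUTHInfo publishes the issuer and the JWKSURI, and OAUTHKey's keyString is the JWKS document served there. The block below is an added example, not code from the page or from the Console itself, showing what a relying party does with that material: select the key by kid, pin the algorithm to RS256 before any key is used, verify the signature, then check the issuer claim against OAUTHInfo's issuer. The issuer URL, the key ID "key-1" and the claims are constructed sample values; the issuer-side SignRS256 exists only so the sample runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// jwks mirrors the JWKS document a verifier fetches from JWKSURI (the keyString
// attribute above): public keys, each addressable by its kid.
type jwks struct {
	Keys []struct{ Kty, Kid, N, E string } `json:"keys"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// NewSampleKey generates the constructed issuer key for this example (sample only, so the error is ignored).
func NewSampleKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }

// KeyToJWKS renders an RSA public key as a one-entry JWKS document.
func KeyToJWKS(kid string, pub *rsa.PublicKey) []byte {
	out, _ := json.Marshal(map[string]interface{}{"keys": []map[string]string{{
		"kty": "RSA", "kid": kid, "n": b64url(pub.N.Bytes()), "e": b64url(big.NewInt(int64(pub.E)).Bytes()),
	}}})
	return out
}

// SignRS256 mints a compact JWT and stands in for the issuer side of the exchange.
func SignRS256(kid string, claims map[string]interface{}, priv *rsa.PrivateKey) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64url(hdr) + "." + b64url(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64url(sig), nil
}

// VerifyRS256 is the relying-party side: pin the algorithm before any key is
// consulted (so "alg":"none" or an HMAC alg is refused, never verified with the
// wrong primitive), select the key strictly by kid, verify the signature over
// header.payload, then compare iss with the issuer value from OAUTHInfo.
func VerifyRS256(token string, jwksDoc []byte, expectedIssuer string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("not a three-part compact JWT")
	}
	raw := make([][]byte, 3)
	for i, p := range parts {
		var err error
		if raw[i], err = base64.RawURLEncoding.DecodeString(p); err != nil {
			return nil, fmt.Errorf("part %d: %w", i, err)
		}
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(raw[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("header rejected (alg=%q, err=%v): only RS256 is accepted", hdr.Alg, err)
	}
	var set jwks
	if err := json.Unmarshal(jwksDoc, &set); err != nil {
		return nil, err
	}
	var pub *rsa.PublicKey
	for _, k := range set.Keys {
		if k.Kty == "RSA" && k.Kid == hdr.Kid {
			nb, _ := base64.RawURLEncoding.DecodeString(k.N) // a malformed n or e produces an
			eb, _ := base64.RawURLEncoding.DecodeString(k.E) // unusable key that VerifyPKCS1v15 rejects
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(new(big.Int).SetBytes(eb).Int64())}
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("no RSA key with kid %q in JWKS", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]); err != nil {
		return nil, fmt.Errorf("signature invalid: %w", err)
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(raw[1], &claims); err != nil {
		return nil, err
	}
	if iss, _ := claims["iss"].(string); iss != expectedIssuer {
		return nil, fmt.Errorf("issuer %q is not %q", iss, expectedIssuer)
	}
	return claims, nil
}

func main() {
	priv, iss := NewSampleKey(), "https://console.example/namespaces/acme" // constructed issuer URL
	tok, _ := SignRS256("key-1", map[string]interface{}{"iss": iss, "sub": "ci-runner"}, priv)
	fmt.Println(VerifyRS256(tok, KeyToJWKS("key-1", &priv.PublicKey), iss))
}
```

The order of checks is the point: the algorithm is fixed by the verifier, not read from the token and trusted, and the key is chosen by kid from the JWKS rather than from anything the token carries. Claims such as expiry are not checked here; a real verifier adds those after the signature passes.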

internal/x509

PKIXName

Represents a public key infrastructure X.509 (PKIX) certificate.

Attributes

commonName

Type: string

Represents the Common Name field.

country

Type: []string

Represents the Country field.

locality

Type: []string

Represents the Locality field.

organization

Type: []string

Represents the Organization field.

organizationalUnit

Type: []string

Represents the Organizational Unit field.

postalCode

Type: []string

Represents the Postal Code field.

province

Type: []string

Represents the Province field.

streetAddress

Type: []string

Represents the Street Address field.

policy/access

AccessReport

Represents any access made by the user.

Example

{
  "action": "Accept",
  "enforcerID": "xxx-xxx-xxx",
  "enforcerNamespace": "/my/namespace",
  "processingUnitID": "xxx-xxx-xxx-xxx",
  "processingUnitName": "pu1",
  "processingUnitNamespace": "/my/ns",
  "type": "SSHLogin"
}

Relations

POST /accessreports

Create an access report.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

action [required]

Type: enum(Accept | Reject)

Action applied to the access.

claimHash

Type: string

Hash of the claims used to communicate.

enforcerID [required]

Type: string

Identifier of the enforcer.

enforcerNamespace [required]

Type: string

Namespace of the enforcer.

processingUnitID

Type: string

ID of the processing unit of the report.

processingUnitName

Type: string

Name of the processing unit of the report.

processingUnitNamespace

Type: string

Namespace of the processing unit of the report.

reason

Type: string

This field is only set if action is set to Reject. It specifies the reason for the rejection.

timestamp

Type: time

Date of the report.

type [required]

Type: enum(SSHLogin | SSHLogout | SudoEnter | SudoExit)

Type of the report.

UserAccessPolicy

The enforcer policy that controls user access.

Example

{
  "disabled": false,
  "name": "the name",
  "propagate": false,
  "protected": false
}

Relations

GET /useraccesspolicies

Retrieves the list of user access policies.

Parameters:

  • q (string): Filtering query. Subsequent q parameters are combined with a logical OR.
  • propagated (boolean): Also retrieve the objects that propagate down.

POST /useraccesspolicies

Creates a new enforcer policy.

DELETE /useraccesspolicies/:id

Deletes the policy with the given ID.

Parameters:

  • q (string): Filtering query. Subsequent q parameters are combined with a logical OR.

GET /useraccesspolicies/:id

Retrieves the policy with the given ID.

Parameters:

  • propagated (boolean): Also retrieve the objects that propagate down.

PUT /useraccesspolicies/:id

Updates the policy with the given ID.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

activeDuration [format=^[0-9]+[smh]$]

Type: string

Defines for how long the policy will be active according to the activeSchedule.

activeSchedule

Type: string

Defines when the policy should be active using the cron notation. The policy will be active for the given activeDuration.
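activeDuration and activeSchedule work as a pair on every policy type in this reference that carries them (UserAccessPolicy, AuditProfileMappingPolicy, APIAuthorizationPolicy): the cron expression says when the window opens, the duration says how long it stays open. The block below is an added example, not code from the page or the project, that validates a value against the declared format ^[0-9]+[smh]$ and applies the window rule. It assumes a scheduler has already evaluated the cron expression and supplied the last firing time; treating the window as half-open, and rejecting a zero duration, are choices of this example rather than rules the page states.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"strconv"
	"time"
)

// activeDurationRe is the format the API declares for activeDuration: an
// integer followed by exactly one unit (s, m or h). Compound values such as
// "1h30m", which Go's time.ParseDuration accepts, fall outside this format.
var activeDurationRe = regexp.MustCompile(`^([0-9]+)([smh])$`)

// ParseActiveDuration validates a value against the documented format and
// converts it to a time.Duration. Rejecting a zero duration and guarding
// against overflow are added checks of this example, not rules from the page.
func ParseActiveDuration(s string) (time.Duration, error) {
	m := activeDurationRe.FindStringSubmatch(s)
	if m == nil {
		return 0, fmt.Errorf("activeDuration %q does not match ^[0-9]+[smh]$", s)
	}
	n, err := strconv.ParseInt(m[1], 10, 64)
	if err != nil {
		return 0, fmt.Errorf("activeDuration %q: %w", s, err)
	}
	if n == 0 {
		return 0, fmt.Errorf("activeDuration %q would never activate the policy", s)
	}
	unit := map[string]time.Duration{"s": time.Second, "m": time.Minute, "h": time.Hour}[m[2]]
	if n > int64(math.MaxInt64)/int64(unit) {
		return 0, fmt.Errorf("activeDuration %q overflows the representable range", s)
	}
	return time.Duration(n) * unit, nil
}

// IsActive reports whether a policy whose activeSchedule last fired at lastFire
// is inside its window at now. Evaluating the cron expression itself is left to
// a scheduler; this applies only the rule the page states: active from the
// scheduled instant for activeDuration. The window is assumed half-open, so a
// policy with "8h" firing at 09:00 is no longer active at exactly 17:00.
func IsActive(lastFire, now time.Time, active time.Duration) bool {
	return !now.Before(lastFire) && now.Sub(lastFire) < active
}

func main() {
	fire := time.Date(2024, 1, 15, 9, 0, 0, 0, time.UTC) // constructed: the schedule fired at 09:00 UTC
	for _, v := range []string{"8h", "30m", "1h30m", "90", "0s"} {
		d, err := ParseActiveDuration(v)
		if err != nil {
			fmt.Println(v, "->", err)
			continue
		}
		fmt.Printf("%s -> active until %s\n", v, fire.Add(d).Format(time.RFC3339))
	}
	d, _ := ParseActiveDuration("8h")
	fmt.Println("active at 12:00?", IsActive(fire, fire.Add(3*time.Hour), d))
	fmt.Println("active at 18:00?", IsActive(fire, fire.Add(9*time.Hour), d))
}
```

Validating the string client-side before a POST avoids a rejected request, and parsing it with the page's regex rather than a general duration parser keeps a value such as "1h30m" from being accepted locally and then refused by the API.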

allowedSudoUsers

Type: []string

Indicates the list of users who can use sudo commands.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

description [max_length=1024]

Type: string

Description of the object.

disabled

Type: boolean

Defines if the property is disabled.

expirationTime

Type: time

If set the policy will be automatically deleted after the given time.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

object

Type: [][]string

Contains the tag expression matching the enforcers the subject is allowed to connect to.

propagate

Type: boolean

Propagates the policy to all of its children.

protected

Type: boolean

Defines if the object is protected.

subject

Type: [][]string

Contains the tag expression the tags need to match for the policy to apply.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

policy/audit

AuditProfile

A set of audit rules that determine the types of events that must be captured in the kernel.

Example

{
  "name": "the name",
  "propagate": false,
  "protected": false
}

Relations

GET /auditprofiles

Retrieves the list of audit profiles.

Parameters:

  • q (string): Filtering query. Subsequent q parameters are combined with a logical OR.
  • propagated (boolean): Also retrieve the objects that propagate down.

POST /auditprofiles

Creates a new audit profile.

DELETE /auditprofiles/:id

Deletes the profile with the given ID.

Parameters:

  • q (string): Filtering query. Subsequent q parameters are combined with a logical OR.

GET /auditprofiles/:id

Retrieves the object with the given ID.

Parameters:

  • propagated (boolean): Also retrieve the objects that propagate down.

PUT /auditprofiles/:id

Updates the profile with the given ID.

GET /auditprofilemappingpolicies/:id/auditprofiles

Returns the list of audit profiles that are referred to by this mapping.

GET /enforcers/:id/auditprofiles

Returns a list of the audit profiles that must be applied to this enforcer.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

description [max_length=1024]

Type: string

Description of the object.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

propagate

Type: boolean

Propagates the policy to all of its children.

protected

Type: boolean

Defines if the object is protected.

rules

Type: _audit_profile_rule_list

List of audit rules associated with this profile.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

AuditProfileMappingPolicy

Use an audit profile mapping to define the set of enforcers that must implement a specific audit profile.

Example

{
  "disabled": false,
  "fallback": false,
  "name": "the name",
  "propagate": false,
  "protected": false
}

Relations

GET /auditprofilemappingpolicies

Retrieves the list of audit profile mapping policies.

Parameters:

  • q (string): Filtering query. Subsequent q parameters are combined with a logical OR.
  • propagated (boolean): Also retrieve the objects that propagate down.

POST /auditprofilemappingpolicies

Creates a new audit profile mapping policy.

DELETE /auditprofilemappingpolicies/:id

Deletes the mapping with the given ID.

Parameters:

  • q (string): Filtering query. Subsequent q parameters are combined with a logical OR.

GET /auditprofilemappingpolicies/:id

Retrieves the mapping with the given ID.

Parameters:

  • propagated (boolean): Also retrieve the objects that propagate down.

PUT /auditprofilemappingpolicies/:id

Updates the mapping with the given ID.

GET /auditprofilemappingpolicies/:id/auditprofiles

Returns the list of audit profiles that are referred to by this mapping.

GET /auditprofilemappingpolicies/:id/enforcers

Returns the list of enforcers that are affected by this mapping.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

activeDuration [format=^[0-9]+[smh]$]

Type: string

Defines for how long the policy will be active according to the activeSchedule.

activeSchedule

Type: string

Defines when the policy should be active using the cron notation. The policy will be active for the given activeDuration.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

description [max_length=1024]

Type: string

Description of the object.

disabled

Type: boolean

Defines if the property is disabled.

fallback

Type: boolean

Indicates that this is a fallback policy. It will only be applied if no other policies have been resolved. If the policy is also propagated it will become a fallback for child namespaces.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

object

Type: [][]string

The tag or tag expression that identifies the audit profile to be mapped.

propagate

Type: boolean

Propagates the policy to all of its children.

protected

Type: boolean

Defines if the object is protected.

subject

Type: [][]string

The tag or tag expression that identifies the enforcer(s) to implement the audit profile.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

AuditReport

Post a new audit report.

Example

{
  "AUID": "xxx-xxx",
  "CWD": "/etc",
  "EXE": "/bin/ls",
  "a0": "xxx-xxx",
  "a1": "xxx-xxx",
  "a2": "xxx-xxx",
  "a3": "xxx-xxx",
  "arch": "x86_64",
  "auditProfileID": "xxx-xxx-xxx-xxx",
  "auditProfileNamespace": "/my/ns",
  "command": "ls",
  "enforcerID": "xxx-xxx-xxx-xxx",
  "enforcerNamespace": "/my/ns",
  "processingUnitID": "xxx-xxx-xxx-xxx",
  "processingUnitNamespace": "/my/ns",
  "recordType": "Syscall",
  "success": false,
  "syscall": "execve",
  "timestamp": "2018-06-14T23:10:46.420397985Z"
}

Relations

POST /auditreports

Create an audit statistics report.

Attributes

AUID

Type: string

The login ID of the user who started the audited process.

CWD

Type: string

Command working directory.

EGID

Type: integer

Effective group ID of the user who started the audited process.

EUID

Type: integer

Effective user ID of the user who started the audited process.

EXE

Type: string

Path to the executable.

FSGID

Type: integer

File system group ID of the user who started the audited process.

FSUID

Type: integer

File system user ID of the user who started the audited process.

FilePath

Type: string

Full path of the file that was passed to the system call.

GID

Type: integer

Group ID of the user who started the analyzed process.

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

PER

Type: integer

File or directory permissions.

PID

Type: integer

Process ID of the executable.

PPID

Type: integer

Process ID of the parent executable.

SGID

Type: integer

Set group ID of the user who started the audited process.

SUID

Type: integer

Set user ID of the user who started the audited process.

UID

Type: integer

User ID.

a0

Type: string

First argument of the executed system call.

a1

Type: string

Second argument of the executed system call.

a2

Type: string

Third argument of the executed system call.

a3

Type: string

Fourth argument of the executed system call.

arch

Type: string

Architecture of the system of the monitored process.

arguments

Type: []string

Arguments passed to the command.

auditProfileID [required]

Type: string

ID of the audit profile that triggered the report.

auditProfileNamespace [required]

Type: string

Namespace of the audit profile that triggered the report.

command

Type: string

Command issued.

enforcerID [required]

Type: string

ID of the enforcer reporting.

enforcerNamespace [required]

Type: string

Namespace of the enforcer reporting.

exit

Type: integer

Exit code of the executed system call.

processingUnitID [required]

Type: string

ID of the processing unit originating the report.

processingUnitNamespace [required]

Type: string

Namespace of the processing unit originating the report.

recordType [required]

Type: string

Type of audit record.

sequence

Type: integer

Needs documentation.

success

Type: boolean

Tells if the operation has been a success or a failure.

syscall

Type: string

System call executed.

timestamp [required]

Type: time

Date of the report.

policy/authorization

APIAuthorizationPolicy

An API authorization defines the operations a user can perform in a namespace: GET, POST, PUT, DELETE, PATCH, and/or HEAD. It is also possible to restrict the user to a subset of the APIs in the namespace by setting authorizedIdentities. An API authorization always propagates down to all the children of the current namespace.

Example

{
  "authorizedIdentities": [
    "@auth:role=namespace.administrator"
  ],
  "authorizedNamespace": "/namespace",
  "disabled": false,
  "fallback": false,
  "name": "the name",
  "propagationHidden": false,
  "protected": false
}

Relations

GET /apiauthorizationpolicies

Retrieves the list of API authorizations.

Parameters:

  • q (string): Filtering query. Subsequent q parameters are combined with a logical OR.
  • propagated (boolean): Also retrieve the objects that propagate down.

POST /apiauthorizationpolicies

Creates a new API authorization.

DELETE /apiauthorizationpolicies/:id

Deletes the authorization with the given ID.

Parameters:

  • q (string): Filtering query. Subsequent q parameters are combined with a logical OR.

GET /apiauthorizationpolicies/:id

Retrieves the authorization with the given ID.

PUT /apiauthorizationpolicies/:id

Updates the authorization with the given ID.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

activeDuration [format=^[0-9]+[smh]$]

Type: string

Defines for how long the policy will be active according to the activeSchedule.

activeSchedule

Type: string

Defines when the policy should be active using the cron notation. The policy will be active for the given activeDuration.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

authorizedIdentities [required]

Type: []string

A list of roles assigned to the user.

authorizedNamespace [required]

Type: string

Defines the namespace the user is authorized to access.

authorizedSubnets

Type: []string

If set, the API authorization will only be valid if the request comes from one of the declared subnets.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

description [max_length=1024]

Type: string

Description of the object.

disabled

Type: boolean

Defines if the property is disabled.

expirationTime

Type: time

If set, the policy will be automatically deleted after the given time.

fallback

Type: boolean

Indicates that this is a fallback policy. It will only be applied if no other policies have been resolved. If the policy is also propagated it will become a fallback for child namespaces.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

propagationHidden

Type: boolean

If set to true while the policy is propagating, it won’t be visible to child namespaces, but it is still used for policy resolution.

protected

Type: boolean

Defines if the object is protected.

subject

Type: [][]string

A tag or tag expression that identifies the authorized user(s).

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

APICheck

Allows you to verify whether a client identified by its token is allowed to perform some operations on some APIs.

Example

{
  "namespace": "/namespace",
  "operation": "Create",
  "targetIdentities": [
    "processingunit",
    "enforcer"
  ]
}

Relations

POST /apichecks

Verifies the authorizations on various identities for a given token.

Attributes

authorized [autogenerated,read_only]

Type: map[string]bool

Contains the results of the check.

namespace [required]

Type: string

The namespace to use to check the API authorization.

operation [required]

Type: enum(Create | Delete | Info | Patch | Retrieve | RetrieveMany | Update)

The operation you want to check.

targetIdentities [required]

Type: []string

Contains the list of identities you want to check the authorization of.

AppCredential

Create an app credential.

Example

{
  "CSR": "-----BEGIN CERTIFICATE REQUEST-----
MIICvDCCAaQCAQAwdzELMAkGA1UEBhMCVVMxDTALBgNVBAgMBFV0YWgxDzANBgNV
BAcMBkxpbmRvbjEWMBQGA1UECgwNRGlnaUNlcnQgSW5jLjERMA8GA1UECwwIRGln
aUNlcnQxHTAbBgNVBAMMFGV4YW1wbGUuZGlnaWNlcnQuY29tMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8+To7d+2kPWeBv/orU3LVbJwDrSQbeKamCmo
wp5bqDxIwV20zqRb7APUOKYoVEFFOEQs6T6gImnIolhbiH6m4zgZ/CPvWBOkZc+c
1Po2EmvBz+AD5sBdT5kzGQA6NbWyZGldxRthNLOs1efOhdnWFuhI162qmcflgpiI
WDuwq4C9f+YkeJhNn9dF5+owm8cOQmDrV8NNdiTqin8q3qYAHHJRW28glJUCZkTZ
wIaSR6crBQ8TbYNE0dc+Caa3DOIkz1EOsHWzTx+n0zKfqcbgXi4DJx+C1bjptYPR
BPZL8DAeWuA8ebudVT44yEp82G96/Ggcf7F33xMxe0yc+Xa6owIDAQABoAAwDQYJ
KoZIhvcNAQEFBQADggEBAB0kcrFccSmFDmxox0Ne01UIqSsDqHgL+XmHTXJwre6D
hJSZwbvEtOK0G3+dr4Fs11WuUNt5qcLsx5a8uk4G6AKHMzuhLsJ7XZjgmQXGECpY
Q4mC3yT3ZoCGpIXbw+iP3lmEEXgaQL0Tx5LFl/okKbKYwIqNiyKWOMj7ZR/wxWg/
ZDGRs55xuoeLDJ/ZRFf9bI+IaCUd1YrfYcHIl3G87Av+r49YVwqRDT0VDV7uLgqn
29XI1PpVUNCPQGn9p/eX6Qo7vpDaPybRtA2R7XLKjQaF9oXWeCUqy1hvJac9QFO2
97Ob1alpHPoZ7mWiEuJwjBPii6a9M9G30nUo39lBi1w=
-----END CERTIFICATE REQUEST-----",
  "disabled": false,
  "name": "the name",
  "protected": false,
  "roles": [
    "@auth:role=enforcer",
    "@auth:role=kubesquall"
  ]
}

Relations

GET /appcredentials

Retrieves the list of app credentials.

Parameters:

  • q (string): Filtering query. Subsequent q parameters are combined with a logical OR.

POST /appcredentials

Creates a new app credential.

DELETE /appcredentials/:id

Deletes the app credential with the given ID.

Parameters:

  • q (string): Filtering query. Subsequent q parameters are combined with a logical OR.

GET /appcredentials/:id

Retrieves the app credential with the given ID.

PUT /appcredentials/:id

Updates the app credential with the given ID.

Attributes

CSR

Type: string

Contains a PEM-encoded certificate signing request (CSR). It can only be set during a renew.

  • The CN MUST be app:credential:<appcred-id>:<appcred-name>
  • The O MUST be the namespace of the app credential

If you send anything else, the signing request will be rejected.
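The two constraints above are the whole contract for a renew: the CN binds the request to one app credential and the O binds it to one namespace, so a CSR cannot be replayed to obtain a certificate for a different credential or namespace. The block below is an added example, not code from the page or from the Console, built on Go's standard crypto/x509. NewRenewCSR produces a PEM CSR that satisfies both rules, and CheckRenewCSR applies the same acceptance rule locally before anything is sent. The ID, name and namespace are constructed sample values; the real ones come from the app credential being renewed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample values; an operator substitutes the real app credential's
// ID, name and namespace.
const (
	sampleID        = "5d1a2b3c4e5f60718293a4b5" // hypothetical app credential ID
	sampleName      = "ci-runner"
	sampleNamespace = "/acme/prod"
)

// expectedCN builds the Common Name the documentation mandates:
// app:credential:<appcred-id>:<appcred-name>.
func expectedCN(id, name string) string {
	return fmt.Sprintf("app:credential:%s:%s", id, name)
}

// NewRenewCSR generates a fresh key and a PEM-encoded CSR whose Subject meets
// the two documented constraints. The private key is returned so the caller can
// pair it with the certificate that comes back from the renew.
func NewRenewCSR(id, name, namespace string) (csrPEM string, key *ecdsa.PrivateKey, err error) {
	key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject: pkix.Name{
			CommonName:   expectedCN(id, name),
			Organization: []string{namespace},
		},
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return "", nil, err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})), key, nil
}

// CheckRenewCSR mirrors the acceptance rule stated above: anything other than
// the mandated CN and a single O equal to the namespace is rejected. It also
// refuses a CSR whose self-signature does not verify, so a tampered request
// never reaches the signer.
func CheckRenewCSR(csrPEM, id, name, namespace string) error {
	block, _ := pem.Decode([]byte(csrPEM))
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return errors.New("not a PEM CERTIFICATE REQUEST")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return err
	}
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("CSR self-signature invalid: %w", err)
	}
	if want := expectedCN(id, name); csr.Subject.CommonName != want {
		return fmt.Errorf("CN %q must be %q", csr.Subject.CommonName, want)
	}
	if len(csr.Subject.Organization) != 1 || csr.Subject.Organization[0] != namespace {
		return fmt.Errorf("O %v must be exactly [%s]", csr.Subject.Organization, namespace)
	}
	return nil
}

func main() {
	csrPEM, _, err := NewRenewCSR(sampleID, sampleName, sampleNamespace)
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.TrimSpace(csrPEM))
	fmt.Println("own namespace:", CheckRenewCSR(csrPEM, sampleID, sampleName, sampleNamespace))
	fmt.Println("other namespace:", CheckRenewCSR(csrPEM, sampleID, sampleName, "/acme/dev"))
}
```

Running the check locally turns a vague server-side rejection into a precise message about which of the two fields is wrong, and the self-signature check catches a CSR that was edited after signing.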

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

authorizedSubnets

Type: []string

If set, the app credential will only be valid if the request comes from one of the declared subnets.

certificate [read_only]

Type: string

The string representation of the certificate used by the app credential.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

credentials [autogenerated,read_only]

Type: credential

The app credential data.

description [max_length=1024]

Type: string

Description of the object.

disabled

Type: boolean

Defines if the property is disabled.

email

Type: string

The email address that will receive a copy of the app credential.

maxIssuedTokenValidity

Type: string

If set, this will limit the maximum validity of the token issued from this app credential. This information will be embedded into the delivered certificate and cannot be changed once set. In order to change it, you need to renew the certificate.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

parentIDs [autogenerated,read_only]

Type: []string

Contains the ID of the parent app credential if this is a derived app credential.

protected

Type: boolean

Defines if the object is protected.

roles [required]

Type: []string

List of roles to give the app credential.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

Credential

Represents an app credential.

Attributes

APIURL

Type: string

The URL of the Microsegmentation Console API.

ID

Type: string

The ID of the app credential.

certificate

Type: string

The base64-encoded certificate.

certificateAuthority

Type: string

The base64-encoded certificate authority.

certificateKey

Type: string

The base64-encoded certificate key.

name

Type: string

The name of the app credential.

namespace

Type: string

The namespace of the app credential.

Role

Returns the available roles that can be used with API authorizations.

Relations

GET /roles

Retrieves the list of existing roles.

Attributes

authorizations [autogenerated,read_only]

Type: map[string][]string

Authorizations of the role.

description [autogenerated,read_only]

Type: string

Description of the role.

key [autogenerated,read_only]

Type: string

Key of the role.

name [autogenerated,read_only]

Type: string

Name of the role.

private [autogenerated,read_only]

Type: boolean

Set to true to make the role private and hidden from the UI.

policy/dns

DNSLookupReport

A DNS lookup report is used to report a DNS lookup that is happening on behalf of a processing unit. If the DNS server is on the standard UDP port 53 then the enforcer can proxy the DNS traffic and make a report. The report indicates whether or not the lookup was successful.

Example

{
  "action": "Accept",
  "enforcerNamespace": "/my/namespace",
  "processingUnitID": "xxx-xxx-xxx",
  "processingUnitNamespace": "/my/namespace",
  "resolvedName": "www.google.com",
  "sourceIP": "10.0.0.1",
  "value": 1
}

Relations

POST /dnslookupreports

Create a DNS Lookup report.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

action [required]

Type: enum(Accept | Reject)

Action of the DNS request.

enforcerID

Type: string

ID of the enforcer.

enforcerNamespace [required]

Type: string

Namespace of the enforcer.

processingUnitID [required]

Type: string

ID of the PU.

processingUnitNamespace [required]

Type: string

Namespace of the PU.

reason

Type: string

This field is only set when the lookup fails. It specifies the reason for the failure.

resolvedName [required]

Type: string

Name used for DNS resolution.

sourceIP [required]

Type: string

Type of the source.

timestamp

Type: time

Time and date of the log.

value [required]

Type: integer

Number of times the client saw this activity.

policy/enforcerconfig

EnforcerProfile

Allows you to create reusable configuration profiles for your enforcers. Enforcer profiles contain various startup information that can (for some) be updated live. Enforcer profiles are assigned to enforcers using an enforcer profile mapping.

Example

{
  "kubernetesMetadataExtractor": "PodAtomic",
  "kubernetesSupportEnabled": false,
  "metadataExtractor": "Docker",
  "name": "the name",
  "propagate": false,
  "protected": false
}

Relations

GET /enforcerprofiles

Retrieves the list of enforcer profiles.

Parameters:

  • q (string): Filtering query. Subsequent q parameters are combined with a logical OR.
  • propagated (boolean): Also retrieve the objects that propagate down.

POST /enforcerprofiles

Creates a new enforcer profile.

DELETE /enforcerprofiles/:id

Deletes the enforcer profile with the given ID.

Parameters:

  • q (string): Filtering query. Subsequent q parameters are combined with a logical OR.

GET /enforcerprofiles/:id

Retrieves the enforcer profile with the given ID.

Parameters:

  • propagated (boolean): Also retrieve the objects that propagate down.

PUT /enforcerprofiles/:id

Updates the enforcer profile with the given ID.

GET /enforcerprofilemappingpolicies/:id/enforcerprofiles

Returns the list of enforcer profiles that an enforcer profile mapping matches.

GET /enforcers/:id/enforcerprofiles

Returns the enforcer profile that must be used by an enforcer.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

description [max_length=1024]

Type: string

Description of the object.

excludedInterfaces

Type: []string

Ignore traffic with a source or destination matching the specified interfaces.

excludedNetworks

Type: []string

Ignore any networks specified here and do not even report any flows. This can be useful for excluding localhost loopback traffic, ignoring traffic to the Kubernetes API, and using Microsegmentation for SSH only.

ignoreExpression

Type: [][]string

A tag expression that identifies processing units to ignore. This can be useful to exclude kube-system pods, AWS EC2 agent pods, and third-party agents.

kubernetesMetadataExtractor

This attribute is deprecated.

Type: enum(KubeSquall | PodAtomic | PodContainers)

This field is kept for backward compatibility for enforcers <= 3.5.

Default value:

"PodAtomic"

kubernetesSupportEnabled

This attribute is deprecated.

Type: boolean

This field is kept for backward compatibility for enforcers <= 3.5.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

metadataExtractor

This attribute is deprecated.

Type: enum(Docker | ECS | Kubernetes)

This field is kept for backward compatibility for enforcers <= 3.5.

Default value:

"Docker"

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

propagate

Type: boolean

Propagates the policy to all of its children.

protected

Type: boolean

Defines if the object is protected.

targetNetworks

Type: []string

If empty, the enforcer auto-discovers the TCP networks. Auto-discovery works best in Kubernetes and OpenShift deployments. You may need to manually specify the TCP networks if middle boxes exist that do not comply with TCP Fast Open RFC 7413.

targetUDPNetworks

Type: []string

If empty, the enforcer enforces all UDP networks. This works best when all UDP networks have enforcers. If some UDP networks do not have enforcers, you may need to manually specify the UDP networks that should be enforced.

trustedCAs

Type: []string

List of trusted certificate authorities. If empty, the main chain of trust will be used.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

EnforcerProfileMappingPolicy

Allows you to map an enforcer profile to one or more enforcers. The mapping can also be propagated down to the child namespace.

Example

{
  "disabled": false,
  "fallback": false,
  "name": "the name",
  "object": [
    [
      "a=a",
      "b=b"
    ],
    [
      "c=c"
    ]
  ],
  "propagate": false,
  "protected": false,
  "subject": [
    [
      "a=a",
      "b=b"
    ],
    [
      "c=c"
    ]
  ]
}

Relations

GET /enforcerprofilemappingpolicies

Retrieves the list of enforcer profile mappings.

Parameters:

  • q (string): Filtering query. Consequent q parameters will form an or.
  • propagated (boolean): Also retrieve the objects that propagate down.
POST /enforcerprofilemappingpolicies

Creates a new enforcer profile mapping.

DELETE /enforcerprofilemappingpolicies/:id

Deletes the mapping with the given ID.

Parameters:

  • q (string): Filtering query. Consequent q parameters will form an or.
GET /enforcerprofilemappingpolicies/:id

Retrieves the mapping with the given ID.

PUT /enforcerprofilemappingpolicies/:id

Updates the mapping with the given ID.

GET /enforcerprofilemappingpolicies/:id/enforcerprofiles

Returns the list of enforcer profiles that an enforcer profile mapping matches.

GET /enforcerprofilemappingpolicies/:id/enforcers

Returns the list of enforcers affected by an enforcer profile mapping.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

description [max_length=1024]

Type: string

Description of the object.

disabled

Type: boolean

Defines if the property is disabled.

fallback

Type: boolean

Indicates that this is a fallback policy. It will only be applied if no other policies have been resolved. If the policy is also propagated, it will become a fallback for child namespaces.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

object

Type: [][]string

The tag or tag expression that identifies the enforcer profile to be mapped.

propagate

Type: boolean

Propagates the policy to all of its children.

protected

Type: boolean

Defines if the object is protected.

subject

Type: [][]string

The tag or tag expression that identifies the enforcers that should implement the mapped profile.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.
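The subject and object attributes above are tag expressions, and fallback changes how a mapping is resolved. The following is an added example (not project code) of how an enforcer's tags are matched against such expressions and how fallback policies are only consulted when no regular policy matched. It assumes the usual reading of a [][]string expression: every tag in an inner list must be present (AND), any inner list may match (OR), and an empty inner list matches nothing; the policy names and tags are constructed.

```python
"""Tag-expression matching and fallback resolution for
EnforcerProfileMappingPolicy objects. Added example, not project code. It assumes
the usual reading of a [][]string expression: every tag in an inner list must be
present (AND), and any inner list may match (OR); an empty inner list matches
nothing."""
from dataclasses import dataclass
from typing import List, Set

TagExpression = List[List[str]]


def matches(expression: TagExpression, tags: Set[str]) -> bool:
    """True if at least one clause has all of its tags in `tags`."""
    return any(clause and all(t in tags for t in clause) for clause in expression)


@dataclass
class MappingPolicy:
    name: str
    subject: TagExpression        # enforcers that should implement the profile
    object: TagExpression         # enforcer profile(s) being mapped
    fallback: bool = False        # applied only when no regular policy resolved
    disabled: bool = False


def resolve(enforcer_tags: Set[str], policies: List[MappingPolicy]) -> List[str]:
    """Names of the mapping policies that apply to an enforcer with these tags.
    Disabled policies are skipped; fallback policies are consulted only when no
    regular policy matched, as the fallback attribute describes."""
    enabled = [p for p in policies if not p.disabled]
    regular = [p.name for p in enabled
               if not p.fallback and matches(p.subject, enforcer_tags)]
    if regular:
        return regular
    return [p.name for p in enabled
            if p.fallback and matches(p.subject, enforcer_tags)]


# Constructed sample policies (hypothetical names and tags)
POLICIES = [
    MappingPolicy("web-profile", subject=[["role=web", "env=prod"]],
                  object=[["profile=web"]]),
    MappingPolicy("db-profile", subject=[["role=db"]], object=[["profile=db"]]),
    MappingPolicy("default-profile", subject=[["$identity=enforcer"]],
                  object=[["profile=default"]], fallback=True),
    MappingPolicy("legacy-profile", subject=[["role=web"]],
                  object=[["profile=legacy"]], disabled=True),
]

if __name__ == "__main__":
    for tags in ({"$identity=enforcer", "role=web", "env=prod"},
                 {"$identity=enforcer", "role=cache"}):
        print(sorted(tags), "->", resolve(tags, POLICIES))
```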

TrustedCA

Represents a trusted certificate authority (CA).

Relations

GET /trustedcas

Retrieves the trusted CAs of a namespace.

Parameters:

  • type (enum(Any | X509 | SSH | JWT)): The type of certificates that it should return.
GET /enforcers/:id/trustedcas

Returns the list of certificate authorities that should be trusted by this enforcer.

Parameters:

  • type (enum(Any | X509 | SSH)): Type of certificate to get.
GET /namespaces/:id/trustedcas

Returns the list of trusted CAs for this namespace.

Parameters:

  • type (enum(Any | X509 | SSH | JWT)): Type of certificate to get.

Attributes

certificate [autogenerated,read_only]

Type: string

The private certificate of the corresponding type associated with this namespace.

controller [autogenerated,read_only]

Type: string

The controller that this certificate or CA was issued from.

namespace [autogenerated,read_only]

Type: string

The namespace that this certificate or CA was defined at.

namespaceID [autogenerated,read_only]

Type: string

The ID of namespace that this certificate or CA was defined at.

serialnumber [autogenerated,read_only]

Type: string

SerialNumber is the serial number of the certificate.

type [autogenerated,read_only]

Type: enum(X509 | SSH | JWT)

Type of the certificate.

TrustedNamespace

This object allows you to declare trust between namespaces that are cryptographically isolated. The namespaces can be local or served by different Microsegmentation Console controllers.

Example

{
  "certificateAuthority": "-----BEGIN CERTIFICATE-----
MIIBbjCCARSgAwIBAgIRANRbvVzTzBZOvMCb8BiKCLowCgYIKoZIzj0EAwIwJjEN
MAsGA1UEChMEQWNtZTEVMBMGA1UEAxMMQWNtZSBSb290IENBMB4XDTE4MDExNTE4
NDgwN1oXDTI3MTEyNDE4NDgwN1owJjENMAsGA1UEChMEQWNtZTEVMBMGA1UEAxMM
QWNtZSBSb290IENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJ/80HR51+vau
7XH7zS7b8ABA0e/TdBOg1NznbnXdXil1tDvWloWuH5+/bbaiEg54wksJHFXaukw8
jhTLU7zT56MjMCEwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wCgYI
KoZIzj0EAwIDSAAwRQIhALwAZh2KLFFC1qfb5CqFHExlXS0PUltax9PvQCN9P0vl
AiBl7/st9u/JpERjJgirxJxOgKNlV6pq9ti75EfQtZZcQA==
-----END CERTIFICATE-----",
  "name": "the name",
  "protected": false
}

Relations

GET /trustednamespaces

Retrieves the list of trusted namespaces.

Parameters:

  • q (string): Filtering query. Consequent q parameters will form an or.
  • propagated (boolean): Also retrieve the objects that propagate down.
POST /trustednamespaces

Creates a new trusted namespace.

DELETE /trustednamespaces/:id

Delete the trusted namespace with the given ID.

GET /trustednamespaces/:id

Retrieve the trusted namespace with the given ID.

PUT /trustednamespaces/:id

Update the trusted namespace with the given ID.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

certificateAuthority

Type: string

Contains the PEM block of the certificate authority of the trusted namespace.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

propagate [autogenerated,read_only]

Type: boolean

Propagates the object to all of its children.

Default value:

true
protected

Type: boolean

Defines if the object is protected.

remoteController [autogenerated,read_only]

Type: string

The controller declared in the certificate authority.

remoteNamespace [autogenerated,read_only]

Type: string

The namespace declared in the certificate authority.

serialNumber [autogenerated,read_only]

Type: string

The serial number of the CA.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

policy/files

FileAccessPolicy

A file access policy allows processing units to access various folders and files. It uses the tags of a file path to identify the file or folder to which access is allowed. You can grant the processing unit any combination of read, write, or execute.

When a processing unit is a Docker container, the policy polices its volumes; mount and execute won’t have any effect.

File paths are not supported yet for standard Linux processes.

Example

{
  "allowsExecute": false,
  "allowsRead": false,
  "allowsWrite": false,
  "disabled": false,
  "encryptionEnabled": false,
  "fallback": false,
  "logsEnabled": false,
  "name": "the name",
  "propagate": false,
  "protected": false
}

Relations

GET /fileaccesspolicies

Retrieves the list of file access policies.

Parameters:

  • q (string): Filtering query. Consequent q parameters will form an or.
  • propagated (boolean): Also retrieve the objects that propagate down.
POST /fileaccesspolicies

Creates a new file access policy.

DELETE /fileaccesspolicies/:id

Deletes the policy with the given ID.

Parameters:

  • q (string): Filtering query. Consequent q parameters will form an or.
GET /fileaccesspolicies/:id

Retrieves the policy with the given ID.

PUT /fileaccesspolicies/:id

Updates the policy with the given ID.

GET /fileaccesspolicies/:id/filepaths

Returns the list of file paths that match the policy.

GET /fileaccesspolicies/:id/processingunits

Returns the list of processing units that match the policy.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

activeDuration [format=^[0-9]+[smh]$]

Type: string

Defines for how long the policy will be active according to the activeSchedule.

activeSchedule

Type: string

Defines when the policy should be active using the cron notation. The policy will be active for the given activeDuration.

allowsExecute

Type: boolean

Allows files to be executed.

allowsRead

Type: boolean

Allows files to be read.

allowsWrite

Type: boolean

Allows files to be written.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

description [max_length=1024]

Type: string

Description of the object.

disabled

Type: boolean

Defines if the property is disabled.

encryptionEnabled

Type: boolean

Set to true to enable automatic encryption.

expirationTime

Type: time

If set the policy will be automatically deleted after the given time.

fallback

Type: boolean

Indicates that this is a fallback policy. It will only be applied if no other policies have been resolved. If the policy is also propagated, it will become a fallback for child namespaces.

logsEnabled

Type: boolean

A value of true enables logging.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

object

Type: [][]string

The object of the policy.

propagate

Type: boolean

Propagates the policy to all of its children.

protected

Type: boolean

Defines if the object is protected.

subject

Type: [][]string

The subject of the policy.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

FileAccessReport

Post a new file access report.

Example

{
  "action": "Accept",
  "host": "localhost",
  "mode": "rxw",
  "path": "/etc/passwd",
  "processingUnitID": "xxx-xxx-xxx-xxx",
  "processingUnitNamespace": "/my/ns",
  "timestamp": "2018-06-14T23:10:46.420397985Z"
}

Relations

POST /fileaccessreports

Create a file access statistics report.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

action [required]

Type: enum(Accept | Reject | Limit)

Action taken.

host [required]

Type: string

Host storing the file.

Default value:

"localhost"
mode [required]

Type: string

Mode of file access.

Default value:

"rxw"
path [required]

Type: string

Path of the file.

Default value:

"/etc/passwd"
processingUnitID [required]

Type: string

ID of the processing unit.

processingUnitNamespace [required]

Type: string

Namespace of the processing unit.

timestamp [required]

Type: time

Date of the report.

FilePath

A file path represents an arbitrary path to a file or a folder. File paths can be used in file access policies to allow processing units to access them, using various modes (read, write, execute). You will need to use the file path's tags to set policies; good examples would be volume=web or file=/etc/passwd.

Example

{
  "filepath": "/etc/passwd",
  "name": "the name",
  "propagate": false,
  "protected": false
}

Relations

GET /filepaths

Retrieves the list of file paths.

Parameters:

  • q (string): Filtering query. Consequent q parameters will form an or.
  • archived (boolean): Also retrieve the objects that have been archived.
  • propagated (boolean): Also retrieve the objects that propagate down.
POST /filepaths

Create a new file path.

DELETE /filepaths/:id

Deletes the object with the given ID.

Parameters:

  • q (string): Filtering query. Consequent q parameters will form an or.
GET /filepaths/:id

Retrieves the object with the given ID.

Parameters:

  • archived (boolean): Also retrieve the objects that have been archived.
  • propagated (boolean): Also retrieve the objects that propagate down.
PUT /filepaths/:id

Updates the object with the given ID.

GET /fileaccesspolicies/:id/filepaths

Returns the list of file paths that match the policy.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

description [max_length=1024]

Type: string

Description of the object.

filepath [required]

Type: string

FilePath refers to the file mount path.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

propagate

Type: boolean

Propagates the policy to all of its children.

protected

Type: boolean

Defines if the object is protected.

server [creation_only]

Type: string

The server name, ID, or IP address associated with the file path.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

policy/hooks

HookPolicy

Allows you to define hooks to the write operations in squall. Hooks are sent to an external Rufus server that will do the processing and eventually return a modified version of the object before we save it.

Example

{
  "certificateAuthority": "-----BEGIN CERTIFICATE-----
MIIBbjCCARSgAwIBAgIRANRbvVzTzBZOvMCb8BiKCLowCgYIKoZIzj0EAwIwJjEN
MAsGA1UEChMEQWNtZTEVMBMGA1UEAxMMQWNtZSBSb290IENBMB4XDTE4MDExNTE4
NDgwN1oXDTI3MTEyNDE4NDgwN1owJjENMAsGA1UEChMEQWNtZTEVMBMGA1UEAxMM
QWNtZSBSb290IENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJ/80HR51+vau
7XH7zS7b8ABA0e/TdBOg1NznbnXdXil1tDvWloWuH5+/bbaiEg54wksJHFXaukw8
jhTLU7zT56MjMCEwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wCgYI
KoZIzj0EAwIDSAAwRQIhALwAZh2KLFFC1qfb5CqFHExlXS0PUltax9PvQCN9P0vl
AiBl7/st9u/JpERjJgirxJxOgKNlV6pq9ti75EfQtZZcQA==
-----END CERTIFICATE-----",
  "clientCertificate": "-----BEGIN CERTIFICATE-----
MIIBczCCARigAwIBAgIRALD3Vz81Pq10g7n4eAkOsCYwCgYIKoZIzj0EAwIwJjEN
MAsGA1UEChMEQWNtZTEVMBMGA1UEAxMMQWNtZSBSb290IENBMB4XDTE4MDExNzA2
NTM1MloXDTI3MTEyNjA2NTM1MlowGDEWMBQGA1UEAxMNY2xhaXJlLWNsaWVudDBZ
MBMGByqGSM49AgEGCCqGSM49AwEHA0IABOmzPJj+t25T148eQH5gVrZ7nHwckF5O
evJQ3CjSEMesjZ/u7cW8IBfXlxZKHxl91IEbbB3svci4c8pycUNZ2kujNTAzMA4G
A1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAA
MAoGCCqGSM49BAMCA0kAMEYCIQCjAAmkQpTua0HR4q6jnePaFBp/JMXwTXTxzbV6
peGbBQIhAP+1OR8GFnn2PlacwHqWXHwkvy6CLPVikvgtwEdB6jH8
-----END CERTIFICATE-----",
  "clientCertificateKey": "-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIGOXJI/123456789oamOu4tQAIKFdbyvkIJg9GME0mHzoAoGCCqGSM49
AwEHoUQDQgAE6bM8mP123456789AfmBWtnucfByQXk568lDcKNIQx6yNn+7txbwg
F9eXFkofGX3UgRtsHe123456789xQ1naSw==
-----END EC PRIVATE KEY-----",
  "continueOnError": false,
  "disabled": false,
  "endpoint": "https://hooks.hookserver.com/remoteprocessors",
  "endpointType": "URL",
  "fallback": false,
  "mode": "Pre",
  "name": "the name",
  "propagate": false,
  "propagationHidden": false,
  "protected": false,
  "selectors": [
    [
      "automation:name=myautomation"
    ]
  ],
  "subject": [
    [
      "$identity=processingunit"
    ]
  ]
}

Relations

GET /hookpolicies

Retrieves the list of hooks.

Parameters:

  • q (string): Filtering query. Consequent q parameters will form an or.
  • propagated (boolean): Also retrieve the objects that propagate down.
POST /hookpolicies

Creates a new hook.

DELETE /hookpolicies/:id

Deletes the hook with the given ID.

Parameters:

  • q (string): Filtering query. Consequent q parameters will form an or.
GET /hookpolicies/:id

Retrieves the hook with the given ID.

PUT /hookpolicies/:id

Updates the hook with the given ID.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

certificateAuthority

Type: string

Contains the PEM block of the certificate authority used by the remote endpoint.

clientCertificate

Type: string

Contains the client certificate that will be used to connect to the remote endpoint. If provided, the private key associated with this certificate must also be configured.

clientCertificateKey

Type: string

Contains the key associated with the clientCertificate. It must be provided only when clientCertificate has been configured.

continueOnError

Type: boolean

If set to true and mode is Pre, the request will be honored even if calling the hook fails.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

description [max_length=1024]

Type: string

Description of the object.

disabled

Type: boolean

Defines if the property is disabled.

endpoint

Type: string

Contains the full address of the remote processor endpoint.

endpointType

Type: enum(URL | Automation)

Defines the type of endpoint for the hook.

Default value:

"URL"
expirationTime

Type: time

If set the hook will be automatically deleted after the given time.

fallback

Type: boolean

Indicates that this is a fallback policy. It will only be applied if no other policies have been resolved. If the policy is also propagated, it will become a fallback for child namespaces.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

mode

Type: enum(Both | Post | Pre)

Defines the type of hook.

Default value:

"Pre"
name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

propagate

Type: boolean

Propagates the policy to all of its children.

propagationHidden

Type: boolean

If set to true while the policy is propagating, it won’t be visible to child namespaces, but will still be used for policy resolution.

protected

Type: boolean

Defines if the object is protected.

selectors

Type: [][]string

A tag or tag expression that identifies the automation that must be run in case no endpoint is provided.

subject

Type: [][]string

Contains the tag expression that an object must match in order to trigger the hook.

triggerOperations

Type: []string

Selects the operation(s) on which the hook triggers. An empty list means all operations. Only combinations of create, update, and delete are allowed; any other value will trigger a validation error.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

RemoteProcessor

Hook to integrate a Microsegmentation service.

Example

{
  "claims": [
    "@auth:realm=certificate",
    "@auth:commonname=john"
  ],
  "input": "{\"name\": \"hello\", \"description\": \"hello\"}",
  "mode": "Pre",
  "namespace": "/my/namespace",
  "operation": "create",
  "targetIdentity": "processingunit"
}

Relations

POST /remoteprocessors

This should be here.

Attributes

claims [required]

Type: []string

Represents the claims of the currently managed object.

input [required]

Type: json.RawMessage

Represents data received from the service.

mode

Type: enum(Post | Pre)

Defines the hook’s type.

namespace [required]

Type: string

Represents the current namespace.

operation [required]

Type: elemental.Operation

Defines the operation that is currently handled by the service.

output [autogenerated,read_only]

Type: _elemental_identifiable

Returns OutputData filled with the processor information.

requestID

Type: string

Gives the ID of the request coming from the main server.

targetIdentity [required]

Type: string

Represents the identity name of the managed object.

policy/hosts

HostService

Represents services that a host must expose and protect.

Example

{
  "hostModeEnabled": false,
  "name": "the name",
  "propagate": false,
  "protected": false
}

Relations

GET /hostservices

Retrieves the list of host services.

Parameters:

  • q (string): Filtering query. Consequent q parameters will form an or.
  • propagated (boolean): Also retrieve the objects that propagate down.
POST /hostservices

Creates a new host service.

DELETE /hostservices/:id

Deletes the host service with the given ID.

Parameters:

  • q (string): Filtering query. Consequent q parameters will form an or.
GET /hostservices/:id

Retrieves the host service with the given ID.

Parameters:

  • archived (boolean): Also retrieve the objects that have been archived.
  • propagated (boolean): Also retrieve the objects that propagate down.
PUT /hostservices/:id

Updates the host service with the given ID.

GET /enforcers/:id/hostservices

Returns a list of the host service policies that apply to this enforcer.

Parameters:

  • appliedServices (boolean): Valid when retrieved for a given enforcer and returns the applied services.
  • setServices (boolean): Instructs Microsegmentation Console to cache the services that were resolved.
GET /hostservicemappingpolicies/:id/hostservices

Returns the list of host services that are referenced by this mapping.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

description [max_length=1024]

Type: string

Description of the object.

hostModeEnabled

Type: boolean

Forces the corresponding enforcers to enable host protection. When true, all incoming and outgoing flows will be monitored. Flows will be allowed if and only if a network policy has been created to allow the flow. The option applies to all enforcers to which the host service is mapped.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

propagate

Type: boolean

Propagates the policy to all of its children.

protected

Type: boolean

Defines if the object is protected.

services

Type: []string

Lists all protocols and ports on which a service is running. A service entry can be defined by a protocol and port (tcp/80), or a range of protocol/port pairs (udp/80:100). If no protocol is provided, it is assumed to be TCP. Only tcp and udp protocols are allowed.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

HostServiceMappingPolicy

Host service mapping allows you to map host services to the enforcers that should implement them. You must map host services to one or more enforcers for the host services to have any effect.

Example

{
  "disabled": false,
  "fallback": false,
  "name": "the name",
  "propagate": false,
  "protected": false
}

Relations

GET /hostservicemappingpolicies

Retrieves the list of host service mappings.

Parameters:

  • q (string): Filtering query. Consequent q parameters will form an or.
  • propagated (boolean): Also retrieve the objects that propagate down.
POST /hostservicemappingpolicies

Creates a new host service mapping.

DELETE /hostservicemappingpolicies/:id

Deletes the mapping with the given ID.

Parameters:

  • q (string): Filtering query. Consequent q parameters will form an or.
GET /hostservicemappingpolicies/:id

Retrieves the mapping with the given ID.

Parameters:

  • propagated (boolean): Also retrieve the objects that propagate down.
PUT /hostservicemappingpolicies/:id

Updates the mapping with the given ID.

GET /hostservicemappingpolicies/:id/enforcers

Returns the list of enforcers that are affected by this mapping.

GET /hostservicemappingpolicies/:id/hostservices

Returns the list of host services that are referenced by this mapping.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

activeDuration [format=^[0-9]+[smh]$]

Type: string

Defines for how long the policy will be active according to the activeSchedule.

activeSchedule

Type: string

Defines when the policy should be active using the cron notation. The policy will be active for the given activeDuration.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

description [max_length=1024]

Type: string

Description of the object.

disabled

Type: boolean

Defines if the property is disabled.

fallback

Type: boolean

Indicates that this is a fallback policy. It will only be applied if no other policies have been resolved. If the policy is also propagated, it will become a fallback for child namespaces.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

object

Type: [][]string

A tag or tag expression identifying the host service(s) to be mapped.

propagate

Type: boolean

Propagates the policy to all of its children.

protected

Type: boolean

Defines if the object is protected.

subject

Type: [][]string

A tag or tag expression identifying the enforcer(s) that should implement the specified host service(s).

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

policy/networking

Claims

Represents the claims in the token used to access a service.

Example

{
  "content": {
    "exp": 1553899021,
    "iat": 1553888221,
    "iss": "https://accounts.acme.com",
    "sub": "alice@acme.com"
  },
  "hash": "1134423925458173049"
}

Relations

GET /claims

Retrieves the list of claims.

Parameters:

  • q (string): Filtering query. Consequent q parameters will form an or.
POST /claims

Creates a new claims record.

GET /claims/:id

Retrieves the object with the given ID.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

content [creation_only]

Type: map[string]string

Contains the raw JSON web token (JWT) claims.

hash [required]

Type: string

XXH64 hash of the claims content. It is used as the ID. To compute a correct hash, flatten the content into a string array of key=value entries, sort it, then apply the XXH64 function.
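An added example (not project code) of computing this hash: the claims content is flattened to sorted key=value strings and hashed with a pure-Python XXH64, rendered as a decimal string like the hash value in the example above. Joining the sorted entries with a newline before hashing is an assumption, since the page does not state how the array is serialised, and the sample content is constructed from the example.

```python
"""Computing Claims.hash: flatten the claims content into key=value strings,
sort them, and take the XXH64 of the result. Added example, not project code;
the XXH64 below is a pure-Python implementation of the public algorithm, and
joining the sorted entries with "\\n" before hashing is an assumption, since the
page does not state how the array is serialised."""
import struct
from typing import Dict, List

# XXH64 primes and 64-bit mask
P1 = 0x9E3779B185EBCA87
P2 = 0xC2B2AE3D27D4EB4F
P3 = 0x165667B19E3779F9
P4 = 0x85EBCA77C2B2AE63
P5 = 0x27D4EB2F165667C5
MASK = (1 << 64) - 1


def _rotl(x: int, r: int) -> int:
    return ((x << r) | (x >> (64 - r))) & MASK


def _round(acc: int, lane: int) -> int:
    acc = (acc + lane * P2) & MASK
    return (_rotl(acc, 31) * P1) & MASK


def _merge(acc: int, val: int) -> int:
    acc ^= _round(0, val)
    return (acc * P1 + P4) & MASK


def xxh64(data: bytes, seed: int = 0) -> int:
    """XXH64 of `data` as an unsigned 64-bit integer."""
    n, i = len(data), 0
    if n >= 32:
        # four accumulators over 32-byte stripes
        v1 = (seed + P1 + P2) & MASK
        v2 = (seed + P2) & MASK
        v3 = seed & MASK
        v4 = (seed - P1) & MASK
        while i + 32 <= n:
            l1, l2, l3, l4 = struct.unpack_from("<4Q", data, i)
            v1, v2 = _round(v1, l1), _round(v2, l2)
            v3, v4 = _round(v3, l3), _round(v4, l4)
            i += 32
        h = (_rotl(v1, 1) + _rotl(v2, 7) + _rotl(v3, 12) + _rotl(v4, 18)) & MASK
        for v in (v1, v2, v3, v4):
            h = _merge(h, v)
    else:
        h = (seed + P5) & MASK
    h = (h + n) & MASK
    while i + 8 <= n:                      # remaining 8-byte words
        (k,) = struct.unpack_from("<Q", data, i)
        h ^= _round(0, k)
        h = (_rotl(h, 27) * P1 + P4) & MASK
        i += 8
    if i + 4 <= n:                         # at most one 4-byte word
        (k,) = struct.unpack_from("<I", data, i)
        h ^= (k * P1) & MASK
        h = (_rotl(h, 23) * P2 + P3) & MASK
        i += 4
    while i < n:                           # trailing bytes
        h ^= (data[i] * P5) & MASK
        h = (_rotl(h, 11) * P1) & MASK
        i += 1
    h ^= h >> 33                           # final avalanche
    h = (h * P2) & MASK
    h ^= h >> 29
    h = (h * P3) & MASK
    h ^= h >> 32
    return h


def flatten_claims(content: Dict[str, str]) -> List[str]:
    """Sorted key=value array as the page describes; values are cast to str
    because Claims.content is typed map[string]string."""
    return sorted(f"{k}={v}" for k, v in content.items())


def claims_hash(content: Dict[str, str]) -> str:
    # Newline join is an assumption; the result is the decimal form of the
    # unsigned 64-bit hash, matching the shape of the page's example value.
    return str(xxh64("\n".join(flatten_claims(content)).encode("utf-8")))


# Constructed sample input mirroring the page's example content
SAMPLE_CONTENT = {
    "sub": "alice@acme.com",
    "iss": "https://accounts.acme.com",
    "exp": "1553899021",
    "iat": "1553888221",
}

if __name__ == "__main__":
    print(flatten_claims(SAMPLE_CONTENT))
    print(claims_hash(SAMPLE_CONTENT))
```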

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

ExternalNetwork

An external network represents an arbitrary network or IP address that is not managed by Microsegmentation. External networks can be used in network policies to allow traffic from or to the declared network or IP, using the provided protocol and port (or range of ports). If you want to describe the internet (i.e., anywhere), use 0.0.0.0/0 as the address and 1-65000 for the ports. You must assign the external network one or more tags. These allow you to reference the external network from your network policies.

Example

{
  "name": "the name",
  "propagate": false,
  "protected": false,
  "servicePorts": [
    "tcp/80",
    "udp/80:100"
  ],
  "type": "Subnet"
}

Relations

GET /externalnetworks

Retrieves the list of external networks.

Parameters:

  • q (string): Filtering query. Consequent q parameters will form an or.
  • archived (boolean): Also retrieve the objects that have been archived.
  • propagated (boolean): Also retrieve the objects that propagate down.
POST /externalnetworks

Creates a new external network.

DELETE /externalnetworks/:id

Deletes the object with the given ID.

Parameters:

  • q (string): Filtering query. Consequent q parameters will form an or.
GET /externalnetworks/:id

Retrieves the object with the given ID.

Parameters:

  • archived (boolean): Also retrieve the objects that have been archived.
  • propagated (boolean): Also retrieve the objects that propagate down.
PUT /externalnetworks/:id

Updates the object with the given ID.

GET /infrastructurepolicies/:id/externalnetworks

Returns the list of external networks affected by an infrastructure policy.

Parameters:

  • mode (enum(subject | object)): Matching mode.
GET /networkaccesspolicies/:id/externalnetworks

Returns the list of external networks affected by a network policy.

Parameters:

  • mode (enum(subject | object)): Matching mode.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

description [max_length=1024]

Type: string

Description of the object.

entries

Type: []string

List of CIDRs or domain names.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

propagate

Type: boolean

Propagates the policy to all of its children.

protected

Type: boolean

Defines if the object is protected.

servicePorts [required]

Type: []string

List of protocol/port entries, such as tcp/80 or udp/80:100.
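The servicePorts entries here use the same protocol/port notation as HostService.services above (tcp/80, udp/80:100, bare port meaning TCP, only tcp and udp allowed). The following is an added example (not project code) of a parser and validator for that notation, plus a check of whether a protocol/port pair falls inside the declared entries. Port bounds of 1-65535 and accepting "-" as well as ":" as the range separator (the page writes ranges both ways) are assumptions.

```python
"""Parser and validator for the protocol/port entries used by
HostService.services and ExternalNetwork.servicePorts ("tcp/80",
"udp/80:100", bare "443" meaning TCP). Added example, not project code. Port
bounds of 1-65535 and accepting "-" as well as ":" as the range separator (the
page writes ranges both ways) are assumptions."""
import re
from typing import List, NamedTuple


class ServiceEntry(NamedTuple):
    protocol: str   # "tcp" or "udp"
    start: int
    end: int        # equals start for a single port


# optional "<proto>/", a start port, optional ":<end>" or "-<end>"
_ENTRY = re.compile(
    r"^(?:(?P<proto>[A-Za-z]+)/)?(?P<start>\d+)(?:[:-](?P<end>\d+))?$")


def parse_entry(spec: str) -> ServiceEntry:
    """Parse one entry, rejecting anything the page says is not allowed."""
    m = _ENTRY.match(spec.strip())
    if not m:
        raise ValueError(f"malformed service entry: {spec!r}")
    proto = (m.group("proto") or "tcp").lower()   # no protocol means TCP
    if proto not in ("tcp", "udp"):
        raise ValueError(f"only tcp and udp are allowed: {spec!r}")
    start = int(m.group("start"))
    end = int(m.group("end")) if m.group("end") else start
    if not (1 <= start <= 65535 and 1 <= end <= 65535):
        raise ValueError(f"port out of range: {spec!r}")
    if start > end:
        raise ValueError(f"range start exceeds end: {spec!r}")
    return ServiceEntry(proto, start, end)


def parse_services(specs: List[str]) -> List[ServiceEntry]:
    """Parse a whole services / servicePorts list; fails on the first bad entry."""
    return [parse_entry(s) for s in specs]


def covers(entries: List[ServiceEntry], protocol: str, port: int) -> bool:
    """True if protocol/port falls inside any entry, e.g. to check whether a
    flow's destination is part of the declared service."""
    return any(e.protocol == protocol and e.start <= port <= e.end
               for e in entries)


if __name__ == "__main__":
    svc = parse_services(["tcp/80", "udp/80:100", "443"])
    print(svc)
    print("udp/90 covered:", covers(svc, "udp", 90))
```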

type

Type: enum(ENI | RDSCluster | RDSInstance | SecurityGroup | Subnet)

The type of external network (default Subnet).

Default value:

"Subnet"
updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

FlowReport

Post a new flow log.

Example

{
  "action": "Accept",
  "destinationController": "api.east.acme.com",
  "destinationID": "xxx-xxx-xxx",
  "destinationNamespace": "/my/namespace",
  "destinationPlatform": "api.east.acme.com",
  "destinationType": "ProcessingUnit",
  "encrypted": false,
  "namespace": "/my/namespace",
  "observed": false,
  "observedAction": "NotApplicable",
  "observedEncrypted": false,
  "observedPolicyID": "xxx-xxx-xxx",
  "observedPolicyNamespace": "/my/namespace",
  "policyID": "xxx-xxx-xxx",
  "policyNamespace": "/my/namespace",
  "protocol": 6,
  "serviceType": "NotApplicable",
  "sourceController": "api.west.acme.com",
  "sourceID": "xxx-xxx-xxx",
  "sourceNamespace": "/my/namespace",
  "sourcePlatform": "api.west.acme.com",
  "sourceType": "ProcessingUnit",
  "value": 1
}

Relations

POST /flowreports

Create a flow statistics report.

Parameters:

  • ingestionMode (string): If set, can override the ingestion mode for report storage.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

action [required]

Type: enum(Accept | Reject)

Action applied to the flow.

destinationController

Type: string

Identifier of the destination controller.

destinationID [required]

Type: string

ID of the destination.

destinationIP

Type: string

Destination IP address.

destinationNamespace

This attribute is deprecated.

Type: string

Namespace of the destination. Deprecated and ignored; use remoteNamespace instead.

destinationPlatform

Type: string

Identifier of the destination platform.

destinationPort

Type: integer

Port of the destination.

destinationType [required]

Type: enum(ProcessingUnit | ExternalNetwork | Claims)

Destination type.

dropReason

Type: string

This field is only set if action is set to Reject. It specifies the reason for the rejection.

encrypted

Type: boolean

If true, the flow was encrypted.

namespace [required]

This attribute is deprecated.

Type: string

This is here for backward compatibility.

observed

Type: boolean

If true, the flow was also evaluated by a policy in observation mode (design mode); see the observed* attributes.

observedAction

Type: enum(Accept | Reject | NotApplicable)

Action observed on the flow.

Default value:

"NotApplicable"
observedDropReason

Type: string

Specifies the reason for a rejection. Only set if observedAction is set to Reject.

observedEncrypted

Type: boolean

Encryption setting of the network policy that observed the flow.

observedPolicyID

Type: string

ID of the network policy that observed the flow.

observedPolicyNamespace

Type: string

Namespace of the network policy that observed the flow.

policyID [required]

Type: string

ID of the network policy that accepted the flow.

policyNamespace [required]

Type: string

Namespace of the network policy that accepted the flow.

protocol [required]

Type: integer

Protocol number.

remoteNamespace

Type: string

Namespace of the object at the other end of the flow.

serviceClaimHash

Type: string

Hash of the claims used to communicate.

serviceID

Type: string

ID of the service.

serviceNamespace

Type: string

Namespace of Service accessed.

serviceType

Type: enum(L3 | HTTP | TCP | NotApplicable)

Type of the service.

Default value:

"NotApplicable"
serviceURL

Type: string

Service URL accessed.

sourceController

Type: string

Identifier of the source controller.

sourceID [required]

Type: string

ID of the source.

sourceIP

Type: string

Source IP address.

sourceNamespace

This attribute is deprecated.

Type: string

Namespace of the source. Deprecated and ignored; use remoteNamespace instead.

sourcePlatform

Type: string

Identifier of the source platform.

sourceType [required]

Type: enum(ProcessingUnit | ExternalNetwork | Claims)

Type of the source.

timestamp

Type: time

Time and date of the log.

value [required]

Type: integer

Number of flows in the log.
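
Flow reports are the raw material for detection work, so it helps to see the attributes above used together. The script below is an added example, not part of the Microsegmentation API or any official client: it triages a batch of FlowReport objects for rejected flows, for cleartext accepts towards external networks, and for "observation gaps". That last report treats a flow recorded with action Accept but observedAction Reject as traffic an observing policy (observationEnabled, observedTrafficAction Continue) would have dropped had it been enforcing; that reading follows from the observed* attribute descriptions but is this example's interpretation. The flow records are constructed sample data.

```python
from collections import Counter
from typing import Dict, Iterable, List

# Added example (not the Microsegmentation project's code): triage FlowReport
# objects in the JSON shape documented above. SAMPLE_FLOWS is constructed data.
SAMPLE_FLOWS = [
    {"action": "Accept", "sourceID": "pu-web-1", "destinationID": "pu-db-1",
     "sourceType": "ProcessingUnit", "destinationType": "ProcessingUnit",
     "protocol": 6, "destinationPort": 5432, "encrypted": True, "value": 40,
     "policyID": "np-allow-web-db", "policyNamespace": "/acme/prod",
     "observed": False, "observedAction": "NotApplicable"},
    {"action": "Accept", "sourceID": "pu-web-1", "destinationID": "ext-internet",
     "sourceType": "ProcessingUnit", "destinationType": "ExternalNetwork",
     "protocol": 6, "destinationPort": 443, "encrypted": False, "value": 12,
     "policyID": "np-allow-all", "policyNamespace": "/acme",
     "observed": True, "observedAction": "Reject",
     "observedPolicyID": "np-egress-lockdown", "observedPolicyNamespace": "/acme/prod",
     "observedDropReason": "no matching allow"},
    {"action": "Reject", "sourceID": "ext-internet", "destinationID": "pu-db-1",
     "sourceType": "ExternalNetwork", "destinationType": "ProcessingUnit",
     "protocol": 6, "destinationPort": 5432, "encrypted": False, "value": 3,
     "policyID": "np-default-deny", "policyNamespace": "/acme",
     "dropReason": "policy reject", "observed": False, "observedAction": "NotApplicable"},
]


def rejected_by_reason(flows: Iterable[Dict]) -> Dict[str, int]:
    """Count rejected flows (weighted by `value`) per dropReason."""
    counts: Counter = Counter()
    for f in flows:
        if f.get("action") == "Reject":
            counts[f.get("dropReason", "unspecified")] += int(f.get("value", 1))
    return dict(counts)


def observation_gaps(flows: Iterable[Dict]) -> List[Dict]:
    """Flows the enforced policy accepted but an observing policy marked Reject."""
    gaps = []
    for f in flows:
        if f.get("action") == "Accept" and f.get("observed") and f.get("observedAction") == "Reject":
            gaps.append({
                "source": f["sourceID"], "destination": f["destinationID"],
                "port": f.get("destinationPort"), "protocol": f.get("protocol"),
                "flows": int(f.get("value", 1)),
                "enforced_policy": f"{f.get('policyNamespace')}:{f.get('policyID')}",
                "observing_policy": f"{f.get('observedPolicyNamespace')}:{f.get('observedPolicyID')}",
                "reason": f.get("observedDropReason", ""),
            })
    return gaps


def cleartext_accepts(flows: Iterable[Dict], destination_type: str = "ExternalNetwork") -> List[str]:
    """Source -> destination pairs allowed to talk unencrypted to the given destination type."""
    out = []
    for f in flows:
        if (f.get("action") == "Accept" and not f.get("encrypted", False)
                and f.get("destinationType") == destination_type):
            out.append(f"{f['sourceID']} -> {f['destinationID']}:{f.get('destinationPort')}")
    return out


if __name__ == "__main__":
    print("rejects by reason:", rejected_by_reason(SAMPLE_FLOWS))
    for gap in observation_gaps(SAMPLE_FLOWS):
        print("would be rejected in enforce mode:", gap)
    print("cleartext to external networks:", cleartext_accepts(SAMPLE_FLOWS))
```

Feed it the objects returned for a namespace and the observation-gap list is exactly what to review before switching an observing policy from Continue to Apply.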

InfrastructurePolicy

Infrastructure policies represent the network access rules of the underlying infrastructure. They can assist you in analyzing how AWS security groups, firewalls, and other access control list (ACL) mechanisms may affect Microsegmentation network policies. Microsegmentation’s AWS integration app automatically populates AWS security groups.

Example

{
  "action": "Allow",
  "applyPolicyMode": "OutgoingTraffic",
  "disabled": false,
  "name": "the name",
  "protected": false
}

Relations

GET /infrastructurepolicies

Retrieves the list of infrastructure policies.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with a logical OR.
POST /infrastructurepolicies

Creates a new infrastructure policy.

DELETE /infrastructurepolicies/:id

Deletes the infrastructure policy with the given ID.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with a logical OR.
GET /infrastructurepolicies/:id

Retrieves the infrastructure policy with the given ID.

PUT /infrastructurepolicies/:id

Updates the infrastructure policy with the given ID.

GET /infrastructurepolicies/:id/externalnetworks

Returns the list of external networks affected by an infrastructure policy.

Parameters:

  • mode (enum(subject | object)): Matching mode.
GET /infrastructurepolicies/:id/processingunits

Returns the list of processing units affected by an infrastructure policy.

Parameters:

  • mode (enum(subject | object)): Matching mode.
GET /infrastructurepolicies/:id/services

Returns the list of services affected by an infrastructure policy.

Parameters:

  • mode (enum(subject | object)): Matching mode.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

action

Type: enum(Allow | Reject)

Defines the action to apply to a flow.

Default value:

"Allow"
activeDuration [format=^[0-9]+[smh]$]

Type: string

Defines for how long the policy will be active according to the activeSchedule.

activeSchedule

Type: string

Defines when the policy should be active using the cron notation. The policy will be active for the given activeDuration.

annotations

Type: map[string][]string

Stores additional information about an entity.

applyPolicyMode

Type: enum(OutgoingTraffic | IncomingTraffic)

Determines whether the policy applies to the outgoing traffic of the subject (OutgoingTraffic, the default) or to the incoming traffic of the subject (IncomingTraffic).

Default value:

"OutgoingTraffic"
associatedTags

Type: []string

List of tags attached to an entity.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

description [max_length=1024]

Type: string

Description of the object.

disabled

Type: boolean

Defines if the policy is disabled.

expirationTime

Type: time

If set the policy will be automatically deleted after the given time.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

object

Type: [][]string

Object of the policy.

protected

Type: boolean

Defines if the object is protected.

subject

Type: [][]string

Subject of the policy.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

NetworkAccessPolicy

Allows you to define network policies to allow or prevent processing units identified by their tags to talk to other processing units or external networks (also identified by their tags).

Example

{
  "action": "Allow",
  "applyPolicyMode": "Bidirectional",
  "disabled": false,
  "encryptionEnabled": false,
  "fallback": false,
  "logsEnabled": false,
  "name": "the name",
  "negateObject": false,
  "negateSubject": false,
  "observationEnabled": false,
  "observedTrafficAction": "Continue",
  "propagate": false,
  "protected": false
}

Relations

GET /networkaccesspolicies

Retrieves the list of network policies.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with a logical OR.
  • propagated (boolean): Also retrieve the objects that propagate down.
POST /networkaccesspolicies

Creates a new network policy.

DELETE /networkaccesspolicies/:id

Deletes the policy with the given ID.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with a logical OR.
GET /networkaccesspolicies/:id

Retrieves the policy with the given ID.

Parameters:

  • propagated (boolean): Also retrieve the objects that propagate down.
PUT /networkaccesspolicies/:id

Updates the policy with the given ID.

GET /networkaccesspolicies/:id/externalnetworks

Returns the list of external networks affected by a network policy.

Parameters:

  • mode (enum(subject | object)): Matching mode.
GET /networkaccesspolicies/:id/processingunits

Returns the list of processing units affected by a network policy.

Parameters:

  • mode (enum(subject | object)): Matching mode.
GET /networkaccesspolicies/:id/services

Returns the list of services affected by a network policy.

Parameters:

  • mode (enum(subject | object)): Matching mode.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

action

Type: enum(Allow | Reject | Continue)

Defines the action to apply to a flow.

  • Allow: allows the defined traffic.
  • Reject: rejects the defined traffic; useful in conjunction with an allow-all policy.
  • Continue: neither allows nor rejects the traffic; useful for applying another property of the policy, such as observation or logging, to the traffic without deciding it.

Default value:

"Allow"
activeDuration [format=^[0-9]+[smh]$]

Type: string

Defines for how long the policy will be active according to the activeSchedule.

activeSchedule

Type: string

Defines when the policy should be active using the cron notation. The policy will be active for the given activeDuration.

annotations

Type: map[string][]string

Stores additional information about an entity.

applyPolicyMode

Type: enum(OutgoingTraffic | IncomingTraffic | Bidirectional)

Sets three different types of policies.

  • IncomingTraffic: applies the policy to all processing units that match the object and allows them to accept connections from processing units or external networks that match the subject.
  • OutgoingTraffic: applies the policy to all processing units that match the subject and allows them to initiate connections with processing units or external networks that match the object.
  • Bidirectional (default): applies the policy to all processing units that match the object and allows them to accept connections from processing units that match the subject; also applies the policy to all processing units that match the subject and allows them to initiate connections with processing units that match the object.

Default value:

"Bidirectional"
associatedTags

Type: []string

List of tags attached to an entity.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

description [max_length=1024]

Type: string

Description of the object.

disabled

Type: boolean

Defines if the policy is disabled.

encryptionEnabled

This attribute is deprecated.

Type: boolean

Defines if the flow has to be encrypted. Deprecated; this property has no effect.

expirationTime

Type: time

If set the policy will be automatically deleted after the given time.

fallback

Type: boolean

Indicates that this is a fallback policy. It is applied only if no other policy has been resolved. If the policy is also propagated, it becomes a fallback for child namespaces.

logsEnabled

Type: boolean

If true, the relevant flows are logged and available from Microsegmentation Console. Under some advanced scenarios you may wish to set this to false, such as to save space or improve performance.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

negateObject

Type: boolean

Setting this to true will invert the object to find what is not matching.

negateSubject

Type: boolean

Setting this to true will invert the subject to find what is not matching.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

object

Type: [][]string

A tag or tag expression identifying the object of the policy.

observationEnabled

Type: boolean

If set to true, the flow will be in observation mode.

observedTrafficAction

Type: enum(Apply | Continue)

If observationEnabled is set to true, this defines the final action taken on the packets: Apply or Continue (default).

Default value:

"Continue"
ports

Type: []string

Represents the ports and protocols this policy applies to.

propagate

Type: boolean

Propagates the policy to all of its children.

protected

Type: boolean

Defines if the object is protected.

subject

Type: [][]string

A tag or tag expression identifying the subject of the policy.
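
The interaction of subject, object, applyPolicyMode, negateSubject, negateObject, action and fallback is the part of this object people most often get wrong, so here is the resolution written out. This is an added example and not the enforcer's own code. Assumptions it makes that the reference does not state: a [][]string expression is an OR of AND-clauses and a clause matches when every tag in it is present on the entity; among matching policies a Reject outranks an Allow (the reference pairs Reject with an allow-all policy, which implies this); fallback policies are consulted only when nothing else matched; and with no match at all the connection is rejected. In every mode the subject describes the initiating end and the object the receiving end; applyPolicyMode only selects which end's enforcer installs the policy. Tags and policies are constructed sample data.

```python
from typing import Dict, Iterable, Optional, Sequence, Set

# Added example (not the Microsegmentation project's code): resolve a
# NetworkAccessPolicy set for one connection. Semantics marked "assumption"
# are choices for this example, not statements about the enforcer.

TagExpr = Sequence[Sequence[str]]

# Constructed sample policies and tag sets.
SAMPLE_POLICIES = [
    {"name": "web-to-db", "action": "Allow", "applyPolicyMode": "Bidirectional",
     "subject": [["app=web", "env=prod"]], "object": [["app=db", "env=prod"]]},
    {"name": "prod-stays-in-prod", "action": "Reject", "applyPolicyMode": "OutgoingTraffic",
     "subject": [["env=prod"]], "object": [["env=prod"]], "negateObject": True},
    {"name": "web-egress-fallback", "action": "Allow", "applyPolicyMode": "OutgoingTraffic",
     "fallback": True, "subject": [["app=web"]], "object": [["ext=internet"]]},
]
WEB_PROD = {"app=web", "env=prod"}
DB_PROD = {"app=db", "env=prod"}
WEB_STAGING = {"app=web", "env=staging"}
INTERNET = {"ext=internet"}


def matches(expr: TagExpr, tags: Set[str]) -> bool:
    """OR across clauses, AND within a clause (assumption); an empty expression matches nothing."""
    return any(clause and all(t in tags for t in clause) for clause in expr)


def sides_match(policy: Dict, initiator: Set[str], receiver: Set[str]) -> bool:
    """Subject describes the initiating end, object the receiving end;
    negateSubject / negateObject invert the respective match."""
    subj = matches(policy.get("subject", []), initiator) != bool(policy.get("negateSubject"))
    obj = matches(policy.get("object", []), receiver) != bool(policy.get("negateObject"))
    return subj and obj


def enforcing_ends(policy: Dict) -> Set[str]:
    """Which end(s) of the connection install the policy, per applyPolicyMode."""
    return {
        "OutgoingTraffic": {"initiator"},            # the subject's enforcer
        "IncomingTraffic": {"receiver"},             # the object's enforcer
        "Bidirectional": {"initiator", "receiver"},  # both
    }[policy.get("applyPolicyMode", "Bidirectional")]


def resolve(policies: Iterable[Dict], initiator: Set[str], receiver: Set[str], end: str) -> str:
    """Decision ('Allow' or 'Reject') taken at `end` ('initiator' or 'receiver')
    for a connection from an entity tagged `initiator` to one tagged `receiver`."""
    decision: Optional[str] = None
    fallback: Optional[str] = None
    for p in policies:
        if p.get("disabled") or end not in enforcing_ends(p) or not sides_match(p, initiator, receiver):
            continue
        action = p.get("action", "Allow")
        if action == "Continue":          # neither allows nor rejects
            continue
        if p.get("fallback"):             # only counts if nothing else resolves
            if fallback is None:
                fallback = action
            continue
        if action == "Reject":            # assumption: Reject outranks Allow
            return "Reject"
        decision = "Allow"
    return decision or fallback or "Reject"   # assumption: no match means deny


if __name__ == "__main__":
    for src, dst, end in ((WEB_PROD, DB_PROD, "initiator"), (WEB_PROD, INTERNET, "initiator"),
                          (WEB_STAGING, INTERNET, "initiator"), (DB_PROD, WEB_PROD, "receiver")):
        print(sorted(src), "->", sorted(dst), "at", end, ":", resolve(SAMPLE_POLICIES, src, dst, end))
```

The second sample policy is the idiom the Reject action is meant for: with negateObject it denies prod initiators everything outside prod, and because a Reject wins it also overrides the web-egress fallback for prod web units while staging web units still fall through to it.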

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

policy/processingunits

IsolationProfile

Defines system call rules, system call actions, and other capabilities on a processing unit.

Example

{
  "name": "the name",
  "propagate": false,
  "protected": false
}

Relations

GET /isolationprofiles

Retrieves the list of isolation profiles.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with a logical OR.
  • propagated (boolean): Also retrieve the objects that propagate down.
POST /isolationprofiles

Creates a new isolation profile.

DELETE /isolationprofiles/:id

Deletes the profile with the given ID.

GET /isolationprofiles/:id

Retrieves the profile with the given ID.

Parameters:

  • propagated (boolean): Also retrieve the objects that propagate down.
PUT /isolationprofiles/:id

Updates the profile with the given ID.

GET /processingunitpolicies/:id/isolationprofiles

Returns the list of isolation profiles associated with the mapping.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

capabilitiesActions

Type: _cap_map

The capabilities that should be added to or removed from the processing unit.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

defaultSyscallAction

Type: _syscall_action

The default action applied to all system calls of this profile. Default is Allow.

description [max_length=1024]

Type: string

Description of the object.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

propagate

Type: boolean

Propagates the policy to all of its children.

protected

Type: boolean

Defines if the object is protected.

syscallRules

Type: _syscall_rules

A list of system call rules that identify actions for particular system calls.

targetArchitectures

Type: _arch_list

The processor architectures that the profile supports. Defaults to all.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

ProcessingUnitPolicy

Processing unit policies allow you to define special behavior for processing units. For example you can associate an isolation profile with a set of processing units or select a specific datapath.

Example

{
  "action": "Default",
  "datapathType": "Default",
  "disabled": false,
  "fallback": false,
  "name": "the name",
  "propagate": false,
  "protected": false
}

Relations

GET /processingunitpolicies

Retrieves the list of processing unit policies.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with a logical OR.
  • propagated (boolean): Also retrieve the objects that propagate down.
POST /processingunitpolicies

Creates a new processing unit policy.

DELETE /processingunitpolicies/:id

Deletes the object with the given ID.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with a logical OR.
GET /processingunitpolicies/:id

Retrieves the object with the given ID.

PUT /processingunitpolicies/:id

Updates the object with the given ID.

GET /processingunitpolicies/:id/isolationprofiles

Returns the list of isolation profiles associated with the mapping.

GET /processingunitpolicies/:id/processingunits

Returns the list of processing units referenced by the mapping.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

action

Type: enum(Default | Delete | Enforce | LogCompliance | Reject | Snapshot | Stop)

Determines the action to take while enforcing the isolation profile. NOTE: choose Default if the processing unit should not make any decision about isolation profiles.

Default value:

"Default"
activeDuration [format=^[0-9]+[smh]$]

Type: string

Defines for how long the policy will be active according to the activeSchedule.

activeSchedule

Type: string

Defines when the policy should be active using the cron notation. The policy will be active for the given activeDuration.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

datapathType

Type: enum(Default | Aporeto | EnvoyAuthorizer)

The datapath type that processing units selected by subject should implement:

  • Default: this policy is not making a decision for the datapath.
  • Aporeto: the enforcer is managing and handling the datapath.
  • EnvoyAuthorizer: the enforcer serves Envoy-compatible gRPC APIs for every processing unit; an Envoy proxy, for example, can use them to obtain the Microsegmentation PKI and implement Microsegmentation network policies. NOTE: in this mode the enforcer does not own the datapath; it merely provides an authorizer API.

Default value:

"Default"
description [max_length=1024]

Type: string

Description of the object.

disabled

Type: boolean

Defines if the policy is disabled.

fallback

Type: boolean

Indicates that this is a fallback policy. It is applied only if no other policy has been resolved. If the policy is also propagated, it becomes a fallback for child namespaces.

isolationProfileSelector

Type: [][]string

The isolation profiles to be mapped. Only applies to Enforce and LogCompliance actions.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

propagate

Type: boolean

Propagates the policy to all of its children.

protected

Type: boolean

Defines if the object is protected.

subject

Type: [][]string

Contains the tag expression the tags need to match for the policy to apply.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

ProcessingUnitService

Represents a service attached to a processing unit.

Attributes

ports [read_only]

This attribute is deprecated.

Type: string

Contains the list of allowed ports and ranges.

protocol

Type: integer

Protocol used by the service.

targetPorts

Type: []string

List of single ports or range (xx:yy).

policy/quota

QuotaCheck

Allows you to verify the quota for a given identity in a given namespace with the given tags.

Example

{
  "targetIdentity": "processingunit",
  "targetNamespace": "/my/namespace"
}

Relations

POST /quotacheck

Verifies if the quota is exceeded for a particular object.

Parameters:

  • remaining (boolean): Makes the system count how many objects are left available in the quota.

Attributes

quota [autogenerated,read_only]

Type: integer

Contains the maximum number of matching entities that can be created.

remaining [autogenerated,read_only]

Type: integer

If the parameter remaining=true is passed, this value will be populated with the number of remaining objects in the quota.

Default value:

-1
targetIdentity [required]

Type: string

The identity name of the object you want to check the quota on.

targetNamespace

Type: string

The namespace in which you want to check the quota.

QuotaPolicy

Allows you to set quotas on the number of objects that can be created in a namespace.

Example

{
  "disabled": false,
  "fallback": false,
  "identities": [
    "processingunit",
    "enforcer"
  ],
  "name": "the name",
  "propagate": false,
  "propagationHidden": false,
  "protected": false,
  "targetNamespace": "/my/namespace"
}

Relations

GET /quotapolicies

Retrieves the list of quotas.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with a logical OR.
  • propagated (boolean): Also retrieve the objects that propagate down.
POST /quotapolicies

Creates a new quota.

DELETE /quotapolicies/:id

Deletes the quota with the given ID.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with a logical OR.
GET /quotapolicies/:id

Retrieves the quota with the given ID.

PUT /quotapolicies/:id

Updates the quota with the given ID.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

description [max_length=1024]

Type: string

Description of the object.

disabled

Type: boolean

Defines if the quota is disabled.

expirationTime

Type: time

If set the quota will be automatically deleted after the given time.

fallback

Type: boolean

Indicates that this is a fallback policy. It is applied only if no other policy has been resolved. If the policy is also propagated, it becomes a fallback for child namespaces.

identities [required]

Type: []string

Contains the list of identity names where the quota will be applied.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

propagate

Type: boolean

Propagates the policy to all of its children.

propagationHidden

Type: boolean

If set to true while the policy is propagating, it won’t be visible to child namespaces but is still used for policy resolution.

protected

Type: boolean

Defines if the object is protected.

quota

Type: integer

Specifies the maximum number of objects matching the policy subject that can be created.

targetNamespace [required]

Type: string

Contains the base namespace from where the count will be done.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

policy/services

ClaimMapping

Allows you to map a claim in a token to an HTTP header. This can be useful when offloading authentication and authorization to Microsegmentation. Some applications may expect to receive information in the HTTP header.

Example

{
  "claimName": "email",
  "targetHTTPHeader": "X-Username"
}

Attributes

claimName [required,format=^[a-zA-Z0-9-_/*#&@\+\$~:]+$]

Type: string

The name of the claim to map to the HTTP header.

targetHTTPHeader [required,format=^[a-zA-Z0-9-_/*#&@\+\$~:]+$]

Type: string

The HTTP header that will be the destination of the mapped claim.
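
Because the mapped header is what the upstream application trusts for identity, the mapping is worth validating up front and the header namespace is worth protecting from the client. The code below is an added example, not the enforcer's implementation: it checks ClaimMapping objects against the format given for claimName and targetHTTPHeader and builds the outbound header set from a token's claims. Two hardening choices are assumptions of this example rather than behaviour the reference describes: any header the client already sent under a mapped name is dropped before the claim value is written, so a caller cannot pre-fill X-Username itself, and claim values containing control characters are not forwarded. The claims, inbound headers and mappings are constructed sample data.

```python
import re
from typing import Dict, Iterable, List, Mapping

# Added example (not the Microsegmentation project's code): validate ClaimMapping
# objects and apply them to a request. The format regex is the one the
# reference gives for claimName and targetHTTPHeader.
_NAME_RE = re.compile(r"^[a-zA-Z0-9-_/*#&@\+\$~:]+$")

# Constructed sample data.
SAMPLE_CLAIMS = {"email": "alice@example.com", "groups": ["dev", "ops"], "sub": "1234"}
SAMPLE_INBOUND = {"Accept": "*/*", "X-Username": "root"}   # client tried to set a mapped header
SAMPLE_MAPPINGS = [
    {"claimName": "email", "targetHTTPHeader": "X-Username"},
    {"claimName": "groups", "targetHTTPHeader": "X-Groups"},
    {"claimName": "department", "targetHTTPHeader": "X-Department"},  # claim absent from the token
]


def validate_mappings(mappings: Iterable[Mapping[str, str]]) -> List[str]:
    """Return a list of problems; an empty list means every mapping is well formed."""
    problems: List[str] = []
    seen = set()
    for m in mappings:
        for field in ("claimName", "targetHTTPHeader"):
            value = m.get(field, "")
            if not value:
                problems.append(f"{field} is required")
            elif not _NAME_RE.match(value):
                problems.append(f"{field} {value!r} does not match the allowed format")
        header = m.get("targetHTTPHeader", "").lower()
        if header and header in seen:
            problems.append(f"targetHTTPHeader {header!r} mapped more than once")
        seen.add(header)
    return problems


def apply_mappings(claims: Mapping[str, object], inbound_headers: Mapping[str, str],
                   mappings: Iterable[Mapping[str, str]]) -> Dict[str, str]:
    """Headers to forward upstream: the client's headers minus any mapped names
    (assumption: the client must not be able to supply them), plus one header
    per mapping whose claim is present in the token."""
    mappings = list(mappings)
    mapped = {m["targetHTTPHeader"].lower() for m in mappings}
    out = {k: v for k, v in inbound_headers.items() if k.lower() not in mapped}
    for m in mappings:
        value = claims.get(m["claimName"])
        if value is None:
            continue
        if isinstance(value, (list, tuple)):
            value = ",".join(str(x) for x in value)
        value = str(value)
        # Assumption: a claim value carrying CR/LF or other control characters
        # would corrupt the header block, so it is not forwarded.
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
            continue
        out[m["targetHTTPHeader"]] = value
    return out


if __name__ == "__main__":
    print("problems:", validate_mappings(SAMPLE_MAPPINGS))
    print("forwarded headers:", apply_mappings(SAMPLE_CLAIMS, SAMPLE_INBOUND, SAMPLE_MAPPINGS))
```

The inbound X-Username: root is discarded and replaced by the token's email claim; the upstream application therefore only ever sees header values that originated from a verified token.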

Endpoint

Represents an HTTP endpoint.

Example

{
  "public": false
}

Attributes

URI

Type: string

URI of the exposed API.

allowedScopes

Type: [][]string

The scopes authorized to access the API.

methods

Type: []string

Methods exposed to access the API.

public

Type: boolean

If true, the API is public.

scopes [read_only]

This attribute is deprecated.

Type: []string

Use allowedScopes.

HTTPResourceSpec

Describes an HTTP resource exposed by one or more services.

Example

{
  "name": "the name",
  "propagate": false,
  "protected": false
}

Relations

GET /httpresourcespecs

Retrieves the list of HTTP resource specifications.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with a logical OR.
  • propagated (boolean): Also retrieve the objects that propagate down.
  • archived (boolean): Also retrieve the objects that have been archived.
POST /httpresourcespecs

Creates a new HTTP resource specification.

DELETE /httpresourcespecs/:id

Deletes the HTTP resource with the given ID.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with a logical OR.
GET /httpresourcespecs/:id

Retrieves the HTTP resource with the given ID.

Parameters:

  • archived (boolean): Also retrieve the objects that have been archived.
PUT /httpresourcespecs/:id

Updates the HTTP resource with the given ID.

GET /services/:id/httpresourcespecs

Retrieves the HTTP Resource exposed by this service.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

description [max_length=1024]

Type: string

Description of the object.

endpoints

Type: []endpoint

A list of API endpoints that are exposed for the service.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

propagate

Type: boolean

Propagates the policy to all of its children.

protected

Type: boolean

Defines if the object is protected.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

Service

Defines a generic service object at layer 4 or layer 7 that encapsulates the description of a microservice. A service exposes APIs and can be implemented through third-party entities (such as a cloud provider) or through processing units.

Example

{
  "OIDCProviderURL": "https://accounts.google.com",
  "OIDCScopes": [
    "email",
    "profile"
  ],
  "TLSType": "Aporeto",
  "authorizationType": "None",
  "disabled": false,
  "exposedAPIs": [
    [
      "package=p1"
    ]
  ],
  "exposedPort": 443,
  "exposedServiceIsTLS": false,
  "external": false,
  "name": "the name",
  "port": 443,
  "propagate": false,
  "protected": false,
  "publicApplicationPort": 443,
  "selectors": [
    [
      "$identity=processingunit"
    ]
  ],
  "type": "HTTP"
}

Relations

GET /services

Retrieves the list of services.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with a logical OR.
  • archived (boolean): Also retrieve the objects that have been archived.
  • propagated (boolean): Also retrieve the objects that propagate down.
POST /services

Creates a new service.

DELETE /services/:id

Deletes the service with the given ID.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with a logical OR.
GET /services/:id

Retrieves the service with the given ID.

Parameters:

  • archived (boolean): Also retrieve the objects that have been archived.
  • propagated (boolean): Also retrieve the objects that propagate down.
PUT /services/:id

Updates the service with the given ID.

GET /infrastructurepolicies/:id/services

Returns the list of services affected by an infrastructure policy.

Parameters:

  • mode (enum(subject | object)): Matching mode.
GET /networkaccesspolicies/:id/services

Returns the list of services affected by a network policy.

Parameters:

  • mode (enum(subject | object)): Matching mode.
GET /processingunits/:id/services

Retrieves the services used by a processing unit.

GET /servicedependencies/:id/services

Returns the list of external services that are targets of the service dependency.

GET /services/:id/httpresourcespecs

Retrieves the HTTP Resource exposed by this service.

GET /services/:id/processingunits

Retrieves the processing units that implement this service.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

IPs

Type: []string

The list of IP addresses where the service can be accessed. This is an optional attribute and is only required if no host names are provided. The system will automatically resolve IP addresses from host names otherwise.

JWTSigningCertificate

Type: string

PEM-encoded certificate that will be used to validate the user’s JSON web token (JWT) in HTTP requests. This is an optional field, needed only if the authorizationType is set to JWT.

MTLSCertificateAuthority

Type: string

PEM-encoded certificate authority to use to verify client certificates. This only applies if authorizationType is set to MTLS. If it is not set, Microsegmentation Console’s public signing certificate authority will be used.

OIDCCallbackURL

Type: string

This is an advanced setting. Optional OIDC callback URL. If you don’t set it, the enforcer will autodiscover it. It will be https://<hosts[0]|IPs[0]>/aporeto/oidc/callback.

OIDCClientID

Type: string

OIDC Client ID. Only has effect if the authorizationType is set to OIDC.

OIDCClientSecret

Type: string

OIDC Client Secret. Only has effect if the authorizationType is set to OIDC.

OIDCProviderURL

Type: string

OIDC discovery endpoint. Only has effect if the authorizationType is set to OIDC.

OIDCScopes

Type: []string

Configures the scopes you want to request from the OIDC provider. Only has effect if authorizationType is set to OIDC.

TLSCertificate

Type: string

PEM-encoded certificate to expose to the clients for TLS. Only has effect, and is required, if TLSType is set to External.

TLSCertificateKey

Type: string

PEM-encoded certificate key associated with TLSCertificate. Only has effect, and is required, if TLSType is set to External.

TLSType

Type: enum(Aporeto | LetsEncrypt | External | None)

Set how to provide a server certificate to the service.

  • Aporeto: Generate a certificate signed by the Microsegmentation Console public CA.
  • LetsEncrypt: Issue a certificate from Let’s Encrypt.
  • External: Let you define your own certificate and key to use.
  • None: TLS is disabled (not recommended).

Default value:

"Aporeto"
annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

authorizationType

Type: enum(None | JWT | OIDC | MTLS)

Defines the user authorization type that should be used.

  • None (default): No authorization.
  • JWT: Configures a simple JWT verification from the HTTP Authorization header.
  • OIDC: Configures OIDC authorization. You must then set OIDCClientID, OIDCClientSecret, and OIDCProviderURL.
  • MTLS: Configures client certificate authorization. You can optionally set MTLSCertificateAuthority; otherwise Microsegmentation Console's public signing certificate authority will be used.

Default value:

"None"

claimsToHTTPHeaderMappings

Type: []claimmapping

Defines a list of mappings between claims and HTTP headers. When these mappings are defined, the enforcer will copy the values of the claims to the corresponding HTTP headers.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

description [max_length=1024]

Type: string

Description of the object.

disabled

Type: boolean

Defines if the property is disabled.

endpoints [read_only]

Type: []endpoint

Resolves the API endpoints that the service is exposing. Only valid during policy rendering.

exposedAPIs

Type: [][]string

Contains a tag expression that will determine which APIs a service is exposing. The APIs can be defined as the RESTAPISpec or similar specifications for other layer 7 protocols.

exposedPort [required,max_value=65535.000000]

Type: integer

The port that the service can be accessed on. Note that this is different from the port attribute that describes the port that the service is actually listening on. For example if a load balancer is used, the exposedPort is the port that the load balancer is listening for the service, whereas the port that the implementation is listening on can be different.

exposedServiceIsTLS

Type: boolean

Indicates that the exposed service is TLS. This means that the enforcer has to initiate a TLS session in order to forward traffic to the service.

Default value:

false

external

Type: boolean

Indicates if this is an external service.

Default value:

false

hosts

Type: []string

The host names that the service can be accessed on.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

port [max_value=65535.000000]

Type: integer

The port that the implementation of the service is listening to. It can be different than exposedPort. This is needed for port mapping use cases where there are private and public ports.

propagate

Type: boolean

Propagates the policy to all of its children.

protected

Type: boolean

Defines if the object is protected.

publicApplicationPort [max_value=65535.000000]

Type: integer

A new virtual port that the service can be accessed on using HTTPS. Since the enforcer transparently inserts TLS in the application path, you might want to declare a new port where the enforcer listens for TLS. However, the application does not need to be modified and the enforcer will map the traffic to the correct application port. This is useful when an application is being accessed from a public network.

redirectURLOnAuthorizationFailure

Type: string

If this is set, the user will be redirected to that URL in case of any authorization failure, allowing you to provide a nice message to the user. The query parameter ?failure_message=<message> will be added to that URL explaining the possible reason for the failure.

selectors

Type: [][]string

A tag or tag expression that identifies the processing unit that implements this particular service.

trustedCertificateAuthorities

Type: string

PEM-encoded certificate authorities to trust when additional hops are needed. It must be set if the service must reach a service marked as external or must go through an additional TLS termination point like a layer 7 load balancer.

type

Type: enum(HTTP | TCP | KubernetesSecrets | VaultSecrets)

Type of service.

Default value:

"HTTP"

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.
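
Several of the attributes above are only meaningful, or only required, in combination: TLSType External needs TLSCertificate and TLSCertificateKey, authorizationType OIDC needs OIDCClientID, OIDCClientSecret and OIDCProviderURL, MTLS may carry its own MTLSCertificateAuthority, metadata tags must start with '@', and TLSType None disables TLS. The following pre-flight check is an added example, not code from Microsegmentation: it validates a Service payload against those documented rules before the payload is sent to the API. The function names and the two sample payloads are constructed for this example; the JWT signing certificate attribute and the RESTAPISpec format are not covered.

```python
"""Pre-flight check of a Service payload against the documented cross-attribute
rules (added example; not Microsegmentation code)."""
from typing import Any, Dict, List

MAX_PORT = 65535
OIDC_REQUIRED = ("OIDCClientID", "OIDCClientSecret", "OIDCProviderURL")
EXTERNAL_TLS_REQUIRED = ("TLSCertificate", "TLSCertificateKey")


def _present(obj: Dict[str, Any], key: str) -> bool:
    return obj.get(key) not in (None, "", [])


def validate_service(svc: Dict[str, Any]) -> List[str]:
    """Return the problems found; an empty list means the payload is consistent.

    'ERROR' entries violate a documented requirement; 'WARN' entries are
    settings the documentation discourages or that will be silently ignored."""
    problems: List[str] = []

    # Required attributes and declared limits.
    if not _present(svc, "name") or len(svc["name"]) > 256:
        problems.append("ERROR: name is required (max 256 characters)")
    if not _present(svc, "exposedPort"):
        problems.append("ERROR: exposedPort is required")
    for key in ("exposedPort", "port", "publicApplicationPort"):
        port = svc.get(key)
        if port is not None and (not isinstance(port, int) or not 1 <= port <= MAX_PORT):
            problems.append(f"ERROR: {key} must be an integer in 1..{MAX_PORT}")

    # metadata tags are creation-only and must carry the '@' prefix.
    for tag in svc.get("metadata", []):
        if not tag.startswith("@"):
            problems.append(f"ERROR: metadata tag {tag!r} must start with '@'")

    # Server-side TLS: External brings its own certificate, None disables TLS.
    tls_type = svc.get("TLSType", "Aporeto")
    if tls_type == "External":
        problems += [f"ERROR: TLSType=External requires {k}" for k in EXTERNAL_TLS_REQUIRED if not _present(svc, k)]
    elif tls_type in ("Aporeto", "LetsEncrypt", "None"):
        problems += [f"WARN: {k} is ignored unless TLSType=External" for k in EXTERNAL_TLS_REQUIRED if _present(svc, k)]
        if tls_type == "None":
            problems.append("WARN: TLSType=None disables TLS (not recommended)")
    else:
        problems.append(f"ERROR: unknown TLSType {tls_type!r}")

    # Client authorization: each mode has its own inputs.
    authz = svc.get("authorizationType", "None")
    if authz == "OIDC":
        problems += [f"ERROR: authorizationType=OIDC requires {k}" for k in OIDC_REQUIRED if not _present(svc, k)]
        if _present(svc, "OIDCProviderURL") and not svc["OIDCProviderURL"].startswith("https://"):
            problems.append("WARN: OIDCProviderURL should be an https URL")
    elif authz in ("None", "JWT", "MTLS"):
        problems += [f"WARN: {k} is ignored unless authorizationType=OIDC" for k in OIDC_REQUIRED + ("OIDCScopes",) if _present(svc, k)]
        if authz == "MTLS" and not _present(svc, "MTLSCertificateAuthority"):
            problems.append("WARN: MTLS without MTLSCertificateAuthority trusts the Console's public signing CA")
        if authz == "None" and tls_type == "None":
            problems.append("WARN: no TLS and no authorization: the service is fully open")
    else:
        problems.append(f"ERROR: unknown authorizationType {authz!r}")

    if _present(svc, "claimsToHTTPHeaderMappings") and authz == "None":
        problems.append("WARN: claimsToHTTPHeaderMappings has no claims to copy when authorizationType=None")
    return problems


def is_deployable(svc: Dict[str, Any]) -> bool:
    """True when validate_service() reports no ERROR entries."""
    return not any(p.startswith("ERROR") for p in validate_service(svc))


# Constructed sample payloads (not from the original page).
GOOD_OIDC_SERVICE = {
    "name": "orders-api",
    "exposedPort": 443,
    "port": 8080,
    "TLSType": "Aporeto",
    "authorizationType": "OIDC",
    "OIDCClientID": "orders-api",
    "OIDCClientSecret": "example-secret",
    "OIDCProviderURL": "https://idp.example.com/.well-known/openid-configuration",
    "OIDCScopes": ["openid", "profile"],
    "metadata": ["@source=example"],
}
BAD_SERVICE = {
    "name": "legacy-api",
    "exposedPort": 70000,
    "TLSType": "External",
    "authorizationType": "OIDC",
    "OIDCClientID": "legacy",
    "metadata": ["source=example"],
}

if __name__ == "__main__":
    for svc in (GOOD_OIDC_SERVICE, BAD_SERVICE):
        print(svc["name"], validate_service(svc) or ["OK"])
```

Run the check on a payload before POSTing it; the ERROR entries correspond to requests the API documents as invalid, and the WARN entries flag the combinations (TLSType None, MTLS without a private CA, ignored OIDC attributes) that a reviewer would want to see justified.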

ServiceDependency

Allows you to define a service dependency where a set of processing units as defined by their tags require access to specific services.

Example

{
  "disabled": false,
  "fallback": false,
  "name": "the name",
  "propagate": false,
  "protected": false
}

Relations

GET /servicedependencies

Retrieves the list of service dependencies.

Parameters:

  • q (string): Filtering query. Consequent q parameters will form an or.
  • propagated (boolean): Also retrieve the objects that propagate down.

POST /servicedependencies

Creates a new service dependency.

DELETE /servicedependencies/:id

Deletes the object with the given ID.

Parameters:

  • q (string): Filtering query. Consequent q parameters will form an or.

GET /servicedependencies/:id

Retrieves the object with the given ID.

PUT /servicedependencies/:id

Updates the object with the given ID.

GET /servicedependencies/:id/processingunits

Returns the list of processing units that depend on a service.

GET /servicedependencies/:id/services

Returns the list of external services that are targets of the service dependency.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

activeDuration [format=^[0-9]+[smh]$]

Type: string

Defines for how long the policy will be active according to the activeSchedule.

activeSchedule

Type: string

Defines when the policy should be active using the cron notation. The policy will be active for the given activeDuration.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

description [max_length=1024]

Type: string

Description of the object.

disabled

Type: boolean

Defines if the property is disabled.

fallback

Type: boolean

Indicates that this is a fallback policy. It will only be applied if no other policies have been resolved. If the policy is also propagated, it will become a fallback for children namespaces.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

object

Type: [][]string

Object of the service dependency.

propagate

Type: boolean

Propagates the policy to all of its children.

protected

Type: boolean

Defines if the object is protected.

subject

Type: [][]string

Subject of the service dependency.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

TokenScopePolicy

Defines a set of policies that allow customization of the authorization tokens issued by the Microsegmentation Console. This allows Microsegmentation tokens to be used by external applications.

Example

{
  "disabled": false,
  "fallback": false,
  "name": "the name",
  "propagate": false,
  "protected": false
}

Relations

GET /tokenscopepolicies

Retrieves the list of token scope policies.

Parameters:

  • q (string): Filtering query. Consequent q parameters will form an or.
  • propagated (boolean): Also retrieve the objects that propagate down.

POST /tokenscopepolicies

Creates a new token scope policy.

DELETE /tokenscopepolicies/:id

Deletes the object with the given ID.

Parameters:

  • q (string): Filtering query. Consequent q parameters will form an or.

GET /tokenscopepolicies/:id

Retrieves the object with the given ID.

PUT /tokenscopepolicies/:id

Updates the object with the given ID.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

activeDuration [format=^[0-9]+[smh]$]

Type: string

Defines for how long the policy will be active according to the activeSchedule.

activeSchedule

Type: string

Defines when the policy should be active using the cron notation. The policy will be active for the given activeDuration.

allowedAudiences

Type: []string

A list of audience values that are allowed when issuing a service token. An empty list will allow any audience values.

annotations

Type: map[string][]string

Stores additional information about an entity.

assignedAudience

Type: string

The audience that should be assigned to a request if the caller is not requesting any specific audience.

assignedScopes

Type: []string

The list of scopes that the policy will assign.

associatedTags

Type: []string

List of tags attached to an entity.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

description [max_length=1024]

Type: string

Description of the object.

disabled

Type: boolean

Defines if the property is disabled.

expirationTime

Type: time

If set the policy will be automatically deleted after the given time.

fallback

Type: boolean

Indicates that this is a fallback policy. It will only be applied if no other policies have been resolved. If the policy is also propagated, it will become a fallback for children namespaces.

inheritedClaimKeys

Type: []string

A list of claim keys that should be inherited from the claims of the caller into the assigned token, so that some of the caller's claims are propagated to the resolved token.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

propagate

Type: boolean

Propagates the policy to all of its children.

protected

Type: boolean

Defines if the object is protected.

subject

Type: [][]string

Defines the selection criteria that this policy must match on identity and scope request information.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

policy/ssh

SSHAuthorizationPolicy

An SSH authorization allows you to define the permissions for the owner of an OpenSSH certificate issued by a Microsegmentation certificate authority. You can define whether a user with some claims can connect to an sshd server managed by an instance of enforcerd according to its tags, what permissions they have, and for how long delivered certificates are valid.

Example

{
  "disabled": false,
  "fallback": false,
  "name": "the name",
  "propagate": false,
  "protected": false,
  "requireSystemAccountMatching": false,
  "validity": "1h"
}

Relations

GET /sshauthorizationpolicies

Retrieves the list of SSH authorizations.

Parameters:

  • q (string): Filtering query. Consequent q parameters will form an or.
  • propagated (boolean): Also retrieve the objects that propagate down.

POST /sshauthorizationpolicies

Creates a new SSH authorization.

DELETE /sshauthorizationpolicies/:id

Deletes the SSH authorization with the given ID.

Parameters:

  • q (string): Filtering query. Consequent q parameters will form an or.

GET /sshauthorizationpolicies/:id

Retrieves the SSH authorization with the given ID.

Parameters:

  • propagated (boolean): Also retrieve the objects that propagate down.

PUT /sshauthorizationpolicies/:id

Updates the SSH authorization with the given ID.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

activeDuration [format=^[0-9]+[smh]$]

Type: string

Defines for how long the policy will be active according to the activeSchedule.

activeSchedule

Type: string

Defines when the policy should be active using the cron notation. The policy will be active for the given activeDuration.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

authorizedSubnets

Type: []string

If set, the SSH authorization will only be valid if the request comes from one of the declared subnets.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

description [max_length=1024]

Type: string

Description of the object.

disabled

Type: boolean

Defines if the property is disabled.

expirationTime

Type: time

If set the SSH authorization will be automatically deleted after the given time.

extensions

Type: []string

The list of permissions to apply to the OpenSSH certificate. You can check the list of standard extensions at https://github.com/openssh/openssh-portable/blob/38e83e4f219c752ebb1560633b73f06f0392018b/PROTOCOL.certkeys#L281.

fallback

Type: boolean

Indicates that this is a fallback policy. It will only be applied if no other policies have been resolved. If the policy is also propagated, it will become a fallback for children namespaces.

forceCommand

Type: string

Specify a single command that the user can issue on the remote host. This can be useful for issuing single-purpose certificates, for ensuring that users stay in their home directories (internal-sftp), and for restricting users to a bash shell (/bin/bash), which prevents them from running arbitrary and unlogged commands such as scp, rsync -e ssh, and sftp. Refer to the ForceCommand entry of the sshd_config(5) documentation (for example, the FreeBSD manual pages) for more information.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

object

Type: [][]string

Contains the tag expression identifying the enforcers on the hosts the subject is allowed to access.

principals

Type: []string

On systems without an enforcer, you must provide the name of the Linux user. On systems with an enforcer, Microsegmentation populates this field automatically; a value set here is optional and is not used during authorization, but it becomes a tag associated with the SSH processing unit, which can be useful.

propagate

Type: boolean

Propagates the policy to all of its children.

protected

Type: boolean

Defines if the object is protected.

requireSystemAccountMatching

Type: boolean

If selected, the system account will be used to log into the resource.

subject

Type: [][]string

Contains the tag expression that identifies the user or group of users that should be allowed to access the remote hosts. If the user authenticates against an OIDC provider, these tags correspond to claims in the ID token.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

validity

Type: string

Set the validity of the delivered SSH certificate.

Default value:

"1h"

SSHIdentity

Returns an SSH certificate containing the bearer claims. This SSH certificate can be used to connect to a node where the enforcer is protecting SSH sessions.

Example

{
  "publicKey": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCytT my key"
}

Relations

POST /sshidentities

Creates a new SSH certificate.

Attributes

certificate [autogenerated,read_only]

Type: string

Contains the signed SSH certificate in OpenSSH format.

publicKey [required]

Type: string

Contains the public key to sign in OpenSSH format. You can generate an SSH public key with the standard ssh-keygen tool.

systemAccount

Type: string

Define the targeted system account name.
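
Before using the certificate returned by POST /sshidentities, it is worth confirming that what the certificate authority signed matches the SSHAuthorizationPolicy you expected: the validity window (validity), the principals, the critical options (forceCommand) and the extensions. The parser below is an added example, not code from Microsegmentation. It decodes an OpenSSH ssh-rsa-cert-v01@openssh.com certificate line following the field layout in OpenSSH's PROTOCOL.certkeys and applies those checks; it does not verify the signature (the sshd you connect to does that against its trusted CA), and it handles only the ssh-rsa certificate type. Because no Console is available offline, the sample certificate is constructed by the included encoder with a placeholder key and signature, so only the field layout matches a real certificate; the function names, the principal "ada" and the force-command path are assumptions made for the example.

```python
"""Decode an OpenSSH user certificate and compare it with the SSH authorization
policy it should reflect (added example; not Microsegmentation code)."""
import base64
import struct

CERT_TYPE = "ssh-rsa-cert-v01@openssh.com"
USER_CERT = 1  # SSH2_CERT_TYPE_USER in PROTOCOL.certkeys


def pack_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


class Reader:
    """Sequential reader for the SSH wire types a certificate uses."""

    def __init__(self, buf: bytes) -> None:
        self.buf, self.pos = buf, 0

    def uint(self, fmt: str) -> int:  # ">I" for uint32, ">Q" for uint64
        (value,) = struct.unpack_from(fmt, self.buf, self.pos)
        self.pos += struct.calcsize(fmt)
        return value

    def string(self) -> bytes:
        length = self.uint(">I")
        self.pos += length
        return self.buf[self.pos - length:self.pos]

    def strings(self) -> list:
        """Every remaining string in the buffer (principals, option lists)."""
        out = []
        while self.pos < len(self.buf):
            out.append(self.string())
        return out


def parse_pairs(blob: bytes) -> dict:
    """Critical options and extensions are (name, data) string pairs; data is
    empty for flag-style extensions and holds a packed string for options."""
    items = Reader(blob).strings()
    return {name.decode(): (Reader(data).string().decode() if data else "")
            for name, data in zip(items[::2], items[1::2])}


def parse_certificate(line: str) -> dict:
    """Parse an 'ssh-rsa-cert-v01@openssh.com <base64> [comment]' line."""
    parts = line.split()
    if parts[0] != CERT_TYPE:
        raise ValueError(f"unsupported certificate type {parts[0]!r}")
    r = Reader(base64.b64decode(parts[1]))
    if r.string().decode() != CERT_TYPE:
        raise ValueError("certificate body does not match its declared type")
    for _ in range(3):  # nonce, RSA e, RSA n of the certified key
        r.string()
    cert = {"serial": r.uint(">Q"), "type": r.uint(">I"), "key_id": r.string().decode()}
    cert["principals"] = [p.decode() for p in Reader(r.string()).strings()]
    cert["valid_after"], cert["valid_before"] = r.uint(">Q"), r.uint(">Q")
    cert["critical_options"] = parse_pairs(r.string())
    cert["extensions"] = sorted(parse_pairs(r.string()))
    return cert  # reserved, signature key and signature are not needed here


def check_against_policy(cert: dict, expected_extensions: list, force_command: str,
                         max_validity_seconds: int, now: int) -> list:
    """Return the ways the delivered certificate deviates from the policy."""
    issues = []
    if cert["type"] != USER_CERT:
        issues.append("not a user certificate")
    if not cert["principals"]:
        issues.append("no principals: sshd would accept the certificate for any authorized principal")
    if not cert["valid_after"] <= now < cert["valid_before"]:
        issues.append("certificate is not valid at this time")
    if cert["valid_before"] - cert["valid_after"] > max_validity_seconds:
        issues.append("validity window is longer than the policy's validity")
    extra = sorted(set(cert["extensions"]) - set(expected_extensions))
    if extra:
        issues.append(f"unexpected extensions: {extra}")
    if force_command and cert["critical_options"].get("force-command") != force_command:
        issues.append("force-command is missing or differs from the policy")
    return issues


def build_sample_certificate(valid_after: int, validity_seconds: int) -> str:
    """Constructed sample with a placeholder key and signature (layout only)."""
    body = pack_string(CERT_TYPE.encode()) + pack_string(b"\x00" * 32)           # type, nonce
    body += pack_string(b"\x01\x00\x01") + pack_string(b"\x00" + b"\x42" * 256)  # e, n
    body += struct.pack(">QI", 7, USER_CERT) + pack_string(b"ada@example.com")   # serial, type, key id
    body += pack_string(pack_string(b"ada"))                                     # principals
    body += struct.pack(">QQ", valid_after, valid_after + validity_seconds)
    body += pack_string(pack_string(b"force-command") + pack_string(pack_string(b"/usr/lib/openssh/sftp-server")))
    body += pack_string(pack_string(b"permit-pty") + pack_string(b""))
    body += pack_string(b"") + pack_string(b"placeholder-ca") + pack_string(b"placeholder-sig")
    return f"{CERT_TYPE} {base64.b64encode(body).decode()} ada@example.com"


SAMPLE_NOW = 1_700_000_000
SAMPLE_CERT = build_sample_certificate(SAMPLE_NOW - 60, 3600)  # as issued under validity "1h"
```

With a real certificate, pass the content of the certificate attribute to parse_certificate and compare the result against the policy's validity, extensions and forceCommand; ssh-keygen -L -f <cert> shows the same fields for a side-by-side check.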

policy/token

ServiceToken

This API issues a new service token using the namespace certificate that can be used by third-party applications.

Example

{
  "objectID": "5c83035648675400019ab901",
  "sessionID": "5c83035648675400019ab901",
  "type": "Service",
  "validity": "15m"
}

Relations

POST /servicetoken

Creates an OAuth-compatible service token.

Attributes

audience

Type: string

If given, the issued token will only be valid for the audience provided. If empty, the audience will be resolved from the policies. If no audience can be resolved, the request will be rejected with an error.

objectID

Type: string

ID of the object you want to issue a token for.

sessionID

Type: string

Provides the session ID of the enforcer when retrieving a datapath certificate.

token [autogenerated,read_only]

Type: string

Token is the signed JWT service token.

type

Type: enum(ProcessingUnit | Service)

Type of token request.

Default value:

"Service"

validity

Type: string

Validity configures the max validity time for a token. If it is bigger than the configured max validity, it will be capped.

Default value:

"15m"

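The TokenScopePolicy attributes described earlier (subject, allowedAudiences, assignedAudience, assignedScopes, inheritedClaimKeys, fallback) and the audience and validity rules of the ServiceToken request above only make sense together. The following Python model is an added example, not the Console's implementation: it walks through the documented resolution, selecting the enabled policies whose subject matches the caller's claims, using fallback policies only when nothing else resolved, rejecting a requested audience that no matching policy allows, falling back to assignedAudience when the caller requests none, failing when no audience can be resolved, collecting the assigned scopes, copying only the inherited claim keys, and capping the validity at the configured maximum. It assumes that a [][]string subject is a list of alternatives, each a list of key=value tags that must all be present among the caller's claims, and that a requested audience is acceptable when at least one matching policy allows it; the policies and claims are constructed for the example.

```python
"""Model of how TokenScopePolicy objects shape a ServiceToken, following the
documented attribute semantics (added example; not the Console's code)."""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Set


@dataclass
class TokenScopePolicy:
    name: str
    subject: List[List[str]]  # assumed: OR of AND-lists of key=value tags
    assignedScopes: List[str] = field(default_factory=list)
    allowedAudiences: List[str] = field(default_factory=list)  # empty allows any
    assignedAudience: str = ""
    inheritedClaimKeys: List[str] = field(default_factory=list)
    fallback: bool = False
    disabled: bool = False


class TokenRequestRejected(Exception):
    """Raised where the documentation says the request is rejected."""


def parse_duration(value: str) -> int:
    """'15m' -> 900 seconds, for the [0-9]+[smh] durations the API uses."""
    units = {"s": 1, "m": 60, "h": 3600}
    if len(value) < 2 or value[-1] not in units or not value[:-1].isdigit():
        raise ValueError(f"bad duration {value!r}")
    return int(value[:-1]) * units[value[-1]]


def subject_matches(subject: List[List[str]], claims: Set[str]) -> bool:
    """One alternative matches when every tag in it is among the caller's claims."""
    return any(all(tag in claims for tag in alternative) for alternative in subject)


def resolve_service_token(policies: List[TokenScopePolicy], caller_claims: List[str],
                          requested_audience: str = "", validity: str = "15m",
                          max_validity: str = "1h") -> Dict[str, Any]:
    """Return the claims the issued token would carry."""
    claims = set(caller_claims)
    active = [p for p in policies if not p.disabled and subject_matches(p.subject, claims)]
    # Fallback policies are applied only when no other policy resolved.
    matched = [p for p in active if not p.fallback] or [p for p in active if p.fallback]
    if not matched:
        raise TokenRequestRejected("no token scope policy matches the caller")

    if requested_audience:
        # Assumed: the requested audience must be allowed by at least one matching policy.
        if not any(not p.allowedAudiences or requested_audience in p.allowedAudiences for p in matched):
            raise TokenRequestRejected(f"audience {requested_audience!r} is not allowed")
        audience = requested_audience
    else:
        assigned = [p.assignedAudience for p in matched if p.assignedAudience]
        if not assigned:
            raise TokenRequestRejected("no audience requested and none could be resolved")
        audience = assigned[0]

    scopes: Set[str] = set()
    inherited: Dict[str, str] = {}
    for p in matched:
        scopes.update(p.assignedScopes)
        for tag in caller_claims:  # copy only the claim keys the policy lists
            key, _, value = tag.partition("=")
            if key in p.inheritedClaimKeys:
                inherited[key] = value

    # A validity above the configured maximum is capped, not rejected.
    seconds = min(parse_duration(validity), parse_duration(max_validity))
    return {"aud": audience, "scopes": sorted(scopes), "validity_seconds": seconds, **inherited}


def resolve_or_reason(*args: Any, **kwargs: Any) -> Any:
    """Convenience wrapper: the token claims, or the rejection reason as a string."""
    try:
        return resolve_service_token(*args, **kwargs)
    except TokenRequestRejected as exc:
        return str(exc)


# Constructed sample data (not from the original page).
POLICIES = [
    TokenScopePolicy(
        name="billing-readers",
        subject=[["@auth:realm=oidc", "@auth:group=billing"]],
        assignedScopes=["billing:read"],
        allowedAudiences=["billing-api", "reports-api"],
        assignedAudience="billing-api",
        inheritedClaimKeys=["@auth:email"],
    ),
    TokenScopePolicy(name="default-any", subject=[["@auth:realm=oidc"]], assignedScopes=["ping"], fallback=True),
]
BILLING_USER = ["@auth:realm=oidc", "@auth:group=billing", "@auth:email=ada@example.com"]
HR_USER = ["@auth:realm=oidc", "@auth:group=hr"]

if __name__ == "__main__":
    print(resolve_or_reason(POLICIES, BILLING_USER, validity="24h"))
    print(resolve_or_reason(POLICIES, HR_USER))
```

The two failure paths worth noting are the ones the documentation calls out: a caller matched only by a fallback policy without an assignedAudience gets no token unless it asks for an audience explicitly, and a validity of 24h is silently cut back to the configured maximum rather than refused.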
visualization/depmaps

DependencyMap

Returns a data structure representing the graph of all processing units and their connections in a particular namespace, in a given time window. To pass the time window you can use the query parameters startAbsolute, endAbsolute, startRelative, endRelative.

For example:

/dependencymaps?startAbsolute=1489132800000&endAbsolute=1489219200000.

Relations

GET /dependencymaps

Retrieves the dependency map of a namespace.

Parameters:

  • tag (string): Only show objects with the given tags in the dependency map.
  • view (string): Set the view query for grouping the dependency map.
  • viewSuggestions (boolean): Also return the view suggestions.
  • endAbsolute (time): Set the absolute end of the time window.
  • endRelative (duration): Set the relative end of the time window.
  • startAbsolute (time): Set the absolute start of the time window.
  • startRelative (duration): Set the relative start of the time window.
  • flowOffset (duration): Deprecated. This does not do anything anymore.
  • q (string): Filtering query. Consequent q parameters will form an or.

Mandatory Parameters

(endRelative) or (startRelative) or (startRelative and endRelative) or (startRelative and endAbsolute) or (startAbsolute and endRelative) or (startAbsolute and endAbsolute)

Attributes

edges [read_only]

Type: map[string]graphedge

The edges of the map.

groups [read_only]

Type: map[string]graphgroup

Provides information about the group values.

nodes [read_only]

Type: map[string]graphnode

Refers to the nodes of the map.

viewSuggestions [read_only]

Type: []string

Provides suggested views based on relevant tags.

GraphEdge

Represents an edge from the dependency map.

Example

{
  "acceptedFlows": false,
  "destinationType": "ProcessingUnit",
  "encrypted": false,
  "observedAcceptedFlows": false,
  "observedEncrypted": false,
  "observedRejectedFlows": false,
  "rejectedFlows": false,
  "sourceType": "ProcessingUnit"
}

Relations

GET /graphedges

Retrieves the graph edges.

Parameters:

  • endAbsolute (time): Set the absolute end of the time window.
  • endRelative (duration): Set the relative end of the time window.
  • startAbsolute (time): Set the absolute start of the time window.
  • startRelative (duration): Set the relative start of the time window.
  • q (string): Filtering query. Consequent q parameters will form an or.

Mandatory Parameters

(endRelative) or (startRelative) or (startRelative and endRelative) or (startRelative and endAbsolute) or (startAbsolute and endRelative) or (startAbsolute and endAbsolute)

Attributes

acceptedFlows

Type: boolean

Indicates whether the edge carries accepted flows.

destinationController

Type: string

Name of the remote destination controller if different than the current one.

destinationID

Type: string

ID of the destination GraphNode of the edge.

destinationType

Type: enum(ProcessingUnit | ExternalNetwork | Namespace | Node | RemoteController)

Type of the destination GraphNode of the edge.

encrypted

Type: boolean

Indicates whether the edge carries encrypted flows.

firstSeen

Type: time

Contains the date when the edge was first seen.

flowID

Type: string

Identifier of the edge.

lastSeen

Type: time

Contains the date when the edge was last seen.

namespace

Type: string

Namespace of the object that reported the flow.

observedAcceptedFlows

Type: boolean

Indicates whether the edge carries accepted observed flows.

observedEncrypted

Type: boolean

Indicates whether the edge carries encrypted observed flows.

observedRejectedFlows

Type: boolean

Indicates whether the edge carries rejected observed flows.

rejectedFlows

Type: boolean

Indicates whether the edge carries rejected flows.

remoteNamespace

Type: string

Namespace of the object that was targeted by the flow.

sourceController

Type: string

Name of the remote source controller if different than the current one.

sourceID

Type: string

ID of the source GraphNode of the edge.

sourceType

Type: enum(ProcessingUnit | ExternalNetwork | Namespace | Node | RemoteController)

Type of the source GraphNode of the edge.

GraphGroup

Represents a group of nodes from the dependency map.

Attributes

ID

Type: string

Identifier of the group.

color

Type: string

Color to use for the group.

match

Type: [][]string

List of tags that were used to create this group.

name

Type: string

Name of the group.

parentID

Type: string

ID of the parent group, if any.

GraphNode

Represents a node from the dependency map.

Example

{
  "type": "Docker",
  "unreachable": false
}

Relations

GET /graphnodes

Retrieves the graph nodes.

Parameters:

  • endAbsolute (time): Set the absolute end of the time window.
  • endRelative (duration): Set the relative end of the time window.
  • startAbsolute (time): Set the absolute start of the time window.
  • startRelative (duration): Set the relative start of the time window.
  • archived (boolean): Also retrieve the objects that have been archived.
  • q (string): Filtering query. Consequent q parameters will form an or.

Mandatory Parameters

(endRelative) or (startRelative) or (startRelative and endRelative) or (startRelative and endAbsolute) or (startAbsolute and endRelative) or (startAbsolute and endAbsolute)

Attributes

ID

Type: string

Identifier of object represented by the node.

enforcementStatus

Type: string

Enforcement status of processing unit represented by the node.

firstSeen

Type: time

Contains the date when the node was first seen.

groupID

Type: string

ID of the group the node is eventually part of.

images

Type: []string

List of images.

lastSeen

Type: time

Contains the date when the node was last seen.

name

Type: string

Name of object represented by the node.

namespace

Type: string

Namespace of object represented by the node.

status

Type: string

Status of object represented by the node.

tags

Type: []string

Tags of object represented by the node.

type

Type: enum(Docker | ExternalNetwork | Volume | Claim | Node | Namespace | RemoteController)

Type of object represented by the node.

unreachable

Type: boolean

If true the node is marked as unreachable.

vulnerabilityLevel

Type: string

Vulnerability level of the object represented by the node.

IPInfo

Provides information about IP address resolution.

Relations

GET /ipinfos

Returns information about the IP addresses given as parameters.

Parameters:

  • ip (string): List of IPs to resolve.

Mandatory Parameters

ip

Attributes

IP [autogenerated,read_only]

Type: string

The IP address.

error [autogenerated,read_only]

Type: string

Error that occurred during resolution.

records [autogenerated,read_only]

Type: map[string]string

List of DNS records associated with the IP address.

PolicyGraph

Returns a data structure representing the policy graph of all selected processing units and their possible connectivity based on the current policies associated with the namespace. Users can define a selector of processing units in which they are interested or define the identity tags of a virtual processing unit that is not yet activated.

Example

{
  "policyType": "Authorization",
  "selectors": [
    [
      "$identity=processingunit"
    ]
  ]
}

Relations

POST /policygraphs

Retrieve a policy graph.

Parameters:

  • view (string): Set the view query for grouping the dependency map.

Attributes

PUIdentity

Type: []string

The set of tags that a future-activated processing unit will have for which the user wants to evaluate policies and understand its connectivity options.

dependencyMap

Type: dependencymap

Contains the output of the policy evaluation. It is the same type of dependency map as created by other APIs.

policyType

Type: enum(Authorization | Infrastructure | Combined)

Identifies the type of policy that should be analyzed: Authorization (default), Infrastructure, or Combined.

Default value:

"Authorization"

selectors

Type: [][]string

Contains the tag expression that a processing unit must match in order to evaluate policy for it.

SuggestedPolicy

Allows you to obtain network policy suggestions.

Relations

GET /suggestedpolicies

Retrieves a list of network policy suggestions.

Parameters:

  • filterAction (enum(include | exclude)): Action to take with the filter tags.
  • filterTags (string): Tags to filter in the policy suggestions.
  • endAbsolute (time): Set the absolute end of the time window.
  • endRelative (duration): Set the relative end of the time window.
  • startAbsolute (time): Set the absolute start of the time window.
  • startRelative (duration): Set the relative start of the time window.
  • flowOffset (duration): Deprecated. This does not do anything anymore.

Mandatory Parameters

(endRelative) or (startRelative) or (startRelative and endRelative) or (startRelative and endAbsolute) or (startAbsolute and endRelative) or (startAbsolute and endAbsolute)

Attributes

networkAccessPolicies

Type: []networkaccesspolicy

List of suggested network policies.

visualization/metrics

Metrics

Prometheus-compatible endpoint to evaluate an expression query over a range of time. This can be used to retrieve Aporeto-specific metrics for a given namespace. All queries are protected within the namespace of the caller.

Example

{
  "end": "2015-07-01T20:11:00.781Z",
  "query": "flows{namespace=~\"/mycompany.*\"}",
  "start": "2015-07-01T20:11:00.781Z",
  "step": "15s"
}

Relations

GET /metrics

Evaluates an expression query over a range of time returning a “matrix” result type.

Parameters:

  • end (string): End timestamp.
  • query (string): Prometheus expression query string.
  • start (string): Start timestamp.
  • step (string): Query resolution step width in duration format or float number of seconds.

Mandatory Parameters

query

POST /metrics

Evaluates an expression query over a range of time returning a “matrix” result. This has the same behavior as the GET request, however it is useful when specifying a large query that may breach server-side URL character limits. In such a case, you can URL-encode the parameters that would be used for a GET request directly in the request body by using the POST method and Content-Type: application/x-www-form-urlencoded header.

Attributes

end

Type: string

End timestamp.

query [required]

Type: string

Prometheus expression query string. For POST requests it is carried, URL-encoded, in the request body.

start

Type: string

Start timestamp.

step

Type: string

Query resolution step width in duration format or float number of seconds.

visualization/reportsquery

ReportsQuery

Supports querying Aporeto reports. All queries are protected within the namespace of the user.

Example

{
  "descending": false,
  "limit": -1,
  "offset": -1,
  "report": "Flows"
}

Relations

POST /reportsqueries

Sends a query on report data.

Parameters:

  • endAbsolute (time): Set the absolute end of the time window.
  • endRelative (duration): Set the relative end of the time window.
  • startAbsolute (time): Set the absolute start of the time window.
  • startRelative (duration): Set the relative start of the time window.

Mandatory Parameters

(endRelative) or (startRelative) or (startRelative and endRelative) or (startRelative and endAbsolute) or (startAbsolute and endRelative) or (startAbsolute and endAbsolute)

Attributes

descending

Type: boolean

If set, the results will be ordered by time from the most recent to the oldest.

fields

Type: []string

List of fields to extract. If you don’t pass anything, all available fields will be selected.

filter

Type: string

Apply a filter to the query.

groups

Type: []string

Group results by the provided values. Note that not all fields can be used to group the results.

limit

Type: integer

Limits the number of results. -1 means no limit.

Default value:

-1

offset

Type: integer

Offsets the results. -1 means no offset.

Default value:

-1

report

Type: enum(Flows | Audit | Enforcers | Files | EventLogs | Packets | Counters | Accesses | DNSLookups)

Name of the report type to query.

Default value:

"Flows"

results [autogenerated,read_only]

Type: []reportsqueryresults

Contains the result of the query.

ReportsQueryResults

Represent the results of a reports query.

Attributes

fields

Type: []string

List of projected fields.

groups

Type: map[string]interface{}

Values of the group keys these results belong to, keyed by field name.

values

Type: [][]interface{}

List of values associated with the projected fields.

visualization/statsquery

StatsInfo

Lists the fields and tags available in a statistics measurement.

Example

{
  "measurement": "Flows"
}

Relations

POST /statsinfo

Retrieves information about the content of the stats measurement.

Attributes

fields [autogenerated,read_only]

Type: map[string]string

Contains the list of fields. You cannot group by these fields.

measurement

Type: enum(Flows | Audit | Enforcers | Files | EventLogs | Counters | Accesses | Packets | DNSLookups | PingReports)

Name of the measurement.

Default value:

"Flows"

tags [autogenerated,read_only]

Type: []string

Contains the list of tags. You can group by these tags.

StatsQuery

Retrieves time-series data stored by the Microsegmentation Console. Allows different types of queries that are all protected within the namespace of the user.

Example

{
  "descending": false,
  "limit": -1,
  "measurement": "Flows",
  "offset": -1
}

Relations

POST /statsqueries

Sends a query on statistical data.

Parameters:

  • endAbsolute (time): Set the absolute end of the time window.
  • endRelative (duration): Set the relative end of the time window.
  • startAbsolute (time): Set the absolute start of the time window.
  • startRelative (duration): Set the relative start of the time window.
  • q (string): Filtering query. Consequent q parameters will form an or.

Mandatory Parameters

(endRelative) or (startRelative) or (startRelative and endRelative) or (startRelative and endAbsolute) or (startAbsolute and endRelative) or (startAbsolute and endAbsolute)

Attributes

descending

Type: boolean

If set, the results will be ordered by time from the most recent to the oldest.

fields

Type: []string

List of fields to extract. If you don’t pass anything, all available fields will be returned. It is also possible to use a function like sum(value).

filter

Type: string

Apply a filter to the query.

groups

Type: []string

Group results by the provided values. Note that not all fields can be used to group the results.

limit

Type: integer

Limits the number of results. -1 means no limit.

Default value:

-1

measurement

Type: enum(Flows | Audit | Enforcers | Files | EventLogs | Packets | EnforcerTraces | Counters | Accesses | DNSLookups | PingReports)

Name of the measurement.

Default value:

"Flows"

offset

Type: integer

Offsets the results. -1 means no offset.

Default value:

-1

results [autogenerated,read_only]

Type: []timeseriesqueryresults

Contains the result of the query.

TimeSeriesQueryResults

Represent the results of a stats query.

Attributes

rows

Type: []timeseriesrow

List of rows.

TimeSeriesRow

Represents a time-series row.

Attributes

columns

Type: []string

Columns of the row.

name

Type: string

Name of the row.

tags

Type: map[string]string

List of tags.

values

Type: [][]interface{}

List of values; each entry holds one value per column, in the order given by columns.