Enhancing Security with Gatekeeper
When you deploy an application, the tracked resources exposed by the application might become accessible for a short amount of time due to a lapse in security. Because the policies for those resources are not yet applied, the API might receive unwanted traffic. GateKeeper prevents this situation by blocking the tracked resource until all policies are retrieved and applied without errors.
Starting with CloudHub 4.2.2, Mule runtime engine (Mule) keep APIs blocked until the contracts of the API are successfully downloaded from the Management plane in case the policy requires contracts and if Gatekeeper is enabled. Gatekeeper waits until contracts are available to unblock the API.
In earlier versions of Mule, APIs were unblocked after the runtime successfully applied all the policies. For example, if the API had the Client ID Enforcement policy applied, a request with valid credentials was rejected.
This CloudHub update behaves the same way with strict and flexible Gatekeeper modes. Contracts are considered available if they are downloaded from the Contracts Service before or after Mule is restarted.
Out of the box policies that might require contracts include:
How Gatekeeper Works
The Gatekeeper mechanism is engaged only when you restart the runtime or redeploy a tracked resource that is linked with an API instance when automatically discovered. When Gatekeeper is engaged, each tracked resource is blocked, resulting in a 503 - Service Unavailable HTTP status code, until all API instance policies are applied in API Manager without errors.
Resources not linked to an API instance when automatically discovered are ignored by Gatekeeper. Additionally, you cannot apply any policies to these resources, and no analytics information is generated. If you lose connectivity after the Mule instance is restarted or the tracked Mule application is redeployed, you use cached policies, configuration, and contracts, even if Gatekeeper is not enabled.
When Gatekeeper is engaged, if a tracked resource has a malformed or incorrectly defined policy applied, the tracked resource is blocked, resulting in a 503 - Service Unavailable HTTP status code`. The resource reamains blocked until the offending policy is removed from API Manager. Mule runtime caches all policies and active contracts locally.
Security Levels
To enable or disable Gatekeeper functionality, you can configure the following property with a specific security level:
anypoint.platform.gatekeeper
For example, to configure the flexible security level, you must specify the following property:
anypoint.platform.gatekeeper=flexible
-
Valid Values for Mule 4 Security Levels
-
strict -
flexible -
disabled
-
For Mule runtime versions 4.8.0 or later. Gatekeeper blocks requests when editing the policy configurations. The Gatekeeper does not block requests when editing policy order. To disable Gatekeeper during editing, set the anypoint.platform.gatekeeper property to false:
anypoint.platform.gatekeeper.block_edit=false
Security Level Definitions
You can apply false, disabled, true, strict, or flexible security levels to Gatekeeper, as explained in the following table:
Security level |
Description |
|
Gatekeeper does not apply any security. With this setting, the API might receive unwanted traffic during the period while the policies are being applied. |
|
Gatekeeper security is set to its maximum level. When the Mule instance is restarted, the API is blocked with a |
|
Gatekeeper security is set to intermediate level. When the Mule instance is restarted, the API is blocked with a |