Managing access to the Admin API

The Event Endpoint Management Admin API provides a set of APIs you can use to access the features of Event Endpoint Management programmatically without depending on the browser-based UI.

To make API requests to Event Endpoint Management, you require an access token.

The following features are available by using the Admin API:

• Clusters (Create, Read, Update, Delete)
• Event sources (Create, Read, Update, Delete)
• Topic entries (Publish, Unpublish, Archive)
• Subscriptions (Create, Read, Update, Delete)
• Gateways (Read gateway list)

Prerequisites

If you installed Event Endpoint Management on the OpenShift Container Platform, the Event Endpoint Management Admin API is enabled by default and is accessible from outside the cluster.

If you installed Event Endpoint Management on a Kubernetes platform other than OpenShift, ensure you configure the admin service endpoint for the Admin API by setting the correct values in the spec.manager.endpoints[] section of the EventEndpointManagement custom resource that defines your Event Endpoint Management instance.

By default, the type of exposure for the admin endpoint is external, which makes the Admin API available from outside the cluster. If you want to limit access to the API only from within the cluster’s internal network, set type as internal.

Note: To manage access to Event Endpoint Management, authorization is provided through role mappings. When using OpenID Connect (OIDC) authorization and a custom claim from your OIDC provider, retrieving authorization depends on whether your provider supports offline access or not.

• If your OIDC provider supports the offline access scope, you can retrieve authorizations for a user when the user is not logged into the UI. To use this feature, ensure offline_access is added to the additional scopes configuration.

• If your OIDC provider does not support the offline_access scope, or you do not want to use it, ensure you add the user to the role mappings file. For information about adding the offline_access scope, see setting up authorization with a custom role identifier.

  Important: When using offline_access, your provider might control how long the offline session can last before expiring. If the session lifetime is shorter than the lifetime of Event Endpoint Management tokens (90 days), then the user might receive unauthorized error responses when trying to make API calls with their token. To use the API again, the user must log in to the Event Endpoint Management UI again to retrieve a new offline access token.

API access tokens

To make API requests to Event Endpoint Management, you require an access token. You can create and manage tokens in the Profile page. The Profile page displays the current Event Endpoint Management organization that you are a member of, and the list of any previously created tokens.

You can also use access tokens to set up integration with Event Streams, so you can share your topics with Event Endpoint Management from the Event Streams UI.

Every user in Event Endpoint Management is a member of the organization called eem. This organization value is required for making API requests.

Note: The access token is only displayed in the Event Endpoint Management UI when it is generated, and it cannot be retrieved later in the UI or through any API. If you forget the token, you need to delete it from the list of tokens and create a new one.

Creating a token

To create an access token, complete the following steps:

1. Log in to your Event Endpoint Management UI from a supported web browser (see how to determine the login URL for your Event Endpoint Management instance).
2. Click the user icon in the header, and then click Profile to open the Profile page.
3. Within the Profile page, click Create token to open the dialog.
4. Read the message and note that API access tokens expire.
5. Provide a token description that can be used to identify your token and then click Create.

6. A new token is generated.

   • To view the token, click Show token within the Token field.
   • To copy the token, click Copy token.

   Note: The API access token is displayed one time, it cannot be retrieved later. Ensure you copy and save the token. If you forget the token, you need to delete it from the list of tokens and create a new token to access the API.

7. Click Close to close the dialog.

The created token is added to the Tokens table.

Removing a token

Token entries are displayed in the Tokens table on the Profile page until they are deleted. You can delete expired tokens or tokens that are no longer required.

Note: API requests that use an expired token are rejected by Event Endpoint Management.

To delete a token, complete the following steps:

1. Log in to your Event Endpoint Management UI from a supported web browser (see how to determine the login URL for your Event Endpoint Management instance).
2. Click the user icon in the header, and then click Profile to open the Profile page.
3. Click Delete in the row of the token you want to remove.
4. Read the Delete token warning, and provide confirmation by entering the token description in the field exactly as it is displayed in the message.
5. Click Delete. Important: Deleting a token is permanent and cannot be reversed.