Working with global policies
Use global policies to configure policy assemblies that are called just before, or just after, each of your API assemblies is called, or when an error is thrown. You can upload global policies into each of the gateway services in your Catalogs, and then designate, for each gateway service, which global policy should be called before an API assembly is called, after an API assembly is called, or if an error occurs when an API assembly is called. The designated global policies are applied to all the APIs that are deployed to the associated gateway service.
Prerequisites
IBM® DataPower® Gateway version that is compatible with your deployed version of API Connect.
To complete the global
policy management tasks described in this topic, you must be the owner of the provider organization,
or be assigned a role that has the Settings:Manage
permission. The pre-supplied Administrator role has this permission by default; if
you are assigned a custom role it must have this permission.
For more information, see Creating custom
roles.
Overview
- If you are using the DataPower Gateway (v5 compatible), there can be only
one
proxy
policy across the combined pre-request, API, and post-response assembly flows. - Catalog properties, as described in Creating and configuring Catalogs, and API properties, as described in Setting API properties, are not supported with global policies. Therefore, if you use such properties in a global policy, they are not replaced with the values specified in the API or Catalog property definitions.
global-policy: 1.0.0
info:
name: global_policy_name
title: global_policy_title
version: global_policy_version
gateways:
- gateway_type
assembly:
- policy_assembly_to_be_called
where
gateway_type has the value datapower-gateway
if you want to use
the global policy in a DataPower Gateway (v5 compatible), and
datapower-api-gateway
if you want to use the global policy in a DataPower API Gateway. For more
information on the different types of gateway, see API Connect gateway
types.The assembly
section for a pre-request or post-response global policy can
contain any valid API assembly flow. For more information, see the execute section.
The assembly
section for an error global policy can
only contain a catch
extension in the assembly, an execute
section
is not valid. For details of the catch
extension, see catch.
Sample global policy .yaml file for pre-request or post-reponse
global-policy: 1.0.0
info:
name: sample-policy
title: Sample Policy
version: 2.0.0
gateways:
- datapower-api-gateway
assembly:
execute:
- invoke:
target-url: http://myhost.com/mytarget
version: 2.0.0
catch:
- errors:
- ConnectionError
execute:
- activity-log:
title: activity-log
content: activity
error-content: payload
version: 2.0.0
Sample error global policy .yaml file
catch
extension in the assembly.global-policy: 1.0.0
info:
name: sample-error-policy
title: Sample Error Policy
version: 2.0.0
gateways:
- datapower-api-gateway
assembly:
catch:
- errors:
- ConnectionError
execute:
- activity-log:
title: activity-log
content: activity
error-content: payload
version: 2.0.0
- errors:
- SOAPError
execute:
- xslt:
version: 2.0.0
title: xslt
input: true
source: |-
<!-- Placeholder -->
<xsl:stylesheet xmlns:xsl=''/>
Logging in to the Management server
apic login --server mgmt_endpoint_url --username user_id --password password --realm provider/identity_provider
--realm
parameter by entering the following command to see a list of all available
identity providers (you do not need to be logged in to use this
command):apic identity-providers:list --scope provider --server mgmt_endpoint_url --fields title,realm
For example,apic identity-providers:list --scope provider --server myserver.com --fields title,realm
total_results: 2
results:
- title: API Manager User Registry
realm: provider/default-idp-2
- title: Corporate LDAP user registry
realm: provider/corporate-ldap
The title
value should enable you to determine which identity provider to use;
you can then copy the corresponding --realm
parameter directly from the displayed
realm
value. For any identity providers that were created by your
administrator after API Connect was installed,
the names will have been determined at creation time. The default API Manager Local User Registry
for login as a member of a provider organization is default-idp-2
.For full details of the apic login
command, see Logging in to a management server.
Uploading a global policy to a gateway service
apic global-policies:create --catalog catalog_name --configured-gateway-service gateway_service_name --org organization_name --server mgmt_endpoint_url --scope scope [--space space] filename
where:- catalog_name is the value of the
name
property of the Catalog that contains the gateway service to which you want to upload the global policy. - gateway_service_name is the value of the
name
property of the gateway service. - organization_name is the value of the
name
property of the provider organization that contains the Catalog. - mgmt_endpoint_url is the platform API endpoint URL.
- scope has one of the following values:
catalog
if the Catalog does not have Spaces enabled.space
if the Catalog has Spaces enabled. If you specifyspace
for the--scope
parameter you must also supply the--space
parameter to specify the Space that contains the gateway service.
- (optional) space is the name of the Space that contains
the gateway service. The
--space
parameter is required if the Catalog has Spaces enabled, in which case you must also include--scope space
in the command. - filename is the name of the global policy .yaml file that you want to upload.
apic global-policies:list-all --catalog catalog_name --configured-gateway-service gateway_service_name --org organization_name --server mgmt_endpoint_url --scope scope [--space space]
For reference details of the apic global-policies
commands, see the toolkit CLI reference documentation.
Designating the pre-request global policy
apic
global-policy-prehooks:update
command. To remove the pre-request global policy designation,
use the apic global-policy-prehooks:delete
command.For reference details of the apic global-policy-prehooks
commands, see the toolkit CLI reference documentation.
By default, whenever an API is called, a series of policies, called the preflow policies, are invoked prior to the policy assembly configured in the API definition. However, by using a pre-request global policy you can, if required, fully customize the behavior of these policies, controlling if and when they are invoked, and with what customization. For more information, see Customizing the preflow policies.
Designating the post-response global policy
apic
global-policy-posthooks:update
command. To remove the post-response global policy
designation, use the apic global-policy-posthooks:delete
command.For reference details of the apic global-policy-posthooks
commands, see the
toolkit CLI reference documentation.
Designating the error global policy
The error global policy is applied to an error caught in the API pre-request, assembly, and post-response stages unless any of those stages has its own error rule defined for the same error, in which case that error rule takes priority.
To replace the designated error global policy with another policy, repeat steps 1 and 2, then use the apic
global-policy-errors:update
command. To remove the error global policy designation, use the
apic global-policy-errors:delete
command.
For reference details of the apic global-policy-errors
commands, see the toolkit CLI reference documentation.