Illumio Core REST API in 21.5
The Illumio Core REST API v2 has changed in 21.5.0 in the following ways.
New Public Stable APIs
Lots of APIs have changed exposure from Public Experimental to public Stable.
Public Experimental APIs changed to Public Stable APIs
audit_event_min_severity.schema.jsondestination_get.schema.jsonhealth_definitions.schema.jsonhealth_get.schema.jsonhealth_status_percent.schema.jsonorgs_access_restrictions_get.schema.jsonorgs_access_restrictions_post.schema.jsonorgs_access_restrictions_put.schema.jsonorg_scope.schema.jsonorgs_permission_get.schema.jsonorgs_permission.schema.jsonorgs_permissions_get.schema.jsonorgs_permissions_post.schema.jsonorgs_permissions_put.schema.jsonpairing_profiles_get.schema.jsonpairing_profiles_post.schema.jsonpairing_profiles_put.schema.jsonpermission_uri.schema.jsonresource_update_info.schema.jsonsettings_events_get.schema.jsonsettings_events_put.schema.jsonsettings_syslog_destinations_get.schema.jsonsettings_syslog_destinations_post.schema.jsonsettings_syslog_destinations_put.schema.jsonsettings_traffic_collector_get.schema.jsonsettings_traffic_collector_post.schema.jsonsettings_traffic_collector_put.schema.jsonsettings_trusted_proxy_ips_get.schema.jsonsettings_trusted_proxy_ips_put.schema.jsonsettings_workload.schema.jsonsettings_workloads_get.schema.jsonsettings_workloads_put.schema.jsonusers_post.schema.jsonworkloads_bulk_create_put.schema.jsonworkloads_bulk_delete_put.schema.jsonworkloads_bulk_update_put.schema.json
New Public Experimental APIs
APIs for Managing Core Services
Users have the ability to change port numbers on which a specific core service is running so that they can adjust them to their environment. They cannot change ports using the UI, only the APIs.
The user authorized to manage core services is the Organization Administrator.
Common schemas for managing core services
core_services_labels.schema.jsoncore_services_type_ports_def.schema.jsoncore_services_type_ports.schema.json
Core Services Methods
Functionality | HTTP | URI |
|---|---|---|
Fetch all detected core services for this org. Retrieve and examine core services identified by the PCE. |
|
|
Get a detected core service by UUID |
|
|
Get detected core service summary details. Retrieve a summary of the detected core services. |
|
|
Get a detected core service by UUID. Accept, reject or skip the core service recommendation. Take the appropriate action for the identified core services: accept the recommendation to apply the suggested labels to the workload. |
|
|
Fetches all core service types for this org. Get the list of core service types, including:
This information has previously been referred to as the core service 'bible'. |
|
|
Fetches core service type by UUID |
|
|
Edit suggested labels of a core service type for the organization. |
|
|
New Parameters for Core Services
Parameter | Description |
|---|---|
| Maximum number of results to be returned |
| Action that is taken on the detected core services such as accept/skip/reject. |
| Get all detected core services of a particular type, such as Splunk/NFS. The hrefwill be given in the query parameter. |
Sample URLs and Payloads
GET /api/v2/orgs/1/detected_core_services/ ddfe5204-ad29-4bcd-9821-fcb62353a985
{
"href" : "/orgs/1/detected_core_services/ddfe5204-ad29-4bcd-9821-fcb62353a985" ,
"ip_address" : "103.10.11.44" ,
"workload" : {
"hostname" : "SE555Q5" ,
"href" : "/orgs/2/workloads/e62d71b3-36c4-4c27-926b-411b93ba6d6f" ,
"labels" : []
},
"core_service_type" : {
"href" : "/orgs/1/core_service_type/3555d1e4-fcb2-49c2-9a4a-215c4d5e86dc"
},
"confidence" : 100 ,
"method_name" : "process_based" ,
"created_at" : "2020-08-04T05:02:46.648Z" ,
"updated_at" : "2020-08-04T05:02:46.648Z" ,
"last_detected_at" : "2020-09-05T05:02:46.648Z"
} PUT /api/v2/orgs/1/detected_core_services/3ddd5204-ad29-4bcd-9821-fcb62353a98f
Example 1 :
{ "action" : "accept" }
Example 2 :
{ "action" : "accept" , "workload" :{ "href" :
"/orgs/2/workloads/e62d71b3-36c4-4c27-926b-411b93ba6d6f" }} #
for the case when an IP is converted to UMWL and
accepted as core service
Example 3 :
{ "action" : "reject" }
Example 4 :
{ "action" : "reject" , "feedback" : "Not a core service." }
Example 5 :
{ "action" : "skip" , "feedback" : "Check with Ops if this
is a core service." }
Example 6 :
{ "labels_applied" : true }GET /api/v2/orgs/ :xorg_id /core_service_types/44dd5204-ad29-4bcd-9821-fcb62353a98f
{
"href" : "/orgs/2/core_service_type/44dd5204-ad29-4bcd-9821-fcb62353a98f" ,
"core_service" : "splunk" ,
"required_ports" :[{ "port" : 9997 , "to_port" : 10000 }],
"optional_ports" :[{ "port" : 112 }, { "port" : 455 }],
"labels" : [
{
"value" : "app-splunk" ,
"key" : "app"
"href" : "/orgs/1/labels/2"
},
{
"value" : "role-splunk" ,
"key" : "role" ,
"href" : "/orgs/1/labels/12"
} ],
"created_at" : "2020-08-04T05:02:46.648Z" ,
"updated_at" : "2020-08-05T05:02:46.648Z"
}PUT /api/v2/orgs/ :xorg_id /core_service_types/44dd5204-ad29-4bcd-9821-fcb62353a98f
{
"labels" : [
{
"href" : "/orgs/1/labels/3"
},
{
"href" : "/orgs/1/labels/10"
}]
}Optional Features
This API was introduced to help avoid issues with misconfigured DNS, which can cause problems with VEN connectivity. Likewise, misconfiguring DHCP can cause problems with IP addresses.
When you invoke /optional_features API to enable editable_dns_client_rule or editable_dhcp_client_rule , a key is required. Such a key involves a portion that is tightly controlled so that it cannot be randomly generated.
Once the key is generated, it cannot be used in more than one place, which means that an API call provided to customer #1 cannot be replayed at customer #2 who must request their own key.
An example of the generated key:
secret = '...' # value embedded in code
data = Base64.strict_encode64({
'pce_fqdn' => Illumio::RuntimeEnvironment.pce_fqdn,
'org_id' => xorg_id,
'optional_feature' => 'editable_dns_client_rule' ,
'not_valid_after' => Time.now.utc.iso8601
})
key = data + OpenSSL::HMAC.hexdigest( 'SHA256' , secret, data)A new schema as well as two endpoints were added:
optional_feature.schema.jsonoptional_features_getGet the optional features collection
optional_features_putSet the optional features for an organization
PUT /orgs/ 1 /optional_features
[
{ "name" : "editable_dns_client_rule, " enabled ": true,
" key": ( key as generated above )}
]orgs_roles_get
The APIs GET roles and GET role_name have been promoted from Internal to Public Experimental.
They allow the users to list user roles and role names:
/orgs/:xorg_id/roles, GETGet the roles in the org
/orgs/:xorg_id/roles/:role_name, GETGet information for this role name
Support Bundle Requests
Several APIs have been introduced to provide a mechanism to generate a support bundle on each node, including a time range and possibly additional options.
The APIs have the following functions:
/orgs/:xorg_id/support_bundle_requests, GETReturn the collection of PCE support bundle requests
/orgs/:xorg_id/support_bundle_requests, POSTCreate a PCE support bundle request
/orgs/:xorg_id/support_bundle_requests/:uuid, DELETEDelete a PCE support bundle request
/orgs/:xorg_id/support_bundle_requests/:uuid, GETReturn a specific PCE support bundle request
Common Schema rule_network_type
This new common schema defines the network types to which a rule should apply.
This schema exposure is both Public Stable and Public Experimental.
{
$schema": "http://json-schema.org/draft-04/schema#",
"description": "Network types that this rule should apply to.",
"type": "string",
"enum": ["brn", "non_brn", "all"],
"default": "brn"
}This common schema is referenced from multiple APIs, such as:
sec_policy_rule_sets_putsec_policy_rule_sets_sec_rules_getsec_policy_rule_sets_sec_rules_postsec_policy_rule_sets_sec_rules_put
Traffic Flows
The new APIs are:
traffic_flows_all_actors_param.schema.jsotraffic_flows_label_group_param.schema.json
Changed APIs
agents_get
This API was DEPRECATED and replaced (use /orgs/:xorg_id/vens/:ven_uuid instead).
Security Policy Changes
sec_policy_delete_put
C
"properties": {
"change_subset": {
"$ref": "sec_policy_change_subset.schema.json"
}sec_policy_dependencies_post
All properties have been deleted and substituted with two properties:
"required": [
"operation",
"change_subset"
],
"properties": {
"operation": {
"description": "Commit or revert",
"type": "string",
"enum": [
"commit",
"revert"
]
},
"change_subset": {
"$ref": "sec_policy_change_subset.schema.json"
}
}sec_policy_get
Property "version" changed type from string to integer
Property workload_affected changed type from integer to (integer, null)
Property commit_message changed type from string to (string, null)
sec_policy_label_groups_get.schema
Additional required properties are:
blocked_connection_reject_scopes"description": "Label Group is referenced by Blocked Connection Reject Scopes",
"type": "boolean"
loopback_interfaces_in_policy_scopes"description": "Label Group is referenced by Loopback Interfaces in Policy Scopes",
"type": "boolean"
ip_forwarding_enabled_scopes"description": "Label Group is referenced by IP Forwarding Enabled Scopes",
"type": "boolean"
Property deleted:
blocked_connection_reject_scope"description": "Label Group is referenced by Blocked Connection Reject Scope",
"type": "boolean"
sec_policy_pending_get.schema
This schema is changed as follows:
The required object "affected_workloads" was deleted
The property firewall_settings (Firewall settings updated by the current policy draft) is now changed and only contains a reference:
},
"firewall_settings": {
"$ref": "../common/sec_policy_pending_objects.schema.json"sec_policy_post.schema
In 21.4.0, this schema contained a hash of pending hrefs organized by model:
{
"$schema": "http://json-schema.org/draft-04/schema#",
"type": "object",
"additionalProperties": false,
"properties": {
"update_description": {
"description": "Optional description for the
requested change or update.",
"type": "string"
},
"change_subset": {
"description": "Hash of pending hrefs,
organized by model",
............
...........All these properties (label_groups, services, rule_sets, ip_lists, virtual_services and so on are now replaced with a reference to a schema sec_policy_change_subset.schema.json.
Traffic Flows Changes
traffic_flows_destination_exclude_array.schema
This schema contains a list of excluded sources or targets. One more item was added:
"$ref": "traffic_flows_label_group_param.schema.json"
traffic_flows_destination_include_array_list.schema
This schema contains a list of included sources or targets. Two more items have been added:
"$ref": "traffic_flows_label_group_param.schema.json"
"$ref": "traffic_flows_all_actors_param.schema.json"
traffic_flows_exclude_array,schema
This schema contains a list of excluded sources or targets. One more item was added:
"$ref": "traffic_flows_label_group_param.schema.json"
traffic_flows_include_array_list,schema
This schema contains a list of included sources or targets. Two more items have been added:
"$ref": "traffic_flows_label_group_param.schema.json"
"$ref": "traffic_flows_all_actors_param.schema.json"
traffic_flows_virtual_service,schema
This schema supplies virtual service details of the traffic-flow endpoint.
One more additional optional property was added:
},
"workload_enforcement_mode": {
"$ref": "../common/workload_enforcement_mode.schema.json"
}traffic_flows_traffic_analysis_queries_post_response.schema
This schema provides a list of traffic flows matching the query.
The object "network" was added at the end with additional properties name and href.
},
"network": {
"type": "object",
"description": "PCE network on which this flow was observed.",
"additionalProperties": false,
"properties": {
"name": {
"description": "The network name.",
"type": "string"
},
"href": {
"type": "string",
"description": "network href"
}
}