feat: unprotected API for C8Run (#5145)

* feat: unprotected API for C8Run * update headers, auth steps --------- Co-authored-by: Cole Garbo <cole.garbo@camunda.com>
camunda · Mar 6, 2025 · 98da588 · 98da588
1 parent a296506
commit 98da588
Showing 1 changed file with 15 additions and 37 deletions.
diff --git a/docs/self-managed/setup/deploy/local/c8run.md b/docs/self-managed/setup/deploy/local/c8run.md
@@ -116,57 +116,35 @@ Once configured correctly, your Connectors are available for use in Modeler.
 
 ### Use Camunda APIs
 
-Camunda 8 Run authenticates with the [Tasklist](/apis-tools/tasklist-api-rest/tasklist-api-rest-overview.md), [Operate](/apis-tools/operate-api/overview.md), and [Zeebe](/apis-tools/zeebe-api/grpc.md) APIs, as well as the unified [Camunda 8 REST API](/apis-tools/camunda-api-rest/camunda-api-rest-overview.md), by including cookie headers in each request. This cookie can be obtained by using the API endpoint `/api/login`.
+All served Camunda APIs are by default **unprotected** in Camunda 8 Run, and can be accessed without any authentication credentials or token provided.
 
-To authenticate and begin making requests, take the following steps:
+The available APIs are [Tasklist V1](/apis-tools/tasklist-api-rest/tasklist-api-rest-overview.md), [Operate V1](/apis-tools/operate-api/overview.md), [Zeebe gRPC](/apis-tools/zeebe-api/grpc.md) and the unified [Camunda 8 REST API](/apis-tools/camunda-api-rest/camunda-api-rest-overview.md)
 
-<Tabs groupId="api" defaultValue="v1" queryString values={
-[
-{label: 'Tasklist, Operate, and Zeebe', value: 'v1' },
-{label: 'Camunda 8 REST API', value: 'v2' },
-]}>
+### Enable authentication and authorization
 
-<TabItem value='v1'>
+To work with authorizations, API authentication and authorization enforcement must be enabled. The following minimal `application.yaml` shows the required configuration for the APIs and authorizations:
 
-1. Log in as user 'demo' and store the cookie in the file `cookie.txt`:
-
-```shell
-curl --request POST 'http://localhost:8080/api/login?username=demo&password=demo' \
-  --cookie-jar cookie.txt
+```yaml
+camunda.security:
+  authentication.unprotected-api: false
+  authorizations.enabled: true
 ```
 
-2. Send the cookie (as a header) in each API request. In this case, request all process definitions:
+Place the above `application.yaml` into your root `/c8run` folder, provide it to Camunda 8 Run at startup using the `--config` [flag](#configuration-options):
 
-```shell
-curl --request POST 'http://localhost:8080/v1/process-definitions/search'  \
-  --cookie cookie.txt \
-  --header 'Content-Type: application/json' \
-  --data-raw '{}'
 ```
-
-</TabItem>
-<TabItem value='v2'>
-
-:::note
-Some endpoints in the [Camunda 8 REST API](/apis-tools/camunda-api-rest/camunda-api-rest-overview.md) are considered [alpha features](/components/early-access/alpha/alpha-features.md), and are still in development.
-:::
-
-1. Log in as user 'demo' and store the cookie in the file `cookie.txt`:
-
-```shell
-curl --request POST 'http://localhost:8080/api/login?username=demo&password=demo' \
-  --cookie-jar cookie.txt
+./start.sh --config application.yaml
 ```
 
-2. Send the cookie (as a header) in each API request. In this case, the topology of your Zeebe cluster:
+You are then required to provide basic authentication credentials on API requests, as in the following:
 
 ```shell
-curl --cookie  cookie.txt  localhost:8080/v2/topology
+curl --request POST 'http://localhost:8080/v1/process-definitions/search'  \
+  -u demo:demo \
+  --header 'Content-Type: application/json' \
+  --data-raw '{}'
 ```
 
-</TabItem>
-</Tabs>
-
 ## Shut down Camunda 8 Run
 
 To shut down Camunda 8 Run and end all running processes, run `./shutdown.sh` (or `.\c8run.exe stop` on Windows) from the C8Run directory.