Hi Meruja,

I have a few concerns regarding validating the subscriber permissions of
the input application owner using the default subscriber role (Internal
subscriber). Since the REST API and portal access are based on the
scope-role mapping which is maintained in tenant-conf.json, a subscriber
user does not necessarily have the *Internal/subscriber* role. If a new
role mapping to app management and subscription related scopes has been
introduced with custom roles, then the validation should be done against
those roles as well.

Hence, we should be validating whether any of the roles assigned to that
particular user has bare scope based minimum access to API subscription
and app management resources. So the validation should be based on the
role-scope mapping.

i.e.: If the user's role 'roleA' has role-scope mappings for 'apim:subscribe'
and 'apim:app_manage' scopes, then that particular user is eligible as a
new owner of a given application.
WDYT?
On Wed, May 6, 2020 at 1:29 AM Thilini Shanika <[email protected]> wrote:

>
>
> On Tue, May 5, 2020 at 11:36 AM Vithursa Mahendrarajah <[email protected]>
> wrote:
>
>> Hi Meruja,
>>
>> The Publisher REST APIs for role validation are used to check whether the
>> given role exists and the logged-in user has the given role. Here the role is
>> taken from the user input. AFAIU the requirement, in this case we need to
>> check whether the new user has the subscriber role before changing the
>> application owner. Please correct me if it is wrong.
>>
>> Since we need to validate whether the user has only a particular role, we
>> do not need to have roleId in the resource path. Shall we have a resource
>> name like /user/validate-subscriber-role. WDYT?
>>
> Yes, you are correct. The requirement we are going to address through the
> first API is to check whether the input username of the app owner has a
> particular role (subscriber in this case). Hence, the app owner name should be an
> input to the first API. So I would suggest modifying the API resource as
> follows.
> /roles/{roleName}?{UserID}
>
>
>
>> Thanks,
>> Vithursa
>>
>>
>> On Tue, May 5, 2020 at 9:47 AM Meruja Selvamanikkam <[email protected]>
>> wrote:
>>
>>> Hi All,
>>>
>>> We are planning to add a REST API endpoint to APIM 3.2.0 Admin Rest APIs
>>> and the intention is to check the existence of a particular role name
>>> (Internal/subscriber) when transferring ownership of an application to a
>>> user. We have a similar API in the publisher to check the availability of
>>> the role [1].
>>> We have to decide the OAuth2 scope which functionalities are used by
>>> Admin.
>>>
>>> The swagger definition for the new endpoint would be as follows:
>>>
>>> ######################################################
>>> # The Role Name Existence
>>> ######################################################
>>>   /roles/{roleName}:
>>> #-----------------------------------------------------
>>> # The role name existence check resource
>>> #-----------------------------------------------------
>>>     head:
>>>       security:
>>>         - OAuth2Security:
>>>             - apim:<To_be_added>
>>>       summary:
>>>         Check given role name already exists
>>>       description:
>>>         Using this operation, you can check whether the given role already exists
>>>       parameters:
>>>         - $ref : '#/parameters/roleName'
>>>       responses:
>>>         200:
>>>           description:
>>>             OK.
>>>             Requested role name is returned.
>>>         404:
>>>           description:
>>>             Not Found.
>>>             Requested role name does not exist.
>>>
>>> ######################################################
>>> # The Role Name Existence for the logged-in user
>>> ######################################################
>>>   /me/roles/{roleName}:
>>> #-----------------------------------------------------
>>> # Validate role against a user
>>> #-----------------------------------------------------
>>>     head:
>>>       security:
>>>         - OAuth2Security:
>>>             - apim:<To_be_added>
>>>       summary:
>>>         Validate whether the logged-in user has the given role
>>>       description:
>>>         Using this operation, the logged-in user can check whether he has the given role.
>>>       parameters:
>>>         - $ref : '#/parameters/roleName'
>>>       responses:
>>>         200:
>>>           description:
>>>             OK.
>>>             Logged-in user has the role.
>>>         404:
>>>           description:
>>>             Not Found.
>>>             Logged-in user does not have the role.
>>>
>>> Appreciate any feedback on this and correct me if I am wrong.
>>>
>>> [1] - [APIM-3.0] Publisher rest API to check a role name existence
>>>
>>> Thanks & Regards,
>>> *S.Meruja* | Software Engineer | WSO2 Inc.
>>> (m) +94779650506 | Email: [email protected]
>>> Linkedin: https://www.linkedin.com/in/meruja
>>> Medium: https://medium.com/@meruja
>>> _______________________________________________
>>> Architecture mailing list
>>> [email protected]
>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>
>>
>>
>> --
>> *Vithursa Mahendrarajah* | Senior Software Engineer | WSO2 Inc
>> (m) +94 766 695 643 | (e) [email protected]
>>
>>
>
>
> --
> Thilini Shanika
> Technical Lead
> WSO2, Inc.; http://wso2.com
> 20, Palmgrove Avenue, Colombo 3
> Mobile: +94710892258
>
>
>

-- 
Thilini Shanika
Technical Lead
WSO2, Inc.; http://wso2.com
20, Palmgrove Avenue, Colombo 3
Mobile: +94710892258
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
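The role-scope validation proposed at the top of this thread, as an added example that is not part of the mailing-list discussion and not WSO2 code: it reads a constructed `tenant-conf.json` fragment (the `RESTAPIScopes` -> `Scope[]` layout with a scope `Name` and a comma-separated `Roles` string is assumed to match the API-M file), derives the scopes a candidate owner holds through any of their roles, and accepts the user as a new application owner only when both `apim:subscribe` and `apim:app_manage` are covered. The user directory (`alice`, `bob`, `carol`) and the custom role `roleA` are constructed sample data; the `has_default_subscriber_role` check is included only to show how a plain `Internal/subscriber` role-name check rejects a user whose custom role already carries the required scopes.

```python
from __future__ import annotations
import json

# Constructed tenant-conf.json fragment for this example. The structure
# (RESTAPIScopes -> Scope[] with a scope Name and a comma-separated Roles
# string) is an assumption about the WSO2 API-M file, trimmed to three scopes.
TENANT_CONF_JSON = """
{
  "RESTAPIScopes": {
    "Scope": [
      {"Name": "apim:subscribe",   "Roles": "admin,Internal/subscriber,roleA"},
      {"Name": "apim:app_manage",  "Roles": "admin,Internal/subscriber,roleA"},
      {"Name": "apim:api_publish", "Roles": "admin,Internal/publisher"}
    ]
  }
}
"""

# Scopes a user must hold to be accepted as the new owner of an application
# (the two scopes named in the thread).
REQUIRED_OWNER_SCOPES = frozenset({"apim:subscribe", "apim:app_manage"})

# Constructed user directory: which roles each candidate owner holds.
USER_ROLES = {
    "alice": ["Internal/subscriber"],   # default subscriber role
    "bob":   ["roleA"],                 # custom role mapped to both scopes
    "carol": ["Internal/publisher"],    # no subscription/app-management scopes
}


def load_scope_roles(tenant_conf_text: str) -> dict[str, frozenset[str]]:
    """Parse tenant-conf.json into {scope name: set of roles granted that scope}."""
    conf = json.loads(tenant_conf_text)
    mapping: dict[str, frozenset[str]] = {}
    for entry in conf["RESTAPIScopes"]["Scope"]:
        roles = {r.strip() for r in entry["Roles"].split(",") if r.strip()}
        mapping[entry["Name"]] = frozenset(roles)
    return mapping


def scopes_for_roles(user_roles, scope_roles) -> frozenset[str]:
    """Every scope that at least one of the user's roles is mapped to."""
    held = set(user_roles)
    return frozenset(scope for scope, roles in scope_roles.items() if held & roles)


def missing_owner_scopes(user_roles, scope_roles,
                         required=REQUIRED_OWNER_SCOPES) -> frozenset[str]:
    """Required scopes the user's roles do not cover; empty means eligible."""
    return frozenset(required - scopes_for_roles(user_roles, scope_roles))


def is_eligible_owner(user_roles, scope_roles,
                      required=REQUIRED_OWNER_SCOPES) -> bool:
    """Scope-based check: eligible when every required scope is covered."""
    return not missing_owner_scopes(user_roles, scope_roles, required)


def has_default_subscriber_role(user_roles) -> bool:
    """The role-name-only check the thread argues is too narrow."""
    return "Internal/subscriber" in set(user_roles)


if __name__ == "__main__":
    scope_roles = load_scope_roles(TENANT_CONF_JSON)
    for user, roles in USER_ROLES.items():
        print(user,
              "role-name check:", has_default_subscriber_role(roles),
              "scope check:", is_eligible_owner(roles, scope_roles),
              "missing:", sorted(missing_owner_scopes(roles, scope_roles)))
```

Running the block shows `bob` rejected by the role-name check but accepted by the scope check, while `carol` is rejected by both with both required scopes reported as missing; reporting the missing scopes rather than a bare boolean gives the admin API a concrete reason to return when ownership transfer is refused.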
