If we are to check the existence of a specific role, then using a role name is not a good idea. Using a role ID will be a better option. Also, roles usually contain "/", and we will need to check the impact of role name resolution when "/" is present in the name. Have we checked that part? The reason is that "/" has a specific meaning in URLs.
Thanks,
Sanjeewa

On Mon, May 11, 2020 at 3:54 PM Thilini Shanika <[email protected]> wrote:

> Hi Meruja,
>
> I have a few concerns regarding validating the subscriber permissions of
> the input application owner using the default subscriber role (Internal/subscriber).
> Since the REST API and portal access are based on the scope-role mapping
> which is maintained in tenant-conf.json, a subscriber user does not
> necessarily have the *Internal/subscriber* role. If a new role mapping to
> app management and subscription related scopes has been introduced with
> custom roles, then the validation should be done against those roles as well.
>
> Hence, we should be validating whether any of the roles assigned to that
> particular user has bare scope based minimum access to API subscription and
> app management resources. So the validation should be based on the
> role-scope mapping.
>
> i.e.: If the user's role 'roleA' has role-scope mappings for the 'apim:subscribe'
> and 'apim:app_manage' scopes, then that particular user is eligible as a
> new owner of a given application.
> WDYT?
>
> On Wed, May 6, 2020 at 1:29 AM Thilini Shanika <[email protected]> wrote:
>
>> On Tue, May 5, 2020 at 11:36 AM Vithursa Mahendrarajah <[email protected]>
>> wrote:
>>
>>> Hi Meruja,
>>>
>>> The Publisher REST APIs for role validation are used to check whether
>>> the given role exists and the logged-in user has the given role. Here
>>> the role is taken from the user input. AFAIU the requirement, in this case
>>> we need to check whether the new user has the subscriber role before
>>> changing the application owner. Please correct me if this is wrong.
>>>
>>> Since we need to validate whether the user has only a particular role,
>>> we do not need to have roleId in the resource path. Shall we have a
>>> resource name like /user/validate-subscriber-role? WDYT?
>>>
>> Yes, you are correct. The requirement we are going to address through
>> the first API is to check whether the input username of the app owner has a
>> particular role (subscriber in this case). Hence, the app owner name should be an
>> input to the first API. So I would suggest modifying the API resource as
>> follows.
>> /roles/{roleName}?{UserID}
>>
>>> Thanks,
>>> Vithursa
>>>
>>> On Tue, May 5, 2020 at 9:47 AM Meruja Selvamanikkam <[email protected]>
>>> wrote:
>>>
>>>> Hi All,
>>>>
>>>> We are planning to add a REST API endpoint to the APIM 3.2.0 Admin REST
>>>> APIs, and the intention is to check the existence of a particular role name
>>>> (Internal/subscriber) when transferring ownership of an application to a
>>>> user. We have a similar API in the publisher to check the availability
>>>> of the role [1].
>>>> We have to decide on the OAuth2 scope, as these functionalities are used by
>>>> Admin.
>>>>
>>>> The swagger definition for the new endpoint would be as follows:
>>>>
>>>>   ######################################################
>>>>   # The Role Name Existence
>>>>   ######################################################
>>>>   /roles/{roleName}:
>>>>     #-----------------------------------------------------
>>>>     # The role name existence check resource
>>>>     #-----------------------------------------------------
>>>>     head:
>>>>       security:
>>>>         - OAuth2Security:
>>>>           - apim:<To_be_added>
>>>>       summary:
>>>>         Check whether the given role name already exists
>>>>       description:
>>>>         Using this operation, check whether the given role already exists
>>>>       parameters:
>>>>         - $ref: '#/parameters/roleName'
>>>>       responses:
>>>>         200:
>>>>           description:
>>>>             OK.
>>>>             Requested role name is returned.
>>>>         404:
>>>>           description:
>>>>             Not Found.
>>>>             Requested role name does not exist.
>>>>
>>>>   ######################################################
>>>>   # The Role Name Existence for the logged-in user
>>>>   ######################################################
>>>>   /me/roles/{roleName}:
>>>>     #-----------------------------------------------------
>>>>     # Validate role against a user
>>>>     #-----------------------------------------------------
>>>>     head:
>>>>       security:
>>>>         - OAuth2Security:
>>>>           - apim:<To_be_added>
>>>>       summary:
>>>>         Validate whether the logged-in user has the given role
>>>>       description:
>>>>         Using this operation, the logged-in user can check whether he has the
>>>>         given role.
>>>>       parameters:
>>>>         - $ref: '#/parameters/roleName'
>>>>       responses:
>>>>         200:
>>>>           description:
>>>>             OK.
>>>>             Logged-in user has the role.
>>>>         404:
>>>>           description:
>>>>             Not Found.
>>>>             Logged-in user does not have the role.
>>>>
>>>> Appreciate any feedback on this and correct me if I am wrong.
>>>>
>>>> [1] - [APIM-3.0] Publisher REST API to check a role name existence
>>>>
>>>> Thanks & Regards,
>>>> *S.Meruja* | Software Engineer | WSO2 Inc.
>>>> (m) +94779650506 | Email: [email protected]
>>>> Linkedin: https://www.linkedin.com/in/meruja
>>>> Medium: https://medium.com/@meruja
>>>> _______________________________________________
>>>> Architecture mailing list
>>>> [email protected]
>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>
>>>
>>> --
>>> *Vithursa Mahendrarajah* | Senior Software Engineer | WSO2 Inc
>>> (m) +94 766 695 643 | (e) [email protected]
>>>
>>
>> --
>> Thilini Shanika
>> Technical Lead
>> WSO2, Inc.; http://wso2.com
>> 20, Palmgrove Avenue, Colombo 3
>> Mobile: +94710892258
>>
>
> --
> Thilini Shanika
> Technical Lead
> WSO2, Inc.; http://wso2.com
> 20, Palmgrove Avenue, Colombo 3
> Mobile: +94710892258
>

--
*Sanjeewa Malalgoda*
Software Architect | Associate Director, Engineering - WSO2 Inc.
(m) +94 712933253 | (e) [email protected] | (b) Blogger <http://sanjeewamalalgoda.blogspot.com>, Medium <https://medium.com/@sanjeewa190>
GET INTEGRATION AGILE
Integration Agility for Digitally Driven Business
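The two eligibility checks debated in this thread (the fixed Internal/subscriber role-name check in the original proposal and Thilini's role-scope-mapping check), together with the path-segment problem Sanjeewa raises for role names containing "/", as an added Python example. This is not WSO2 code: the tenant-conf.json mapping, roles and scopes below are constructed for illustration, its shape (RESTAPIScopes/Scope with Name and Roles) is an assumption, the union-of-roles rule is an assumed reading of "any of the roles assigned to that user", and the regex route stands in for a real JAX-RS router.

```python
"""Added example, not WSO2 code: the two ownership-transfer checks from the
thread and the URL-path problem with '/' in role names such as Internal/subscriber.
The role-scope mapping is constructed; its shape follows the RESTAPIScopes block
of tenant-conf.json (an assumption), but the roles and scopes are made up."""
import re
from urllib.parse import quote, unquote

# Scopes a new application owner must hold, as proposed in the thread.
REQUIRED_SCOPES = frozenset({"apim:subscribe", "apim:app_manage"})

# Constructed tenant-conf style mapping (assumed shape: RESTAPIScopes/Scope/{Name, Roles}).
TENANT_CONF = {
    "RESTAPIScopes": {
        "Scope": [
            {"Name": "apim:subscribe", "Roles": "Internal/subscriber,roleA"},
            {"Name": "apim:app_manage", "Roles": "Internal/subscriber,roleA"},
            {"Name": "apim:api_view", "Roles": "Internal/publisher,roleB"},
        ]
    }
}


def role_scope_mapping(tenant_conf):
    """Invert the scope -> comma-separated roles list into {role: set(scopes)}."""
    mapping = {}
    for entry in tenant_conf["RESTAPIScopes"]["Scope"]:
        for role in (r.strip() for r in entry["Roles"].split(",")):
            if role:
                mapping.setdefault(role, set()).add(entry["Name"])
    return mapping


def has_role(user_roles, role_name="Internal/subscriber"):
    """Original proposal: the new owner must hold one fixed role name."""
    return role_name in set(user_roles)


def is_eligible_owner(user_roles, tenant_conf, required=REQUIRED_SCOPES):
    """Role-scope proposal: the scopes granted by the user's roles (union over
    all roles, an assumed reading of the thread) must cover the required set,
    whatever the roles happen to be called."""
    mapping = role_scope_mapping(tenant_conf)
    granted = set()
    for role in user_roles:
        granted |= mapping.get(role, set())
    return required <= granted


# A single-segment route for /roles/{roleName}; stands in for the real router.
ROLE_ROUTE = re.compile(r"^/roles/([^/]+)$")


def role_existence_path(role_name):
    """Client side: percent-encode '/' so the role name stays one path segment."""
    return "/roles/" + quote(role_name, safe="")


def route_role_name(path):
    """Server side: resolve {roleName} from the request path, or None if no match."""
    m = ROLE_ROUTE.match(path)
    return unquote(m.group(1)) if m else None


if __name__ == "__main__":
    user = ["roleA"]  # custom role mapped to both scopes, no Internal/subscriber
    print("named-role check:", has_role(user))                        # False
    print("role-scope check:", is_eligible_owner(user, TENANT_CONF))  # True
    print(role_existence_path("Internal/subscriber"))   # /roles/Internal%2Fsubscriber
    print(route_role_name("/roles/Internal/subscriber"))  # None: name split into two segments
```

The last two lines show Sanjeewa's concern: an unencoded Internal/subscriber makes `/roles/Internal/subscriber` a two-segment path that the `/roles/{roleName}` route never matches. Percent-encoding fixes the match in this toy router, but a Tomcat-based server rejects `%2F` in the path with 400 by default (the `org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH` property must be set to true), which is why a role ID in the path, or the role name carried in a query parameter or request body, is the safer design.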
