Hi all,
To perform API Controller (APICTL) operations, a user must have the
required permissions and scopes mentioned in [1]. Currently, we ask users
to create custom roles by assigning the scopes and permissions they need,
referring to [1], which is somewhat complicated. To perform a particular
operation in APICTL, the user must have been assigned a role with the
required permissions and scopes, and this becomes even more complicated as
we introduce new operations to APICTL.
There is a need to simplify the current approach. As a solution to the
issue [2], we can introduce common scopes that can be used to perform a set
of tasks using APICTL. For example:
- Currently, we need the scopes apim:api_import_export and apim:api_view to
perform API import/export related tasks (such as import-api, import-api
with --update, export-api and export-apis, as mentioned in [1]) using the
API Controller.
- We can introduce one common scope for these tasks instead of requiring
the two scopes mentioned above.
Likewise, we can introduce common scopes for other sets of tasks while
still retaining the required granularity. Also, a new role, Internal/devops,
can be introduced which has all the common scopes along with all the
necessary permissions (API Create, API Publish and API Subscribe, as
mentioned in [1]).
When implementing the proposed solution, the following modifications should
be performed.
- The scopes-to-operations mapping will be updated as follows. (The
required permissions will remain as they are in [1], because the new user
role will have all the required permissions.)

| Operation | Current Required Scopes | New Required Scopes (Common Scopes) |
| --- | --- | --- |
| add-env | - | - |
| remove-env | - | - |
| list env | - | - |
| login | - | - |
| logout | - | - |
| list apis | apim:api_view | apim:api_import_export |
| delete api | apim:api_delete, apim:api_view | apim:api_import_export |
| change-status api | apim:api_publish, apim:api_view | apim:api_import_export |
| import-api | apim:api_import_export | apim:api_import_export |
| import-api with --update | apim:api_import_export, apim:api_view | apim:api_import_export |
| export-api | apim:api_import_export | apim:api_import_export |
| export-apis | apim:api_import_export, apim:api_view | apim:api_import_export |
| list api-products | apim:api_view | apim:api_product_import_export |
| delete api-product | apim:api_publish, apim:api_view | apim:api_product_import_export |
| import api-product | apim:api_product_import_export | apim:api_product_import_export |
| import api-product --import-apis | apim:api_product_import_export, apim:api_import_export | apim:api_product_import_export, apim:api_import_export |
| import api-product --update-apis | apim:api_product_import_export, apim:api_import_export | apim:api_product_import_export, apim:api_import_export |
| import api-product --update-api-product | apim:api_product_import_export | apim:api_product_import_export |
| export api-product | apim:api_product_import_export, apim:api_import_export | apim:api_product_import_export, apim:api_import_export |
| list apps | apim:app_owner_change | apim:app_import_export |
| delete app | apim:subscribe, apim:app_manage, apim:app_owner_change | apim:app_import_export |
| import-app | apim:app_import_export | apim:app_import_export |
| export-app | apim:app_import_export | apim:app_import_export |
| get-keys | apim:api_view, apim:subscribe | apim:api_import_export, apim:api_product_import_export, apim:app_import_export |
- The REST APIs that need to be modified are summarised in the table
below.

| REST API | REST API Resource | Existing Scopes in the resource | Updated Scopes |
| --- | --- | --- | --- |
| Admin v1 | POST admin/v1/import/api | apim:admin, apim:api_import_export | apim:admin, apim:api_import_export |
| Admin v1 | GET admin/v1/export/api | apim:admin, apim:api_import_export | apim:admin, apim:api_import_export |
| Admin v1 | POST admin/v1/import/api-product | apim:admin, apim:api_product_import_export | apim:admin, apim:api_product_import_export |
| Admin v1 | GET admin/v1/export/api-product | apim:admin, apim:api_product_import_export | apim:admin, apim:api_product_import_export |
| Admin v1 | GET admin/v1/applications | apim:admin, apim:app_owner_change | apim:admin, apim:app_owner_change, apim:app_import_export |
| Admin v1 | POST admin/v1/import/applications | apim:app_import_export | apim:app_import_export |
| Admin v1 | GET admin/v1/export/applications | apim:app_import_export | apim:app_import_export |
| Publisher v1 | GET publisher/v1/apis | apim:api_view | apim:api_view, apim:api_import_export |
| Publisher v1 | GET publisher/v1/search | apim:api_view | apim:api_view, apim:api_import_export, apim:api_product_import_export, apim:app_import_export |
| Publisher v1 | POST publisher/v1/apis/change-lifecycle | apim:api_publish | apim:api_publish, apim:api_import_export |
| Publisher v1 | DELETE publisher/v1/apis/{apiId} | apim:api_delete | apim:api_delete, apim:api_import_export |
| Publisher v1 | DELETE publisher/v1/api-products/{apiProductId} | apim:api_publish | apim:api_publish, apim:api_product_import_export |
| Store v1 | GET store/v1/applications | apim:subscribe, apim:app_manage | apim:subscribe, apim:app_manage, apim:api_import_export, apim:api_product_import_export, apim:app_import_export |
| Store v1 | GET store/v1/applications/{applicationId} | apim:subscribe, apim:app_manage | apim:subscribe, apim:app_manage, apim:api_import_export, apim:api_product_import_export |
| Store v1 | GET store/v1/subscriptions | apim:subscribe, apim:sub_manage | apim:subscribe, apim:sub_manage, apim:api_import_export, apim:api_product_import_export |
| Store v1 | POST store/v1/applications/{applicationId}/generate-keys | apim:subscribe, apim:app_manage | apim:subscribe, apim:app_manage, apim:api_import_export, apim:api_product_import_export |
| Store v1 | PUT store/v1/applications/{applicationId} | apim:subscribe, apim:app_manage | apim:subscribe, apim:app_manage, apim:api_import_export, apim:api_product_import_export |
| Store v1 | DELETE store/v1/applications/{applicationId} | apim:subscribe, apim:app_manage | apim:subscribe, apim:app_manage, apim:app_import_export |

Note: In the original table, the cells containing scopes that do not need
to be changed were shaded grey; in the text version above these are the
rows whose Updated Scopes are identical to the Existing Scopes.
- The common set of scopes is apim:api_import_export,
apim:api_product_import_export and apim:app_import_export. The Scopes
array in tenant-conf.json should be updated as below for the common scopes
mentioned above, by adding the newly defined role Internal/devops to each
of them.

    "Scopes": [
        ...
        {
            "Name": "apim:app_import_export",
            "Roles": "admin,Internal/devops"
        },
        {
            "Name": "apim:api_import_export",
            "Roles": "admin,Internal/devops"
        },
        {
            "Name": "apim:api_product_import_export",
            "Roles": "admin,Internal/devops"
        },
        ...
    ]
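Every REST resource that gains a common scope in the table above becomes callable by a token that carries only that scope, so the change is also a widening of what each common scope authorises. The following Python script is an added example, not part of this proposal or the product code; it encodes a constructed subset of the REST resource table and lists, per common scope, the resources that become newly reachable. It assumes that a resource is accessible when the token holds at least one of the scopes listed for it.

```python
# Added example (not from the proposal): compare which REST resources a
# token carrying only a proposed common scope can reach before and after
# the scope lists are updated. Assumption: a resource is accessible when
# the token holds at least one of the resource's scopes.

# Constructed subset of the REST resource table:
# resource -> (existing scopes, updated scopes)
RESOURCES = {
    "POST admin/v1/import/api": (
        {"apim:admin", "apim:api_import_export"},
        {"apim:admin", "apim:api_import_export"}),
    "GET admin/v1/applications": (
        {"apim:admin", "apim:app_owner_change"},
        {"apim:admin", "apim:app_owner_change", "apim:app_import_export"}),
    "GET publisher/v1/apis": (
        {"apim:api_view"},
        {"apim:api_view", "apim:api_import_export"}),
    "DELETE publisher/v1/apis/{apiId}": (
        {"apim:api_delete"},
        {"apim:api_delete", "apim:api_import_export"}),
    "DELETE publisher/v1/api-products/{apiProductId}": (
        {"apim:api_publish"},
        {"apim:api_publish", "apim:api_product_import_export"}),
    "DELETE store/v1/applications/{applicationId}": (
        {"apim:subscribe", "apim:app_manage"},
        {"apim:subscribe", "apim:app_manage", "apim:app_import_export"}),
}

COMMON_SCOPES = {"apim:api_import_export", "apim:api_product_import_export",
                 "apim:app_import_export"}


def reachable(token_scopes, use_updated):
    """Resources the token can call under the existing or updated scope lists."""
    idx = 1 if use_updated else 0
    return {res for res, scopes in RESOURCES.items() if token_scopes & scopes[idx]}


def newly_reachable(scope):
    """Resources a token holding only `scope` gains access to after the change."""
    return reachable({scope}, True) - reachable({scope}, False)


if __name__ == "__main__":
    # Print the privilege delta per common scope for review.
    for scope in sorted(COMMON_SCOPES):
        for res in sorted(newly_reachable(scope)):
            print(f"{scope}: newly reachable -> {res}")
```

Reviewing this delta is useful when deciding which users should receive the Internal/devops role, since apim:api_import_export alone would then allow API deletion.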
Your feedback and opinions on this will be much appreciated. Furthermore,
it would be great if a newer and simpler approach could be identified in
addition to the approach stated above.
[1]
https://apim.docs.wso2.com/en/next/learn/api-controller/advanced-topics/creating-custom-users-to-perform-api-controller-operations
[2] https://github.com/wso2/product-apim-tooling/issues/328
Thank you!
--
*Wasura Wattearachchi* | Software Engineer | WSO2 Inc.
(m) +94775396038 | (e) [email protected] | (b) Medium
<https://medium.com/@wasuradananjith>
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture