On Wed, Jan 13, 2016 at 12:32 PM, Amalka Subasinghe <[email protected]> wrote:
> Hi Nuwan,
>
> We need APIM support to show subscribed APIs when there's 1 user assigned
> to 2 user groups.
>
> *Our current AF APIM integration flow works as follows.*
>
> Let's say we have a tenant foo.com and users - appowner1 and developer1.
> appowner1 creates an AF application 'AFapp1' and assigns developer1 as a
> developer of that application.
> According to the current implementation, only appowner1 can subscribe
> to the APIM API.
> [When appowner1 logs in to APIM, we create an application 'AFapp1' in
> APIM side, and by selecting that application appowner1 can subscribe to an API.]
> Then appowner1 can see subscribed APIs in AF side, whereas developers can't
> see that API.
>
> So we need to implement APIM group subscriptions in AF.
> To implement it we have to set the organization claim (e.g.
> 'foo.com_AFapp1') for appowner1 and developer1.
> Then both users can see the subscribed API.
>
> *We have another use case;*
> Basically our user grouping happens per AF application, and 1 user can be
> in 2 groups.
>
> Let's say appowner1 creates another application, AFapp2.
> Then appowner1 belongs to 2 user groups. So we need to assign two
> values for the organization claim (foo.com_AFapp1, foo.com_AFapp2).
> appowner1 wants to see subscribed APIs in APIM side based on those 2
> organizations.
>
> As far as I know, APIM does not support this when there is more than 1 group
> assigned for the organization claim.
> But this is a required use case for the AF/cloud, and we can't customize
> the GroupingExtractor due to maintainability issues in cloud.
>
> Can this improvement be provided by APIM?
>

It can be done. But we've already done product plans for releases covering
the year. It might take time to get this into the product as a GA release. I
guess the timely solution is to customize the GroupingExtractor. What
maintainability concerns do you have?

If a standard extension point in the product is a maintainability concern, it
makes no sense to have those extension points at all. So I would like to
understand those concerns and improve if possible.

>
> Thanks
> Amalka
>
> On Tue, Jan 12, 2016 at 1:42 PM, Amalka Subasinghe <[email protected]>
> wrote:
>
>> Hi,
>>
>> Currently only the app owner is allowed to subscribe to an API, generate
>> keys and see subscribed APIs, whereas other users are not allowed, as shown
>> in the table below.
>>
>>           | Subscribe to API | Generate Keys | View subscribed APIs in AF side | View Prod keys in AF side | View Sandbox keys in AF side
>> App owner | Y                | Y             | Y                               | Y                         | Y
>> Developer |                  |               |                                 |                           | Y
>> QA        |                  |               |                                 |                           | Y
>> DevOps    |                  |               |                                 | Y                         | Y
>>
>> We want to improve the AF - APIM integration as follows. So we need to
>> implement $subject.
>> 1. Making both app owner and developer able to subscribe to an API and
>> generate keys
>> 2. Making all users able to see subscribed APIs per application
>>
>>           | Subscribe to API | Generate Keys | View subscribed APIs in AF side | View Prod keys in AF side | View Sandbox keys in AF side
>> App owner | Y                | Y             | Y                               | Y                         | Y
>> Developer | Y                | Y             | Y                               |                           | Y
>> QA        |                  |               | Y                               |                           | Y
>> DevOps    |                  |               | Y                               | Y                         | Y
>>
>> *Things to do:*
>>
>> 1. We need to maintain all the users of a particular app as a group.
>>
>> In APIM side they use the http://wso2.org/claims/organization claim to
>> group the users. We have to set this claim (e.g. app key as the value of the
>> claim) when the appowner or developer clicks on the 'Go to API Manager'
>> button.
>> Currently we use a role app_appName to group the users of a particular
>> application in AF. If we use this we have to implement a custom grouping
>> extractor to get the users of a particular group.
>>
>> *Issues:*
>> a. Since we don't set the claim for QA and DevOps users, they
>> can't view subscribed APIs in AF side, and if we add the claim they also
>> will be able to subscribe to APIs and generate keys. So we need to find a
>> way for QA and DevOps users to view subscribed APIs for a particular
>> application.
>> b. With this implementation the Developer can see prod keys also.
>>
>> 2. Make the 'Go to API Manager' and 'Sync Keys' buttons enabled only for
>> appowner and developer.
>> For this we can use the resource permissions we already have.
>>
>> 3. Need to improve/test all the REST calls we do with APIM to work with
>> groups, and fix any issues.
>>
>> - Login - When a user clicks on the 'Go to API Manager' button of a
>> particular app, it should log in to APIM and show the subscribed APIs
>> listed under the selected application.
>> - Create application
>> - Remove application
>> - Get published APIs by application
>> - List subscription
>> - Get applications
>>
>> [1] https://wso2.org/jira/browse/APPFAC-3217
>>
>> Thanks
>> Amalka
>>
>
> --
> Amalka Subasinghe
> Senior Software Engineer
> WSO2 Inc.
> Mobile: +94 77 9401267
>

--
Nuwan Dias
Technical Lead - WSO2, Inc.
http://wso2.com
email : [email protected]
Phone : +94 777 775 729

_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
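
The following is an added example, not part of the thread and not WSO2 APIM or App Factory code. It models the two points the thread raises: an organization claim carrying more than one group, and keeping "can view subscriptions" separate from "can subscribe" so that adding QA and DevOps to a group does not also grant them subscribe and key-generation rights. The comma-separated claim format, the per-group role map, all function names and the API names are assumptions made for illustration.

```python
# Added illustration; names are hypothetical, not WSO2 APIM or App Factory APIs.
ORG_CLAIM = "http://wso2.org/claims/organization"  # claim URI quoted in the thread

# Target matrix from the thread's second table: role -> allowed actions in a group.
ROLE_ACTIONS = {
    "appowner": {"subscribe", "generate_keys", "view_subscriptions",
                 "view_prod_keys", "view_sandbox_keys"},
    "developer": {"subscribe", "generate_keys", "view_subscriptions",
                  "view_sandbox_keys"},
    "qa": {"view_subscriptions", "view_sandbox_keys"},
    "devops": {"view_subscriptions", "view_prod_keys", "view_sandbox_keys"},
}

def extract_groups(claims):
    """Split the organization claim into group ids (assumed comma-separated)."""
    raw = claims.get(ORG_CLAIM, "")
    return {g.strip() for g in raw.split(",") if g.strip()}

def is_allowed(user, action, group):
    """Allow only if the user is in the group AND their role there permits it."""
    if group not in extract_groups(user["claims"]):
        return False
    role = user["roles"].get(group)
    return action in ROLE_ACTIONS.get(role, set())

def visible_subscriptions(user, subscriptions):
    """Subscribed APIs from every group in which the user may view them."""
    return sorted(
        api
        for group, apis in subscriptions.items()
        if is_allowed(user, "view_subscriptions", group)
        for api in apis
    )

# Constructed sample data using the thread's tenant and application names.
SUBSCRIPTIONS = {
    "foo.com_AFapp1": ["WeatherAPI"],
    "foo.com_AFapp2": ["BillingAPI"],
    "bar.com_Other": ["SecretAPI"],
}
APPOWNER1 = {
    "claims": {ORG_CLAIM: "foo.com_AFapp1, foo.com_AFapp2"},
    "roles": {"foo.com_AFapp1": "appowner", "foo.com_AFapp2": "appowner"},
}
QA1 = {
    "claims": {ORG_CLAIM: "foo.com_AFapp1"},
    "roles": {"foo.com_AFapp1": "qa"},
}
```
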
