Hi,

This is related to public JIRA :
https://wso2.org/jira/browse/APIMANAGER-5384

In API Publisher, there is a table to show “Top API Users”. It shows the
users who have used the API most frequently.

In the example below, “stuer1” and “stuer2” are users in the super tenant
space while “hruser1” and “hruser2” are users in a separate tenant (i.e. -
hr.com).

[image: Inline image 4]

When we click the name of the user, it shows the details of the user (i.e.
- profile details).

[image: Inline image 3]

In a multi-tenant environment, it only shows the profiles of the same
tenant. It does not show the profile details of users from other tenants.
The reason for the issue is that the code is using super tenant credentials to
retrieve the user profile of a tenant user [1].

*Question: In a multi-tenant environment, is it OK to show the details of
the users (i.e. - profile) in other tenants?*

As per the discussions we had with the APIM and IS teams (got to know that the
code does not allow viewing user details across tenants), there were a few
opinions.

*Option 1* - If we allow this, it violates the tenant boundary. Hence we
should not show profile details. (or show profiles of users from same
tenant *only*)

*Option 2* - The requirement is OK. We should support viewing user profiles
across tenants.

We have done the following to check if we can get the profile of a user
from another tenant, but it failed, so if we are going to support this
requirement, is there a way we can achieve this?

// Resolve the tenant of the user whose profile is requested and load that
// tenant's admin credentials from its realm configuration.
String tenantDomain =
        MultitenantUtils.getTenantDomain(APIUtil.replaceEmailDomainBack(username));
int tenantId = ServiceReferenceHolder.getInstance().getRealmService().getTenantManager()
        .getTenantId(tenantDomain);
String tenantAdminUserName = ServiceReferenceHolder.getInstance().getRealmService()
        .getTenantUserRealm(tenantId).getRealmConfiguration().getAdminUserName();
String tenantAdminPassword = ServiceReferenceHolder.getInstance().getRealmService()
        .getTenantUserRealm(tenantId).getRealmConfiguration().getAdminPassword();

// Then used the credentials of the tenant admin like this.
CarbonUtils.setBasicAccessSecurityHeaders(tenantAdminUserName,
        tenantAdminPassword, gatewayServiceClient);

UserProfileDTO[] profiles = stub.getUserProfiles(username);
for (UserProfileDTO dto : profiles) {
    if (APIConstants.USER_DEFAULT_PROFILE.equals(dto.getProfileName())) {
        return dto;
    }
}
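For comparison, this is what Option 1 (keep the tenant boundary) looks like as a check placed in front of the profile lookup. It is an added illustration, not carbon-apimgt code: the class, the viewer/target parameters and the simplified tenant-domain parsing (a stand-in for MultitenantUtils.getTenantDomain) are assumptions; the usernames are the ones from the screenshot described above.

```java
import java.util.Locale;

/**
 * Tenant-boundary check for the "Top API Users" profile lookup (Option 1).
 * Hypothetical helper, not carbon-apimgt code; the tenant-domain parsing is
 * a simplified stand-in for MultitenantUtils.getTenantDomain.
 */
public final class TenantBoundaryCheck {

    static final String SUPER_TENANT_DOMAIN = "carbon.super";

    /** Domain after the last '@' of a qualified username; none means super tenant. */
    static String getTenantDomain(String username) {
        int at = username.lastIndexOf('@');
        if (at < 0 || at == username.length() - 1) {
            return SUPER_TENANT_DOMAIN;
        }
        return username.substring(at + 1).toLowerCase(Locale.ROOT);
    }

    /**
     * The boundary is derived from the viewer's tenant, not from the target
     * username: resolving the target's tenant and then using that tenant's
     * admin credentials (as in the attempt above) would let any tenant read
     * every other tenant's profiles.
     */
    static boolean mayViewProfile(String viewer, String target) {
        return getTenantDomain(viewer).equals(getTenantDomain(target));
    }

    /** Refuse the lookup explicitly instead of silently returning no profile. */
    static String profileLookupTarget(String viewer, String target) {
        if (!mayViewProfile(viewer, target)) {
            throw new SecurityException("cross-tenant profile lookup refused for " + target);
        }
        return target;
    }

    public static void main(String[] args) {
        // Constructed sample: viewer -> target pairs built from the users above.
        String[][] cases = {
            {"admin", "stuer1"},                // super tenant -> super tenant: allowed
            {"admin", "hruser1@hr.com"},        // super tenant -> hr.com: refused
            {"admin@hr.com", "hruser2@hr.com"}, // hr.com -> hr.com: allowed
            {"admin@hr.com", "stuer2"},         // hr.com -> super tenant: refused
        };
        for (String[] c : cases) {
            System.out.printf("%-14s -> %-18s %s%n", c[0], c[1],
                    mayViewProfile(c[0], c[1]) ? "allowed" : "refused");
        }
    }
}
```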

Please share your ideas on this.

Thanks.

[1]
https://github.com/wso2/carbon-apimgt/blob/master/components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/utils/APIUtil.java#L2210-2210


-- 
Chamin Dias
*Software Engineer*
Mobile : +94 (0) 716 097455
Email : [email protected]
Blog : https://chamindias.wordpress.com/
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev