API product RBAC #71
Comments
ObjectiveThe objective is to allow API Providers to control who can discover or use APIs through the developer portal. Not all APIs should be visible or usable by all developers that can access a developer portal. BackgroundThere has been a need for API producers to be able to change the access control of documents and usage of an API for a long time. Right now we do not have a good solution in Drupal 8 portals.
When creating an API proxy, an API Key or OAuth policy can be added to the proxy, which forces authentication before the API can be used. The way a developer gets access is by creating an App in the developer portal. This app contains credentials to use the app. Sidenote: An API Product creates an indirect relationship to API Proxies for flexibility on what is exposed to a developer. An API Product may contain only part of an API Proxy, or may contain multiple API Proxies. One point of confusion is that in Apigee Edge, you can create an API Proxy using an OpenAPI spec. However from the developer’s perspective, only API Products are shown. RequirementsRestrict access on reading docs or creating appsAs an API Provider, I only want certain developers or teams of developers to read documentation or use a given API product so that I can hide that API Product from most developers. Examples:
Restrict access to creating appsAs an API Provider, I want any developer or teams of developers to be able to read documentation about a given API product, but want to only allow certain developers to be able to use that API product so that we can add manual or automatic steps before approving access. Examples:
Set access defaults for new API ProductsAs an API provider, I want to set the access control of a new API Product to be hidden for all users except certain people on my team so that developers do not use the product until I have tested it. DesignSince Drupal already has a robust access control system, the plan is to use already existing modules to control access, such as the Permissions by Term module. The current implementation uses a custom entity for API Docs. This solution however does not work well with taxonomy based access control solutions since they usually work with Node entity types. To make things easier, we can make a new 2.x version of API Catalog that uses Node entities instead of a custom entity. We will also need to make changes to the Apigee SmartDocs Plugin for Maven since the endpoint to call for the API will chan API Catalog Changes
Apigee SmartDocs Plugin for Maven
Future RoadmapThe Apigee Edge and Apigee M10n modules have a permission system that works with API Products. Investigate how we use one way to lay out access control for API Products on API Catalog, Apigee Edge, and Apigee M10n modules. |
|
We want to maintain a 8.x-1.0 version with the old approach and 8.x-2.0 with the new content node approach |
|
We don't want to maintain the old version, but do want to give time for anyone that added features on top of the 1.0 version to move to 2.0 version. There would not be any breaking changes if you did not add any custom code, but in case someone does we need to bump major version to follow semantic versioning. |
|
@cnovak Any timeframe on when this will be available? |
|
We are very close to releasing a PR for this, you can subscribe to notifications to check when the PR is pushed up. |
|
@m-khan23 , Have you tried restricting access to your API Docs by changing "View published API docs" permission to a targeted role. So Anonymous users don't get access to it? |
|
@giteshk we aren't looking for a blanket policy. Here is the context: Even if there is a wonky technical work around, we are okay with that for now because as it stands today - we don't have a clean way to go live with API D on 5/4. |
|
@m-khan23 Here is a way you can achieve this. Hope that helps! |
|
@kiranjyoth hey, thanks for the tips. While all other pages respect settings we have applied via the 'Permissions by Term' module, we have never been able to get the API catalog to play nice. I've tried what you have suggested again and no - go. Do you have a running example of this? |
|
@kiranjyoth , @giteshk: @arlina-espinoza just posted PR #71 for this if you want to help review and verify. By creating a new 2.0 version that uses node content type instead of a custom entity, you can use any of the existing node RBAC modules that already exist for nodes. |
…edit node access check.
* [#71] Create apidoc node bundle on install/update. * [#71] Apidoc conversion. * [#71] Apidoc conversion. * [#71] Apidoc conversion. * [#71] Apidoc - node path aliases. * [#71] Apidoc - tests. * [#71] Apidoc - README. * [#71] Apidoc - links/tasks/actions. * [#71] Apidoc - ApiDocsAdminTest. * [#71] Apidoc - ApiDocsJsonApi. * [#71] Apidoc - removing ApiDocsAccessTest as it is covered by core. * [#71] Apidoc - node form validation and conditionals. * [#71] Apidoc - add back the ApiDocFileLink constraint. * Update README.md Co-authored-by: Chris Novak <[email protected]> * Update apigee_api_catalog.install Co-authored-by: Chris Novak <[email protected]> * Update config/optional/views.view.apigee_api_catalog.yml Co-authored-by: Chris Novak <[email protected]> * Update config/optional/views.view.api_catalog_admin.yml Co-authored-by: Chris Novak <[email protected]> * [#71] Apidoc - replace "reimport apidoc specs" permission with edit node access check. * [#71] Apidoc - remove API product field, show body in display. * [#71] Apidoc - updtes to the spec fetcher form and logic. * [#71] Apidoc - fixing schema errors so tests can run with schema validation. * [#71] Apidoc - removing Apigee Edge module dependency. * [#71] Apidoc - fixing SmartdocRoutingTest. * [#71] Apidoc - phpcs and deprecation fixes. * [#71] Apidoc - README refers RBAC section to drupal.org docs . Co-authored-by: Chris Novak <[email protected]>
|
Closed by #84 , which implements the API Catalog functionality using a node type, making it possible to use permissions by term or other node access control modules from contrib to implement RBAC. |
* [#71] Create apidoc node bundle on install/update. * [#71] Apidoc conversion. * [#71] Apidoc conversion. * [#71] Apidoc conversion. * [#71] Apidoc - node path aliases. * [#71] Apidoc - tests. * [#71] Apidoc - README. * [#71] Apidoc - links/tasks/actions. * [#71] Apidoc - ApiDocsAdminTest. * [#71] Apidoc - ApiDocsJsonApi. * [#71] Apidoc - removing ApiDocsAccessTest as it is covered by core. * [#80] Allow updating from 1.x branch, and import config to create node type and fields, etc. * [#80] Moving logic to an update service. * [#80] Update step 8802 successful. * [#80] Update steps complete correctly. * [#80] Code sniffer fixes. * [#80] Fieldname and values fix. * [#80] Remove some merged code. * [#80] Fixes from the scenario where 1.x was never installed.
Share with chat channel so that Andrew P and others can review it.
The text was updated successfully, but these errors were encountered: