On Thu, May 5, 2016 at 2:32 PM, Kishanthan Thangarajah <kishant...@wso2.com>
wrote:

> Another thing is, should we also work on exposing admin services on one
> listener (probably over HTTPS) and other user APIs on a different listener?
> Maybe we need to bring in some changes to MSF4J core to support this via
> OSGi level service properties and listener IDs.
>

Usually it uses a separate port for admin services so that the port can be
protected with a high level of security. +1 to explore this option.

Thanks!

>
>
> On Thu, May 5, 2016 at 7:39 AM, Afkham Azeez <az...@wso2.com> wrote:
>
>> Will you run admin stuff & user stuff on the same instances? At least
>> shouldn't our recommendation be that admin & user stuff have to be
>> separate, as a best practice?
>>
>> On Wed, May 4, 2016 at 9:12 PM, Hasitha Aravinda <hasi...@wso2.com>
>> wrote:
>>
>>> Hi Manu,
>>>
>>> From my point of view, we have to decide it based on what the API does and
>>> who the actual users involved are.
>>>
>>> In BPS, we have two sets of users: workflow participants and admin
>>> user/devOps of the BPS. Based on these users we can categorize BPS APIs
>>> into two sets.
>>>
>>>    - Admin APIs : There are a few APIs, like the artifact deployer API,
>>>    accessed only by administrators of the server or devOps.
>>>
>>>    - User APIs : BPMN Rest API and HumanTask API are user APIs, because
>>>    these APIs are only accessed by participants of processes and user tasks.
>>>    We can argue that some of the operations are admin operations, but those
>>>    are business admin operations. These resources/operations need to
>>>    be authorized using an ACL, based on the current user and his role in the
>>>    workflow or user-task.
>>>
>>> For example, in HumanTask [1], we have several roles, i.e. Business
>>> Administrator, Potential Owners, Excluded Owners, Stakeholders etc. Based
>>> on the current user and his role in the defined task, the user is authorized
>>> to perform an operation.
>>>
>>> IMO having a clear separation between User API and Admin API may be
>>> important when securing these APIs separately.
>>>
>>> [1] -
>>> http://docs.oasis-open.org/bpel4people/ws-humantask-1.1-spec-cs-01.html#_Toc261430341
>>>
>>> Thanks,
>>> Hasitha.
>>>
>>> On Wed, May 4, 2016 at 7:55 PM, Manuranga Perera <m...@wso2.com> wrote:
>>>
>>>> How do we define an admin vs non-admin API?
>>>> Is getting list of users different from getting the list of processes?
>>>>
>>>> A customer written UI may have to call both. We can argue that some
>>>> things are 100% admin eg: shutdown server. But to me this seems like an
>>>> arbitrary decision.
>>>>
>>>>
>>>> On Wed, May 4, 2016 at 12:14 AM, Hasitha Aravinda <hasi...@wso2.com>
>>>> wrote:
>>>>
>>>>> Another thing, we need to consider exposing different ports for user
>>>>> APIs and Admin APIs to have a clear separation. In C4 all user and admin
>>>>> APIs are exposed in 9443 and 9763. AFAIK this is not supported in the
>>>>> current MSF4J OSGi version.
>>>>>
>>>>> Thanks,
>>>>> Hasitha.
>>>>>
>>>>> On Wed, May 4, 2016 at 9:26 AM, Nandika Jayawardana <nand...@wso2.com>
>>>>> wrote:
>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> In all the Carbon platform versions up to now, we used the 9443 and 9763
>>>>>> ports for admin services for all server products. Are we going to use the
>>>>>> same ports for C5?
>>>>>>
>>>>>> Regards
>>>>>> Nandika
>>>>>>
>>>>>> --
>>>>>> Nandika Jayawardana
>>>>>> WSO2 Inc ; http://wso2.com
>>>>>> lean.enterprise.middleware
>>>>>>
>>>>>> _______________________________________________
>>>>>> Architecture mailing list
>>>>>> Architecture@wso2.org
>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> --
>>>>> Hasitha Aravinda,
>>>>> Senior Software Engineer,
>>>>> WSO2 Inc.
>>>>> Email: hasi...@wso2.com
>>>>> Mobile : +94 718 210 200
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> With regards,
>>>> *Manu*ranga Perera.
>>>>
>>>> phone : 071 7 70 20 50
>>>> mail : m...@wso2.com
>>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>> --
>> *Afkham Azeez*
>> Director of Architecture; WSO2, Inc.; http://wso2.com
>> Member; Apache Software Foundation; http://www.apache.org/
>> email: az...@wso2.com
>> cell: +94 77 3320919
>> blog: http://blog.afkham.org
>> twitter: http://twitter.com/afkham_azeez
>> linked-in: http://lk.linkedin.com/in/afkhamazeez
>>
>> *Lean . Enterprise . Middleware*
>>
>>
>>
>
>
> --
> *Kishanthan Thangarajah*
> Associate Technical Lead,
> Platform Technologies Team,
> WSO2, Inc.
> lean.enterprise.middleware
>
> Mobile - +94773426635
> Blog - http://kishanthan.wordpress.com
> Twitter - http://twitter.com/kishanthan
>
>
>


-- 
Sagara Gunathunga

Architect; WSO2, Inc.;  http://wso2.com
V.P Apache Web Services;    http://ws.apache.org/
Linkedin; http://www.linkedin.com/in/ssagara
Blog ;  http://ssagara.blogspot.com
