> On May 15, 2019, at 4:16 PM, Fieck, Brennan <brennan_fi...@comcast.com> wrote:
>
> You could just set tenant permissions based on the owning tenant of the
> Delivery Service.
> Should the child of a tenant be able to modify cache assignments of said
> tenant's Delivery Services?
> I wouldn't think so.
EF> Isn’t this what the capabilities are for? If a user has
“cacheassignmentgroup-write” capability, then they can modify the assignments
for any delivery services in that tenant
> ________________________________________
> From: Jeremy Mitchell <mitchell...@gmail.com>
> Sent: Wednesday, May 15, 2019 1:22 PM
> To: dev@trafficcontrol.apache.org
> Subject: [EXTERNAL] Re: [PROPOSAL] Cache Assignment Group REST API
>
> example tenant tree:
>
> root
> - 1 (foo)
> -- 1.1 (bar)
> - 2 (baz)
> -- 2.1 (bee)
> --- 2.1.1 (bang)
> -- 2.2 (bop)
>
> the foo ds belongs to tenant 1, bar ds belongs to tenant 1.1, etc.
>
> a CGA is created with tenantId=2 which means it can only have the baz, bee,
> bang and bop ds's in it. John belongs to the 2 tenant and adds all 4 (baz,
> bee, bang, bop).
>
> Sally belongs to the 2.1 tenant, and only sees [bee, bang] in the CGA and
> does an update with [], so it blows away bee (the ds in her tenant) and
> bang (plus any child tenant ds's)
>
> Linda belongs to the 2.1.1 tenant, and sees [] in the CGA (because sally
> blew them all away) and does an update with [goo]. now the CAG has baz and
> goo ds's.
>
> so basically, a user can only modify the ds's that they can see based on
> their tenant (and subtenants). and a CAG can only have certain ds's in it
> based on it's tenant...
>
> I "think" that would work....sounds a bit complicated but i really feel
> like tenancy probably belongs on a CAG because of its relationship with
> ds's. plus, then it would be nice to create CAG's for tenants. for example,
> create a trial tenant and some trial ds's and some trial users and they
> have no choice but to use the trial CAG that has 2 caches in it or
> something.
>
> jeremy
>
> On Wed, May 15, 2019 at 1:01 PM Eric Friedrich -X (efriedri - TRITON UK
> BIDCO LIMITED c/o Alter Domus (UK) Limited -OBO at Cisco)
> <efrie...@cisco.com.invalid> wrote:
>
>> What if the tenantId on the cacheassignmentgroup does not match the
>> tenantID on one of the included delivery services?
>>
>> On May 15, 2019, at 2:55 PM, Jeremy Mitchell <mitchell...@gmail.com>
>> wrote:
>>>
>>> I got an idea. If you made a cachegroupassignment a "tenantable"
>> resource,
>>> you could avoid the problem i mentioned above (having ds's hidden for
>>> tenancy reasons). so this instead:
>>>
>>> {"id": 1,
>>> "name": "name1",
>>> "description": "description1",
>>> tenantId: 2,
>>> "cdnId": 1,
>>> "servers": [1,2,...n],
>>> "deliveryServices": [10, 20, 30, 35]
>>> "lastUpdated": "",
>>> }
>>>
>>> this has a nice benefit as well. i.e. certain tenants (content providers)
>>> have access to certain cachegroupassignment configurations.
>>>
>>> jeremy
>>>
>>>
>>>
>>>
>>> On Wed, May 15, 2019 at 12:43 PM Jeremy Mitchell <mitchell...@gmail.com>
>>> wrote:
>>>
>>>> Just be careful that a GET /api/1.4/cacheassignmentgroups?id=4 doesn't
>>>> return a filtered list of delivery services because of tenancy
>>>>
>>>> {"id": 1,
>>>> "name": "name1",
>>>> "description": "description1",
>>>> "cdnId": 1,
>>>> "servers": [1,2,...n],
>>>> "deliveryServices": [10, 20, 30], <-- maybe there are really 5 delivery
>>>> services but 2 of them (40 and 50) are hidden from you due to tenancy
>>>> "lastUpdated": "",
>>>> }
>>>>
>>>> and a subsequent PUT with the same json (plus a new delivery service
>> that
>>>> is added):
>>>>
>>>> {"id": 1,
>>>> "name": "name1",
>>>> "description": "description1",
>>>> "cdnId": 1,
>>>> "servers": [1,2,...n],
>>>> "deliveryServices": [10, 20, 30, 35]
>>>> "lastUpdated": "",
>>>> }
>>>>
>>>> doesn't wipe out 40 and 50.
>>>>
>>>> if you do this, it begs the question. how do you remove ALL ds
>> assignments
>>>> from a cache assignment group?
>>>>
>>>> also, how about
>>>>
>>>> DELETE /api/1.4/cacheassignmentgroups?id=
>>>>
>>>> instead of
>>>>
>>>> DELETE /api/1.4/cacheassignmentgroups/{id}
>>>>
>>>> jeremy
>>>>
>>>> On Wed, May 15, 2019 at 12:22 PM Eric Friedrich -X (efriedri - TRITON UK
>>>> BIDCO LIMITED c/o Alter Domus (UK) Limited -OBO at Cisco)
>>>> <efrie...@cisco.com.invalid> wrote:
>>>>
>>>>> Feature description
>>>>>
>>>>> --------------------
>>>>>
>>>>> Mail Thread:
>>>>>
>> https://lists.apache.org/thread.html/35ee49f4be1c30ff4a12c71e02897aee0e0d3d2f356640ab69ba247e@%3Cdev.trafficcontrol.apache.org%3E
>>>>> <
>>>>>
>> https://lists.apache.org/thread.html/35ee49f4be1c30ff4a12c71e02897aee0e0d3d2f356640ab69ba247e@
>>>>> <dev.trafficcontrol.apache.org>>
>>>>>
>>>>> Github Issue: https://github.com/apache/trafficcontrol/issues/3557
>>>>>
>>>>>
>>>>> API Proposal
>>>>>
>>>>> ------------
>>>>>
>>>>> POST,GET /api/1.4/cacheassignmentgroups/
>>>>>
>>>>> PUT /api/1.4/cacheassignmentgroups/{id}
>>>>>
>>>>> {"id": 1,
>>>>> "name": "name1",
>>>>> "description": "description1",
>>>>> "cdnId": 1,
>>>>> "servers": [1,2,...n],
>>>>> "deliveryServices": [10, 20, 30],
>>>>> "lastUpdated": "",
>>>>> }
>>>>>
>>>>>
>>>>> DELETE /api/1.4/cacheassignmentgroups/{id}
>>>>>
>>>>> -- No request body
>>>>>
>>>>> This API is tenant-aware by delivery service.
>>>>>
>>>>> Query Parameters (all optional)
>>>>> If multiple filter parameters are specified, they are AND'd together
>>>>> - id: Filter for a specific entry
>>>>> - servers: Filter all entries containing this server
>>>>> - deliveryService: Filter all entries containing this DS
>>>>>
>>>>> - limit: Return maximum number of entries (default 20)
>>>>> - page: Return page n, with each page having limit number of entries
>>>>> (default 0)
>>>>>
>>>>> Body Parameters:
>>>>> - id: Numeric identifier, automatically assigned on creation.
>> [Read-Only,
>>>>> not allowed in PUT/POST]
>>>>> - name: Name of the cache assignment group
>>>>> - description Description of the cache assignment group
>>>>> - cdnId: ID of the CDN the cache assignment group belongs to
>>>>> - servers: List of server IDs.
>>>>> - deliveryServices: List of delivery service IDs. All caches in the
>>>>> servers list will be assigned to these delivery services
>>>>> - lastUpdated: Timestamp this cache assignment group was last updated.
>>>>> [Read-Only, not allowed in PUT/POST]
>>>>>
>>>>>
>>
>>
