Hi Amila,

I don't understand how appowner sees all the Apps which belong to different groups on the same APIM screen. I tested this in an APIM setup, but when one user has 2 groupIds, he/she could see the Default application only.

On Thu, Jan 14, 2016 at 10:28 AM, Amila De Silva <ami...@wso2.com> wrote:

> Hi Amalka,
>
> Apparently when the AppOwner logs in without a groupId, he/she sees all
> the Apps (even the ones created with different groupIds) in the same
> screen.
> So the problem would only be there for AppDevelopers.
>
> Answering to your query; it depends on how you get the group Id. If we
> assume that SSO is enabled at Store, when trying to login directly to
> Store, users (only talking about App Owners here) will be re-directed to an
> IDP, and whatever the groupId set from IDP will be used for fetching Apps.
> If the IDP doesn't set a groupId, all the apps will be shown.
>
> On Thu, Jan 14, 2016 at 8:35 AM, Amalka Subasinghe <ama...@wso2.com>
> wrote:
>
>> With this Amila's explanation; when an appowner login to the APIM via two
>> different apps of AF, will see two different views in APIM.
>> If the same appowner login to the APIM directly, what will he see in APIM?
>>
>> I believe when a user login to the APIM; (either via AF or directly), he
>> should see the same view every time. (if that user belongs to two different
>> groups he should see all subscriptions belongs to all groups).
>>
>> On Wed, Jan 13, 2016 at 11:05 PM, Amila De Silva <ami...@wso2.com> wrote:
>>
>>> Hi Danushka/Amalka,
>>>
>>> It's not that the scenario of user belonging to two or more groups is
>>> not supported in the current version. It's only that the way it currently
>>> happens slightly differs from how you need it.
>>>
>>> What we are basically trying to achieve is, displaying Apps,
>>> subscriptions when user belongs to two or more groups. A single user can
>>> have many group Ids, but in a single session user can only have one group
>>> Id.
>>> AFAIU, with the existing implementation following can be achieved;
>>> 1. AppOwner creates 2 Apps in AppF , App1 (with groupId as
>>> appowner1_app1) and App2 (groupId being appowner1_app2).
>>> 2. I assume Apps in APIM gets automatically created while doing 1.
>>> 3. AppOwner selects App1 in AppF and tries to see the relevant App in
>>> APIM.
>>> 4. AppOwner is re-directed to API Store with groupId set as
>>> appowner1_app1 (need to discuss how/where this is set)
>>> 5. AppOwner is logged into the Store as a user with groupId
>>> appowner1_app1, therefore only sees App1.
>>> 6. AppOwner logs out from Store.
>>> 7. AppOwner goes to AppF and selects App2, follows a link that
>>> re-directs to APIMStore.
>>> 8. AppOwner now goes to Store as a user in appowner1_app2 group, so only
>>> sees App2.
>>>
>>> To view each App, user would need to make a trip back to the AppF. It
>>> might be possible to eliminate step 6, and if it's so, we might have to change
>>> subscription.jag (and several other jags) to clear out the groupId set in
>>> the session, and set the one coming with the request. There are few points
>>> that needs to be discussed more with the above steps, but this would be the
>>> way it would look like.
>>>
>>> It's true that the default group Id extractor gets the group Id from
>>> http://wso2.org/claims/organization claim, but it doesn't have to be
>>> like that in every case. In the very first time it was written thinking
>>> that Group ID is coming with the SAML Response sent back from IDp.
>>>
>>> On Wed, Jan 13, 2016 at 6:37 PM, Danushka Fernando <danush...@wso2.com>
>>> wrote:
>>>
>>>> Hi Nuwan
>>>> The issue of adding extension to cloud is we have to add it to API
>>>> cloud and it will affect all API cloud users who don't use APP cloud also.
>>>> And since multiple groups per user seems to be a valid use case how
>>>> complex will this be to implement?
>>>>
>>>> Thanks & Regards
>>>> Danushka Fernando
>>>> Senior Software Engineer
>>>> WSO2 inc. http://wso2.com/
>>>> Mobile : +94716332729
>>>>
>>>> On Jan 13, 2016 3:53 PM, "Lakshman Udayakantha" <lakshm...@wso2.com>
>>>> wrote:
>>>>
>>>>> Hi Nuwan,
>>>>>
>>>>> Even though we have extracted multiple group ids using group id
>>>>> extractor, DAO classes use one group id to extract the applications and
>>>>> subscriptions. I think we have to implement to get all the applications
>>>>> and subscriptions if user are in several groups.
>>>>>
>>>>> Thanks
>>>>>
>>>>> On Wed, Jan 13, 2016 at 2:18 PM, Nuwan Dias <nuw...@wso2.com> wrote:
>>>>>
>>>>>> On Wed, Jan 13, 2016 at 12:32 PM, Amalka Subasinghe <ama...@wso2.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi Nuwan,
>>>>>>>
>>>>>>> We need APIM support to show subscribed API, when there's 1 user
>>>>>>> assigned to 2 user groups.
>>>>>>>
>>>>>>> *Our current AF APIM integration flow works as follows.*
>>>>>>>
>>>>>>> let's say we have a tenant foo.com and users - appowner1 and
>>>>>>> developer1
>>>>>>> App owner1 creates an AF application 'AFapp1' and assign developer1
>>>>>>> as a developer of that application.
>>>>>>> according to the current implementation only the appowner1 can
>>>>>>> subscribe to the APIM API.
>>>>>>> [When appowner1 login to the APIM, we create an application 'AFapp1'
>>>>>>> in APIM side and selecting that application appowner1 can subscribe to
>>>>>>> an API]
>>>>>>> Then appowner1 can see subscribed APIs in AF side, where developers
>>>>>>> can't see that API.
>>>>>>>
>>>>>>> So we need to implement APIM group subscriptions in AF.
>>>>>>> to implement it we have to set the organization claim (as eg:
>>>>>>> 'foo.com_AFapp1') for appowner1 and developer1.
>>>>>>> Then both users can see the subscribed API.
>>>>>>>
>>>>>>> *We have another use case;*
>>>>>>> basically our user grouping happens per AF application and 1 user
>>>>>>> can be in 2 groups
>>>>>>>
>>>>>>> Let's say appowner1 creates another application AFapp2
>>>>>>> then appowner1 is belongs to 2 user groups. So we need to assign two
>>>>>>> values for the organization claim. (foo.com_AFapp1, foo.com_AFapp2)
>>>>>>> appowner1 want to see subscribed API in APIM side based on that 2
>>>>>>> organizations.
>>>>>>>
>>>>>>> As I know, APIM does not support this when there's a more than 1
>>>>>>> group assigned for the organization claim.
>>>>>>> But this is a required use case for the AF/cloud, and we can't
>>>>>>> customize the GroupingExtractor due to maintainability issues in cloud.
>>>>>>>
>>>>>>> Can this improvement provide by APIM?
>>>>>>>
>>>>>>
>>>>>> It can be done. But we've already done product plans for releases
>>>>>> covering the year. It might take time to get this into the product as a
>>>>>> GA release. I guess the timely solution is to customize the
>>>>>> GroupingExtractor.
>>>>>>
>>>>>> What maintainability concerns do you have? If a standard extension
>>>>>> point in the product is a maintainability concern it makes no sense to
>>>>>> have those extension points at all. So I would like to understand those
>>>>>> concerns and improve if possible.
>>>>>>
>>>>>>> Thanks
>>>>>>> Amalka
>>>>>>>
>>>>>>> On Tue, Jan 12, 2016 at 1:42 PM, Amalka Subasinghe <ama...@wso2.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Currently only the app owner allows to subscribed to an API,
>>>>>>>> generate keys and see subscribed APIs, where other users are not
>>>>>>>> allowed as showed in the below table.
>>>>>>>>
>>>>>>>> Columns: Subscribe to API; Generate Keys; View subscribed APIs in AF side;
>>>>>>>> View Prod keys in AF side; View Sandbox keys in AF side
>>>>>>>> App owner: Y Y Y Y Y
>>>>>>>> Developer: Y
>>>>>>>> QA: Y
>>>>>>>> DevOps: Y Y
>>>>>>>>
>>>>>>>> We want to improve the AF - APIM integration as follows. So we need
>>>>>>>> implement $subject.
>>>>>>>> 1. making both app owner and developer can subscribe to an API and
>>>>>>>> generate keys
>>>>>>>> 2. making all users to see subscribed API per application
>>>>>>>>
>>>>>>>> Columns: Subscribe to API; Generate Keys; View subscribed APIs in AF side;
>>>>>>>> View Prod keys in AF side; View Sandbox keys in AF side
>>>>>>>> App owner: Y Y Y Y Y
>>>>>>>> Developer: Y Y Y Y
>>>>>>>> QA: Y Y
>>>>>>>> DevOps: Y Y Y
>>>>>>>>
>>>>>>>> *Things to do:*
>>>>>>>>
>>>>>>>> 1. All the users of a particular app we need to maintain as a
>>>>>>>> group.
>>>>>>>>
>>>>>>>> In APIM side they uses http://wso2.org/claims/organization claim
>>>>>>>> to group the users. We have to set this claim (eg: app key as the
>>>>>>>> value of the claim) when appowner or developer try to click on
>>>>>>>> 'Go to API Manager' button.
>>>>>>>> Currently we use a role app_appName to group the users of a
>>>>>>>> particular application in AF. If we use this we have to implement a
>>>>>>>> custom grouping extractor to get the users of a particular group.
>>>>>>>>
>>>>>>>> *Issues:*
>>>>>>>> a. Since we don't set the claim for QA and DevOps users,
>>>>>>>> they can't view subscribed APIs in AF side, and If we add the claim
>>>>>>>> they also will be able to subscribe to APIs and generate keys. So we
>>>>>>>> need to find a way to view subscribed api for a particular application
>>>>>>>> by QA and Devops users.
>>>>>>>> b. With this implementation Developer can see prod keys also.
>>>>>>>>
>>>>>>>> 2. Make Go to API Manager and Sync Keys buttons enabled only to
>>>>>>>> appowner and developer.
>>>>>>>> For this we can use resource permissions we already have.
>>>>>>>>
>>>>>>>> 3. Need to improve/test all the rest calls we do with APIM to work
>>>>>>>> with groups and fix if there's any issue.
>>>>>>>>
>>>>>>>> - Login - When user clicks on 'Go to API Manager' button of a
>>>>>>>> particular app, it should login to APIM and show the subscribed
>>>>>>>> APIs, listed under selected application.
>>>>>>>> - Create application
>>>>>>>> - Remove application
>>>>>>>> - Get published APIs by application
>>>>>>>> - List subscription
>>>>>>>> - Get applications
>>>>>>>>
>>>>>>>> [1] https://wso2.org/jira/browse/APPFAC-3217
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>> Amalka
>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Amalka Subasinghe
>>>>>>> Senior Software Engineer
>>>>>>> WSO2 Inc.
>>>>>>> Mobile: +94 77 9401267
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> Nuwan Dias
>>>>>>
>>>>>> Technical Lead - WSO2, Inc. http://wso2.com
>>>>>> email : nuw...@wso2.com
>>>>>> Phone : +94 777 775 729
>>>>>>
>>>>>> _______________________________________________
>>>>>> Dev mailing list
>>>>>> Dev@wso2.org
>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>
>>>>>
>>>>> --
>>>>> Lakshman Udayakantha
>>>>> WSO2 Inc. www.wso2.com
>>>>> lean.enterprise.middleware
>>>>> Mobile: *0714388124*
>>>>>
>>>
>>> --
>>> *Amila De Silva*
>>>
>>> WSO2 Inc.
>>> mobile :(+94) 775119302
>>>
>>
>> --
>> Amalka Subasinghe
>> Senior Software Engineer
>> WSO2 Inc.
>> Mobile: +94 77 9401267
>>
>
> --
> *Amila De Silva*
>
> WSO2 Inc.
> mobile :(+94) 775119302
>

--
Amalka Subasinghe
Senior Software Engineer
WSO2 Inc.
Mobile: +94 77 9401267
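
An added illustration, not code from this thread or from WSO2 API Manager: a small Python model of the group-scoped application lookup discussed above, comparing a session that carries one group ID with one that matches every group in a comma-separated organization claim. The `Application` record, the function names, the tenant-prefix check and the sample data are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Application:
    name: str
    owner: str
    group_id: str  # "" means the application has no group

# Constructed sample data using the names from the thread.
APPS = [
    Application("DefaultApplication", "appowner1", ""),
    Application("AFapp1", "appowner1", "foo.com_AFapp1"),
    Application("AFapp2", "appowner1", "foo.com_AFapp2"),
    Application("OtherApp", "someone", "bar.com_Other"),
]

def parse_group_ids(claim_value, tenant_domain):
    """Split a comma-separated organization claim into group IDs.

    Assumption for this example: group IDs have the form
    '<tenant>_<app>', so IDs outside the user's tenant are dropped
    instead of being trusted.
    """
    prefix = tenant_domain + "_"
    parts = (p.strip() for p in (claim_value or "").split(","))
    return frozenset(p for p in parts if p.startswith(prefix))

def visible_apps(apps, user, group_ids):
    """Model of the lookup: with no group, filter by owner;
    with groups, return applications in any of those groups."""
    if not group_ids:
        return sorted(a.name for a in apps if a.owner == user)
    return sorted(a.name for a in apps if a.group_id in group_ids)

if __name__ == "__main__":
    claim = "foo.com_AFapp1, foo.com_AFapp2"
    # One group per session: only that group's application.
    print(visible_apps(APPS, "appowner1", frozenset({"foo.com_AFapp1"})))
    # Whole claim compared as a single ID: matches no group in this model.
    print(visible_apps(APPS, "appowner1", frozenset({claim})))
    # Claim split into its groups: both applications.
    print(visible_apps(APPS, "appowner1", parse_group_ids(claim, "foo.com")))
    # A developer placed in one group sees that application only.
    print(visible_apps(APPS, "developer1", frozenset({"foo.com_AFapp1"})))
```
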