Re: [Architecture] [APIM] Admin REST API to check user role existence

2020-05-05 Thread Thilini Shanika
On Tue, May 5, 2020 at 11:36 AM Vithursa Mahendrarajah 
wrote:

> Hi Meruja,
>
> The Publisher REST APIs for role validation are used to check whether the given
> role exists and the logged-in user has the given role. Here the role is
> taken from the user input, AFAIU the requirement, in this case we need to
> check whether the new user has the subscriber role before changing the
> application owner. Please correct if it is wrong.
>
> Since we need to validate whether the user has only a particular role, we
> do not need to have roleId in the resource path. Shall we have a resource
> name like /user/validate-subscriber-role. WDYT?
>
Yes, you are correct. The requirement we are going to address through the
first API is to check whether the input username of the app owner has a
particular role (subscriber in this case). Hence, the app owner name should be an
input to the first API. So I would suggest modifying the API resource as
follows.
/roles/{roleName}?{UserID}



> Thanks,
> Vithursa
>
>
> On Tue, May 5, 2020 at 9:47 AM Meruja Selvamanikkam 
> wrote:
>
>> Hi All,
>>
>> We are planning to add a REST API endpoint to APIM 3.2.0 Admin REST APIs
>> and the intention is to check the existence of a particular role name
>> (Internal/subscriber) when transferring ownership of an application to a
>> user. We have a similar API in the publisher to check the availability of
>> the role [1].
>> We have to decide the OAuth2 scope which functionalities are used by Admin.
>>
>> The swagger definition for the new endpoint would be as follows:
>>
>> ##
>> # The Role Name Existence
>> ##
>>   /roles/{roleName}:
>>     #-
>>     # The role name existence check resource
>>     #-
>>     head:
>>       security:
>>         - OAuth2Security:
>>             - apim:
>>       summary:
>>         Check given role name already exists
>>       description:
>>         Using this operation, to check whether given role already exists
>>       parameters:
>>         - $ref : '#/parameters/roleName'
>>       responses:
>>         200:
>>           description:
>>             OK.
>>             Requested role name is returned.
>>         404:
>>           description:
>>             Not Found.
>>             Requested role name does not exist.
>>
>> ##
>> # The Role Name Existence for the logged-in user
>> ##
>>   /me/roles/{roleName}:
>>     #-
>>     # Validate role against a user
>>     #-
>>     head:
>>       security:
>>         - OAuth2Security:
>>             - apim:
>>       summary:
>>         Validate whether the logged-in user has the given role
>>       description:
>>         Using this operation, logged-in user can check whether he has given
>>         role.
>>       parameters:
>>         - $ref : '#/parameters/roleName'
>>       responses:
>>         200:
>>           description:
>>             OK.
>>             Logged-in user has the role.
>>         404:
>>           description:
>>             Not Found.
>>             Logged-in user does not have the role.
>>
>> Appreciate any feedback on this and correct me if I am wrong.
>>
>> [1] - [APIM-3.0] Publisher rest API to check a role name existence
>>
>> Thanks & Regards,
>> *S.Meruja* |Software Engineer | WSO2 Inc.
>> (m) +94779650506 | Email: mer...@wso2.com
>> Linkedin:   https://www.linkedin.com/in/meruja
>> 
>> Medium: https://medium.com/@meruja
>> 
>> ___
>> Architecture mailing list
>> Architecture@wso2.org
>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>
>
>
> --
> *Vithursa Mahendrarajah* | Senior Software Engineer | WSO2 Inc
> (m) +94 766 695 643 | (e) vithu...@wso2.com
>
>


-- 
Thilini Shanika
Technical Lead
WSO2, Inc.; http://wso2.com
20, Palmgrove Avenue, Colombo 3
Mobile: +94710892258


Re: [Architecture] [APIM] Admin REST API to check user role existence

2020-05-05 Thread Shammi Jayasinghe
Hi,

If we introduce this API in a way like we have [1] where we can get all the
available roles of the given user, does it create a security risk (anyway,
this is an Admin API, right?)? If we can get all the available roles, we
can validate it at the client side in this case. At the same time, this API
may be very useful in customizations where the user does not need to
specifically pass the role name to validate. WDYT?

[1]
https://is.docs.wso2.com/en/5.9.0/develop/managing-users-and-roles-with-apis/#getrolelistofuser

Thanks
Shammi

On Tue, May 5, 2020 at 1:18 AM Frank Leymann  wrote:

> Dear Meruja,
>
> the URI of the second API (i.e.  /me/roles/{roleName}) is really
> debatable: the intent of the */me* part of the URI seems to be to
> identify the logged-in user, and to me, such a user is a resource. I.e., I
> assume that a user is represented in APIM as a resource (but I didn't check
> the current API), or has a unique UserID - correct?
>
> Thus, the URI of the API should be something like
> .../users/{UserID}?{roleName}  or  /roles/{roleName}?{UserID}.
>
> Best regards,
> Frank
>
>
>
>
> On Tue, 5 May 2020 at 06:17, Meruja Selvamanikkam <mer...@wso2.com> wrote:


-- 
Best Regards,

*  Shammi Jayasinghe*


*Associate Director/ Architect*
*WSO2, Inc.*
*+1-812-391-7730*
*+1-812-327-3505*

*http://shammijayasinghe.blogspot.com*


Re: [Architecture] [APIM] Admin REST API to check user role existence

2020-05-05 Thread Frank Leymann
Dear Meruja,

the URI of the second API (i.e.  /me/roles/{roleName}) is really debatable:
the intent of the */me* part of the URI seems to be to identify the
logged-in user, and to me, such a user is a resource. I.e., I assume that a
user is represented in APIM as a resource (but I didn't check the current
API), or has a unique UserID - correct?

Thus, the URI of the API should be something like
.../users/{UserID}?{roleName}  or  /roles/{roleName}?{UserID}.

Best regards,
Frank




On Tue, 5 May 2020 at 06:17, Meruja Selvamanikkam <mer...@wso2.com> wrote:



Re: [Architecture] [APIM] Admin REST API to check user role existence

2020-05-05 Thread Thilini Shanika
On Tue, May 5, 2020 at 11:36 AM Vithursa Mahendrarajah 
wrote:

> Hi Meruja,
>
> The Publisher REST APIs for role validation are used to check whether the given
> role exists and the logged-in user has the given role. Here the role is
> taken from the user input, AFAIU the requirement, in this case we need to
> check whether the new user has the subscriber role before changing the
> application owner. Please correct if it is wrong.
>
> Since we need to validate whether the user has only a particular role, we
> do not need to have roleId in the resource path. Shall we have a resource
> name like /user/validate-subscriber-role. WDYT?
>
IMO, we shouldn't restrict the API to subscriber user validation only; it's
better to keep it as a generic API which we can reuse in cases of role
validation in future requirements as well (if any).

>
> Thanks,
> Vithursa
>
>
> On Tue, May 5, 2020 at 9:47 AM Meruja Selvamanikkam 
> wrote:
>
>
> --
> *Vithursa Mahendrarajah* | Senior Software Engineer | WSO2 Inc
> (m) +94 766 695 643 | (e) vithu...@wso2.com
>
>


-- 
Thilini Shanika
Technical Lead
WSO2, Inc.; http://wso2.com
20, Palmgrove Avenue, Colombo 3
Mobile: +94710892258


Re: [Architecture] [APIM] Admin REST API to check user role existence

2020-05-05 Thread Vithursa Mahendrarajah
Hi Meruja,

The Publisher REST APIs for role validation are used to check whether the given
role exists and the logged-in user has the given role. Here the role is
taken from the user input, AFAIU the requirement, in this case we need to
check whether the new user has the subscriber role before changing the
application owner. Please correct if it is wrong.

Since we need to validate whether the user has only a particular role, we
do not need to have roleId in the resource path. Shall we have a resource
name like /user/validate-subscriber-role. WDYT?

Thanks,
Vithursa


On Tue, May 5, 2020 at 9:47 AM Meruja Selvamanikkam  wrote:



-- 
*Vithursa Mahendrarajah* | Senior Software Engineer | WSO2 Inc
(m) +94 766 695 643 | (e) vithu...@wso2.com
