Gateway Visibility Control in Dev Portal #3378

Open
npamudika opened this issue Nov 22, 2024 · 8 comments


npamudika commented Nov 22, 2024

Problem

Currently, there is no way to restrict access to the gateways based on the gateway deployment region for the APIs in the Dev Portal.
That means User A, who belongs to region A, should only see the gateways that belong to region A, and not the gateways from regions B and C.

Solution

There should be a visibility control mechanism for the gateways based on the roles, so that the roles can be assigned to the users in each region and when showing the gateway URLs for the APIs in the Dev Portal, the visibility control can be done based on the regions.

Affected Component

APIM

Version

APIM 4.5.0


npamudika commented Nov 25, 2024

Did a background search for the gateway visibility control based on the regions and came up with the following approach.

Introduce a new property to the gateway environment configurations at the deployment.toml to capture the gateway visibility roles as below.

[[apim.gateway.environment]]
name = "gateway-1"
type = "hybrid"
visibility = ["role-1","role-2","role-3"]
gateway_type = "Regular"
provider = "wso2"
display_in_api_console = true
description = "This is a hybrid gateway that handles both production and sandbox token traffic."
show_as_token_endpoint_url = true
service_url = "https://localhost:${mgt.transport.https.port}/services/"
username = "${admin.username}"
password = "${admin.password}"
ws_endpoint = "ws://localhost:9099"
wss_endpoint = "wss://localhost:8099"
http_endpoint = "http://localhost:${http.nio.port}"
https_endpoint = "https://localhost:${https.nio.port}"
websub_event_receiver_http_endpoint = "http://localhost:9021/"
websub_event_receiver_https_endpoint = "https://localhost:8021/"

[[apim.gateway.environment]]
name = "gateway-2"
type = "hybrid"
visibility = ["role-1"]
gateway_type = "Regular"
provider = "wso2"
display_in_api_console = true
description = "This is a hybrid gateway that handles both production and sandbox token traffic."
show_as_token_endpoint_url = true
service_url = "https://localhost:${mgt.transport.https.port}/services/"
username = "${admin.username}"
password = "${admin.password}"
ws_endpoint = "ws://localhost:9099"
wss_endpoint = "wss://localhost:8099"
http_endpoint = "http://localhost:${http.nio.port}"
https_endpoint = "https://localhost:${https.nio.port}"
websub_event_receiver_http_endpoint = "http://localhost:9021/"
websub_event_receiver_https_endpoint = "https://localhost:8021/"

Provide a way to do a gateway-role mapping via the Admin portal as well.

The roles incorporated to each gateway environment (via the deployment.toml or at the Admin portal UI) can be used to do the gateway visibility control for the APIs. If the visibility is set at the deployment.toml, it will be shown under the environments section in the Admin portal and vice versa.

Filter and show the gateway URLs in the Dev Portal based on the roles assigned for the logged-in user.
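
An added example, not part of the comment above and not code from carbon-apimgt: server-side filtering of gateway environments by the caller's roles, using the role lists from the proposed `visibility` property. The `GatewayEnv` type, the function names, `gateway-3`, the endpoint hosts, and the handling of a missing or empty `visibility` list are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class GatewayEnv:
    name: str
    https_endpoint: str
    # None means the `visibility` key is absent from the environment entry.
    visibility: Optional[Tuple[str, ...]] = None


# Constructed sample. gateway-1 and gateway-2 carry the role lists from the
# proposal; gateway-3 and all endpoint hosts are hypothetical.
ENVIRONMENTS = [
    GatewayEnv("gateway-1", "https://gw1.example.test:8243", ("role-1", "role-2", "role-3")),
    GatewayEnv("gateway-2", "https://gw2.example.test:8243", ("role-1",)),
    GatewayEnv("gateway-3", "https://gw3.example.test:8243"),
]


def is_visible(env: GatewayEnv, user_roles: Iterable[str]) -> bool:
    if env.visibility is None:
        # Assumption: no visibility key keeps today's behaviour (shown to all).
        return True
    # An explicit empty list matches no role, so it hides the gateway from all.
    # Roles are compared as exact, case-sensitive strings (assumption).
    return bool(set(env.visibility) & set(user_roles))


def visible_environments(envs, user_roles) -> List[GatewayEnv]:
    roles = tuple(user_roles or ())  # anonymous caller: no roles
    return [env for env in envs if is_visible(env, roles)]


def endpoint_for(envs, user_roles, name: str) -> Optional[str]:
    # Look up by name only within the caller's visible set, so asking for a
    # hidden gateway is indistinguishable from asking for a missing one.
    for env in visible_environments(envs, user_roles):
        if env.name == name:
            return env.https_endpoint
    return None


if __name__ == "__main__":
    for roles in (["role-1"], ["role-2"], []):
        print(roles, [e.name for e in visible_environments(ENVIRONMENTS, roles)])
```

The filter has to run in the backend response path: hiding URLs only in the Dev Portal UI would still leave them readable from the REST API response.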


npamudika commented Nov 26, 2024


npamudika commented Nov 27, 2024

Sub Tasks -

  • Check on the KM visibility feature in API manager
  • Design the DB with schema changes
  • Implement the DB layer with schema changes
  • Implement API changes in the backend
  • Restrict or control GW URLs for the APIs at the Developer portal (Including the Developer portal UI changes for both the API Overview and API Console pages)
  • Design the UI changes for Admin and Publisher portals
  • Implement Admin UI changes for the feature - At the Gateway Environments page with Add/Edit/View capabilities for the visibility
  • Implement the Publisher UI changes to show the visibility roles for the gateway environments at the Deployments page
  • Write UI Integration test
  • Write Integration test
  • Handle migration changes
  • Documentation for the feature

@npamudika

Came up with the following DB schema changes for the feature.

-- Gateway Environments Table --
CREATE TABLE IF NOT EXISTS AM_GATEWAY_ENVIRONMENT (
           ID INTEGER NOT NULL AUTO_INCREMENT,
           UUID VARCHAR(45) NOT NULL,
           NAME VARCHAR(255) NOT NULL,
           DISPLAY_NAME VARCHAR(255) NULL,
           TYPE VARCHAR(255) NULL,
           VISIBILITY VARCHAR (1024) NULL,
           DESCRIPTION VARCHAR(1023) NULL,
           PROVIDER VARCHAR(255) NOT NULL,
           GATEWAY_TYPE VARCHAR(255) NOT NULL,
           ORGANIZATION  VARCHAR(255) NOT NULL,
           UNIQUE (NAME, ORGANIZATION),
           UNIQUE (UUID),
           PRIMARY KEY (ID)
);

@npamudika

Working on the backend implementation for the feature atm. Firstly the visibility configuration will be handled via the deployment.toml.

@npamudika

I have completed the visibility configurations set via the deployment.toml and am working on the GW URL retrieval part at the Dev Portal.

@npamudika

I have completed the relevant backend API changes to handle the gateway environment visibility.

Facing some issues when showing the environments at the API Console page in the Dev Portal as the environments are retrieved via the endpoints currently [1] and we are considering the visibility for the environments here. Checking the APIConsole page implementation [1] and relevant backend changes [2], [3] to get it fixed.

[1] https://github.com/wso2/apim-apps/blob/main/portals/devportal/src/main/webapp/source/src/app/components/Apis/Details/ApiConsole/ApiConsole.jsx#L189
[2] https://github.com/wso2/carbon-apimgt/blob/master/components/apimgt/org.wso2.carbon.apimgt.rest.api.store.v1/src/main/java/org/wso2/carbon/apimgt/rest/api/store/v1/mappings/APIMappingUtil.java#L466
[3] https://github.com/wso2/carbon-apimgt/blob/master/components/apimgt/org.wso2.carbon.apimgt.rest.api.store.v1/src/main/java/org/wso2/carbon/apimgt/rest/api/store/v1/mappings/APIMappingUtil.java#L529

@npamudika

Solved the issue faced while retrieving the GW environments at the Dev Portal.

Added a draft PR [1] with the current implementation changes. Testing the flows atm and refactoring/improving the code changes.

Will be starting with the Admin UI changes as the next step.

[1] wso2/carbon-apimgt#12722
