Gateway Visibility Control in Dev Portal #3378

Open
npamudika opened this issue Nov 22, 2024 · 17 comments


npamudika commented Nov 22, 2024

Problem

Currently, there is no way to restrict access to the gateways based on the gateway deployment region for the APIs in the Dev Portal.
That means User A, who belongs to region A, should only see the gateway that belongs to region A, and not the gateways from regions B and C.

Solution

There should be a visibility control mechanism for the gateways based on the roles, so that the roles can be assigned to the users in each region and when showing the gateway URLs for the APIs in the Dev Portal, the visibility control can be done based on the regions.

Affected Component

APIM

Version

APIM 4.5.0


npamudika commented Nov 25, 2024

Did a background search for the gateway visibility control based on the regions and came up with the following approach.

Introduce a new property to the gateway environment configurations at the deployment.toml to capture the gateway visibility roles as below.

```toml
[[apim.gateway.environment]]
name = "gateway-1"
type = "hybrid"
# Proposed new property: roles that may see this gateway
visibility = ["role-1","role-2","role-3"]
gateway_type = "Regular"
provider = "wso2"
display_in_api_console = true
description = "This is a hybrid gateway that handles both production and sandbox token traffic."
show_as_token_endpoint_url = true
service_url = "https://localhost:${mgt.transport.https.port}/services/"
username = "${admin.username}"
password = "${admin.password}"
ws_endpoint = "ws://localhost:9099"
wss_endpoint = "wss://localhost:8099"
http_endpoint = "http://localhost:${http.nio.port}"
https_endpoint = "https://localhost:${https.nio.port}"
websub_event_receiver_http_endpoint = "http://localhost:9021/"
websub_event_receiver_https_endpoint = "https://localhost:8021/"

[[apim.gateway.environment]]
name = "gateway-2"
type = "hybrid"
# Proposed new property: roles that may see this gateway
visibility = ["role-1"]
gateway_type = "Regular"
provider = "wso2"
display_in_api_console = true
description = "This is a hybrid gateway that handles both production and sandbox token traffic."
show_as_token_endpoint_url = true
service_url = "https://localhost:${mgt.transport.https.port}/services/"
username = "${admin.username}"
password = "${admin.password}"
ws_endpoint = "ws://localhost:9099"
wss_endpoint = "wss://localhost:8099"
http_endpoint = "http://localhost:${http.nio.port}"
https_endpoint = "https://localhost:${https.nio.port}"
websub_event_receiver_http_endpoint = "http://localhost:9021/"
websub_event_receiver_https_endpoint = "https://localhost:8021/"
```

Provide a way to do a gateway-role mapping via the Admin portal as well.

The roles incorporated to each gateway environment (via the deployment.toml or at the Admin portal UI) can be used to do the gateway visibility control for the APIs. If the visibility is set at the deployment.toml, it will be shown under the environments section in the Admin portal and vice versa.

Filter and show the gateway URLs in the Dev Portal based on the roles assigned for the logged-in user.


npamudika commented Nov 26, 2024


npamudika commented Nov 27, 2024

Sub Tasks -

  • Check on the KM visibility feature in API manager
  • Design the DB with schema changes
  • Implement the DB layer with schema changes
  • Implement API changes in the backend
  • Restrict or control GW URLs for the APIs at the Developer portal (Including the Developer portal UI changes for both the API Overview and API Console pages)
  • Design the UI changes for Admin portal
  • Implement Admin UI changes for the feature - At the Gateway Environments page with Add/Edit/View capabilities for the visibility
  • Design the UI changes for Publisher portal
  • Implement the Publisher UI changes to show the visibility roles for the gateway environments at the Deployments page
  • Write UI Integration test
  • Write Integration test
  • Handle migration changes
  • Documentation for the feature

@npamudika

Came up with the following DB schema changes for the feature.

```sql
-- Gateway Environments Table --
CREATE TABLE IF NOT EXISTS AM_GATEWAY_ENVIRONMENT (
    ID INTEGER NOT NULL AUTO_INCREMENT,
    UUID VARCHAR(45) NOT NULL,
    NAME VARCHAR(255) NOT NULL,
    DISPLAY_NAME VARCHAR(255) NULL,
    TYPE VARCHAR(255) NULL,
    VISIBILITY VARCHAR(1024) NULL,
    DESCRIPTION VARCHAR(1023) NULL,
    PROVIDER VARCHAR(255) NOT NULL,
    GATEWAY_TYPE VARCHAR(255) NOT NULL,
    ORGANIZATION VARCHAR(255) NOT NULL,
    UNIQUE (NAME, ORGANIZATION),
    UNIQUE (UUID),
    PRIMARY KEY (ID)
);
```

@npamudika

Working on the backend implementation for the feature atm. Firstly the visibility configuration will be handled via the deployment.toml.

@npamudika

I have completed the visibility configurations set via the deployment.toml and am working on the GW URL retrieval part at the Dev Portal.

@npamudika

I have completed the relevant backend API changes to handle the gateway environment visibility.

Facing some issues when showing the environments at the API Console page in the Dev Portal as the environments are retrieved via the endpoints currently [1] and we are considering the visibility for the environments here. Checking the APIConsole page implementation [1] and relevant backend changes [2], [3] to get it fixed.

[1] https://github.com/wso2/apim-apps/blob/main/portals/devportal/src/main/webapp/source/src/app/components/Apis/Details/ApiConsole/ApiConsole.jsx#L189
[2] https://github.com/wso2/carbon-apimgt/blob/master/components/apimgt/org.wso2.carbon.apimgt.rest.api.store.v1/src/main/java/org/wso2/carbon/apimgt/rest/api/store/v1/mappings/APIMappingUtil.java#L466
[3] https://github.com/wso2/carbon-apimgt/blob/master/components/apimgt/org.wso2.carbon.apimgt.rest.api.store.v1/src/main/java/org/wso2/carbon/apimgt/rest/api/store/v1/mappings/APIMappingUtil.java#L529

@npamudika

Solved the issue faced while retrieving the GW environments at the Dev Portal.

Added a draft PR [1] with the current implementation changes. Testing the flows atm and refactoring/improving the code changes.

Will be starting with the Admin UI changes as the next step.

[1] wso2/carbon-apimgt#12722

@npamudika

Need to get the UI designs finalized before starting the implementation.

Looking into the integration test failures that occurred due to the PR wso2/carbon-apimgt#12722 atm.

@npamudika

Did the UI modifications to show the GW environment visibility roles at the Deployments page of an API in the Publisher.

Need to work on the Admin UI changes to add/update/remove GW visibility roles.

@npamudika

Started working on the Admin rest API changes to support environment visibility changes in the Admin UI.

@npamudika

As per the final discussion, it was decided to use a separate table to store GW visibility related data instead of having it in AM_GATEWAY_ENVIRONMENT as indicated in #3378 (comment)

```sql
CREATE TABLE AM_GATEWAY_PERMISSIONS (
  GATEWAY_UUID VARCHAR(50) NOT NULL,
  PERMISSIONS_TYPE VARCHAR(50) NOT NULL,
  ROLE VARCHAR(255),
  PRIMARY KEY (GATEWAY_UUID, ROLE),
  FOREIGN KEY (GATEWAY_UUID) REFERENCES AM_GATEWAY_ENVIRONMENT(UUID) ON DELETE CASCADE
);
```

Updated the same PR with the new DB and implementation related changes.
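
An added example, not code from this issue or from the WSO2 code base: a server-side role filter over the `AM_GATEWAY_PERMISSIONS` design above, run against an in-memory SQLite database. The `'ALLOW'` value for `PERMISSIONS_TYPE`, the rule that a gateway with no permission rows is public (switchable to deny-by-default), and all sample rows and role names are assumptions made for illustration.

```python
import sqlite3

# Tables from the thread, trimmed to the columns the filter needs.
SCHEMA = """
CREATE TABLE AM_GATEWAY_ENVIRONMENT (
  UUID VARCHAR(45) PRIMARY KEY,
  NAME VARCHAR(255) NOT NULL
);
CREATE TABLE AM_GATEWAY_PERMISSIONS (
  GATEWAY_UUID VARCHAR(50) NOT NULL,
  PERMISSIONS_TYPE VARCHAR(50) NOT NULL,
  ROLE VARCHAR(255),
  PRIMARY KEY (GATEWAY_UUID, ROLE),
  FOREIGN KEY (GATEWAY_UUID) REFERENCES AM_GATEWAY_ENVIRONMENT(UUID) ON DELETE CASCADE
);
"""

# Constructed sample rows: two regional gateways and one with no restriction.
GATEWAYS = [("uuid-a", "gateway-region-a"), ("uuid-b", "gateway-region-b"),
            ("uuid-open", "gateway-shared")]
# 'ALLOW' is an assumed PERMISSIONS_TYPE value; the thread does not list the values.
PERMISSIONS = [("uuid-a", "ALLOW", "region-a-dev"), ("uuid-b", "ALLOW", "region-b-dev")]

def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO AM_GATEWAY_ENVIRONMENT VALUES (?, ?)", GATEWAYS)
    db.executemany("INSERT INTO AM_GATEWAY_PERMISSIONS VALUES (?, ?, ?)", PERMISSIONS)
    return db

def visible_gateways(db, user_roles, unrestricted_is_public=True):
    """Names of gateways the user may see, decided in the query, not in the UI."""
    roles = sorted(set(user_roles))
    # Only '?' markers are interpolated; role values are always bound parameters.
    marks = ",".join("?" * len(roles)) or "NULL"
    sql = f"""
        SELECT e.NAME FROM AM_GATEWAY_ENVIRONMENT e
        WHERE EXISTS (SELECT 1 FROM AM_GATEWAY_PERMISSIONS p
                      WHERE p.GATEWAY_UUID = e.UUID
                        AND p.PERMISSIONS_TYPE = 'ALLOW'
                        AND p.ROLE IN ({marks}))
           OR (? AND NOT EXISTS (SELECT 1 FROM AM_GATEWAY_PERMISSIONS p
                                 WHERE p.GATEWAY_UUID = e.UUID))
        ORDER BY e.NAME"""
    return [row[0] for row in db.execute(sql, (*roles, int(unrestricted_is_public)))]
```

With `unrestricted_is_public=False` a gateway that has no permission rows is hidden from everyone, which is the fail-closed choice if a missing mapping should never expose a regional endpoint.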

@npamudika

Completed and tested the feature with all the backend + rest API changes by setting the visibility via the deployment.toml.

Need to revamp the changes done in the Publisher UI to show GW visibility roles. Need to do the Admin UI changes as well.


npamudika commented Jan 10, 2025

Revamped the Publisher UI changes to show the GW visibility as below.
PR - wso2/apim-apps#848

[Screenshots: 2025-01-10 at 15:10:12, 15:10:42 and 15:11:05]

@npamudika

Did the styling to the UI changes done in Publisher's Deployment page as below.

[Three images]

@npamudika

Did the Admin UI changes to add permissions for the Gateway as below.

[Two images]

Roles can be set as follows in the same UI.

[Image]

The Gateway listing page in the Admin portal is also modified with the permissions as below.

[Three images]

Updated the same wso2/apim-apps#848 with the new UI changes.

@npamudika

The documentation changes + the integration tests are pending for the feature.

npamudika modified the milestones: APIM 4.5.0, 4.5.0-M1 Jan 22, 2025