Solved: Re: Teamwork: who created & who changed any given ...

optimism · 10-29-2021 12:41 AM

Hi, dearest Community,

"Teamwork: who created & who changed any given Apigee proxy?"

Could someone please suggest, what kind of existing capabilities do we have in Apigee to answer this question?
Maybe there are any plans to implement such features in the Apigee?

When someone does not use Version Control System such as Git & directly uses Apigee web UI, how we could keep track of who created, changed, or deleted any given Apigee proxy?
Audit trail, proxy history.
regards, thanks,

sidd-harth

Hi, within Apigee X we can make use of GCP Logging feature.

Most changes (I can't say all because I have not explored Apigee X fully) within the Apigee UI like proxy revision creation, updating revisions, creating products, modifying them will be automatically Audited.

The Audit gives info on who (email ID) created it or who made the changes along with a snapshot of the latest configuration(e.g. proxy config when we save a Revision).

In GCP >> Logs Explorer
Filter for Apigee resources
For proxy revision update logs use below query

resource.type="audited_resource" resource.labels.service="apigee.googleapis.com" resource.labels.method="google.cloud.apigee.v1.ApiProxyService.UpdateApiProxyRevision"

Sample JSON Log FYR -

{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "student-01-a428489a2ef4@qwiklabs.net"
    },
    "requestMetadata": {
      "callerIp": "xxxx.xxx.xx.xxxx",
      "callerSuppliedUserAgent": "Go-http-client/1.1",
      "requestAttributes": {
        "time": "2021-10-29T12:35:56.157038352Z",
        "auth": {}
      },
      "destinationAttributes": {}
    },
    "serviceName": "apigee.googleapis.com",
    "methodName": "google.cloud.apigee.v1.ApiProxyService.UpdateApiProxyRevision",
    "authorizationInfo": [
      {
        "resource": "organizations/qwiklabs-gcp-02-fe7ea20d1cbf/apis/hello-world/revisions/4",
        "permission": "apigee.proxyrevisions.update",
        "granted": true,
        "resourceAttributes": {}
      }
    ],
    "resourceName": "organizations/qwiklabs-gcp-02-fe7ea20d1cbf/apis/hello-world/revisions/4",
    "request": {
      "name": "organizations/qwiklabs-gcp-02-fe7ea20d1cbf/apis/hello-world/revisions/4",
      "@type": "type.googleapis.com/google.cloud.apigee.v1.UpdateApiProxyRevisionRequest"
    },
    "response": {
      "@type": "type.googleapis.com/google.cloud.apigee.v1.ApiProxyRevision",
      "description": "An example API proxy.",
      "policies": [
        "Verify-JWT-1",
        "Spike-Arrest-1",
        "JavaScript-1"
      ],
      "entityMetaDataAsProperties": {
        "lastModifiedAt": "1635510956200",
        "bundle_type": "zip",
        "subType": "Proxy",
        "createdAt": "1635510595940"
      },
      "resources": [
        "jsc://JavaScript-1.js"
      ],
      "targets": [
        "default"
      ],
      "targetEndpoints": [
        "default"
      ],
      "revision": "4",
      "basepaths": [
        "/hello"
      ],
      "name": "hello-world",
      "proxies": [
        "default"
      ],
      "displayName": "Hello World"
    }
  },
  "insertId": "166bui9e1ebhd",
  "resource": {
    "type": "audited_resource",
    "labels": {
      "method": "google.cloud.apigee.v1.ApiProxyService.UpdateApiProxyRevision",
      "service": "apigee.googleapis.com",
      "project_id": "qwiklabs-gcp-02-fe7ea20d1cbf"
    }
  },
  "timestamp": "2021-10-29T12:35:56.971787987Z",
  "severity": "NOTICE",
  "logName": "projects/qwiklabs-gcp-02-fe7ea20d1cbf/logs/cloudaudit.googleapis.com%2Factivity",
  "receiveTimestamp": "2021-10-29T12:35:56.971787987Z"
}

I hope this helps.

View solution in original post

gmornet

Hello optimism,

I have the same question. I tried to get information with the gcloud command-line, but commands such as the following do not list any user information.

~ gcloud alpha apigee apis describe Guillaume-OAuth2-Location-v110

Same with REST API, the "revisions" ressource (sample URL below) gives out a lot of information about a revision, but omits the revision creator.

organizations/api-groupe-rocher-npe-23f8d0/apis/Guillaume-OAuth2-Location-v110/revisions/2

This is really a pain point for us, as we're migrating from another APIM platform that lets us know who created a revision.

Regards,

Guillaume

sidd-harth

Hi, within Apigee X we can make use of GCP Logging feature.

Most changes (I can't say all because I have not explored Apigee X fully) within the Apigee UI like proxy revision creation, updating revisions, creating products, modifying them will be automatically Audited.

The Audit gives info on who (email ID) created it or who made the changes along with a snapshot of the latest configuration(e.g. proxy config when we save a Revision).

In GCP >> Logs Explorer
Filter for Apigee resources
For proxy revision update logs use below query

resource.type="audited_resource" resource.labels.service="apigee.googleapis.com" resource.labels.method="google.cloud.apigee.v1.ApiProxyService.UpdateApiProxyRevision"

Sample JSON Log FYR -

{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "student-01-a428489a2ef4@qwiklabs.net"
    },
    "requestMetadata": {
      "callerIp": "xxxx.xxx.xx.xxxx",
      "callerSuppliedUserAgent": "Go-http-client/1.1",
      "requestAttributes": {
        "time": "2021-10-29T12:35:56.157038352Z",
        "auth": {}
      },
      "destinationAttributes": {}
    },
    "serviceName": "apigee.googleapis.com",
    "methodName": "google.cloud.apigee.v1.ApiProxyService.UpdateApiProxyRevision",
    "authorizationInfo": [
      {
        "resource": "organizations/qwiklabs-gcp-02-fe7ea20d1cbf/apis/hello-world/revisions/4",
        "permission": "apigee.proxyrevisions.update",
        "granted": true,
        "resourceAttributes": {}
      }
    ],
    "resourceName": "organizations/qwiklabs-gcp-02-fe7ea20d1cbf/apis/hello-world/revisions/4",
    "request": {
      "name": "organizations/qwiklabs-gcp-02-fe7ea20d1cbf/apis/hello-world/revisions/4",
      "@type": "type.googleapis.com/google.cloud.apigee.v1.UpdateApiProxyRevisionRequest"
    },
    "response": {
      "@type": "type.googleapis.com/google.cloud.apigee.v1.ApiProxyRevision",
      "description": "An example API proxy.",
      "policies": [
        "Verify-JWT-1",
        "Spike-Arrest-1",
        "JavaScript-1"
      ],
      "entityMetaDataAsProperties": {
        "lastModifiedAt": "1635510956200",
        "bundle_type": "zip",
        "subType": "Proxy",
        "createdAt": "1635510595940"
      },
      "resources": [
        "jsc://JavaScript-1.js"
      ],
      "targets": [
        "default"
      ],
      "targetEndpoints": [
        "default"
      ],
      "revision": "4",
      "basepaths": [
        "/hello"
      ],
      "name": "hello-world",
      "proxies": [
        "default"
      ],
      "displayName": "Hello World"
    }
  },
  "insertId": "166bui9e1ebhd",
  "resource": {
    "type": "audited_resource",
    "labels": {
      "method": "google.cloud.apigee.v1.ApiProxyService.UpdateApiProxyRevision",
      "service": "apigee.googleapis.com",
      "project_id": "qwiklabs-gcp-02-fe7ea20d1cbf"
    }
  },
  "timestamp": "2021-10-29T12:35:56.971787987Z",
  "severity": "NOTICE",
  "logName": "projects/qwiklabs-gcp-02-fe7ea20d1cbf/logs/cloudaudit.googleapis.com%2Factivity",
  "receiveTimestamp": "2021-10-29T12:35:56.971787987Z"
}

I hope this helps.

gmornet

Thanks a lot sidd-harth, this tip provides us with the information we need to help us run ApigeeX!

optimism

Hi, @sidd-harth

thanks a lot for the resolution! I've accepted it & it works nice!

@gmornet thanks for your input & support on this topic!

thanks,

regards,