Management Users / Roles / Environments

I would like to know how I can manage this automatically, making a matrix between users, roles and environments for Apigee.

For example, I could create a YAML file as follows. To manage it (add a new user/role/environment), I would run a pipeline that reads this YAML file and gives users access to the respective roles in the respective environments.

Any suggestions on how to manage this? Use a Flux or ArgoCD (GitOps)? Azure DevOps or Jenkins? Keycloak?

environments:
- env1:
     - user1:
          - role1
          - role2 
     - user2:
          - role1
          - role4
     - user3:
          - role3
- env2:
     - user1:
          - role1
          - role2 
     - user2:
          - role1
          - role4
     - user3:
          - role3
- env3:
     - user1:
          - role1
          - role2 
     - user2:
          - role1
          - role4
     - user3:
          - role3

Thanks


Apigee X/hybrid or Edge? 

For Apigee Edge, there is a permissions API. For example, to set permissions for a role:

POST :mgmtserver/v1/o/:orgname/userroles/:role/permissions
Authorization: :apigee-auth
Content-type: application/json

{
     "organization" : ":orgname",
     "path": "/apiproducts/*",
     "permissions" : [ "get" ]
}

And to add users to a role:

POST :mgmtserver/v1/o/:orgname/userroles/:role/users?id=:useremail
Authorization: :apigee-auth
Content-type: application/x-www-form-urlencoded

So you would need to write a script to read the YAML and then invoke those APIs. Here is the reference on permissions.

For Apigee X/hybrid, the permissions and role-based access control are different. The control plane and all the RBAC and authorization for operations users are managed by GCP. You would need to perform the same things, except you'd be invoking the Google IAM API rather than the Apigee permissions API.

Thanks!

What would be the best way for me to manage this? For example, a new employee has joined and I need to give them permissions for certain environments. Another example: a new environment was created and I need to give permissions to some users, etc. Do I write the permissions in that YAML file and run the pipeline? Or is there a better way to manage these permissions?

If you're using Apigee Edge, then.... you should use roles. When a new employee comes into the picture, just add that employee to the userrole that is associated with the environment.

When a new environment is created, then... you need to set up the Role or Roles for that environment. And then add users to the respective roles.

The pipeline sounds like a good way to accomplish these things. But in order to do it you'd need to have a read-then-write process.

For each environment in the YAML file:

- read the roles and see if they exist. If not, create them.
- read the users attached to each role. See if you need to add users to the roles.

And then, read the environments in the Organization, and if they are not present in the YAML file, flag this as an inconsistency.

ps: You probably want a "dry-run" flag on that automation tool!
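The read-then-write reconciliation described above, as an added example that is not code from the thread or from Apigee: it flattens the question's YAML matrix, plans the missing roles and role memberships against a constructed snapshot of the org, flags the inconsistencies the reply mentions (plus users present in a role but absent from the YAML), and maps the plan to the Edge management API calls quoted earlier behind a dry-run flag. Assumed, not from the thread: one org-level userrole per (environment, role) pair named `<env>-<role>`, the placeholder org `myorg`, a caller-supplied `invoke` callable for the HTTP calls, and the matrix given as the structure `yaml.safe_load()` returns.

```python
"""Reconcile a user/role/environment matrix against the current Apigee Edge org.
Assumed (not from the thread): one org-level userrole per (env, role) pair,
named "<env>-<role>", and an injected `invoke` callable for the HTTP calls."""
ORG = "myorg"  # placeholder organization name
# Constructed: what yaml.safe_load() returns for the question's YAML, trimmed.
DESIRED_YAML = {"environments": [
    {"env1": [{"user1": ["role1", "role2"]}, {"user2": ["role1", "role4"]}]},
    {"env2": [{"user1": ["role1"]}, {"user3": ["role3"]}]}]}
# Constructed: org state as read via GET .../environments and GET .../userroles/:role/users.
CURRENT_ENVS = {"env1", "env2", "env3"}
CURRENT_ROLE_USERS = {"env1-role1": {"user1"}, "env1-role2": {"user1", "user9"}}

def desired_state(matrix):
    """Flatten the nested YAML into (set of envs, {role_name: set(users)})."""
    envs, roles = set(), {}
    for env_item in matrix["environments"]:
        (env, members), = env_item.items()
        envs.add(env)
        for user_item in members:
            (user, user_roles), = user_item.items()
            for r in user_roles:
                roles.setdefault(f"{env}-{r}", set()).add(user)
    return envs, roles

def plan(matrix, current_envs, current_role_users):
    """Read-then-write step: compute what is missing and flag inconsistencies."""
    envs, roles = desired_state(matrix)
    actions, warnings = [], []
    for role, users in sorted(roles.items()):
        have = current_role_users.get(role, set())
        if role not in current_role_users:
            actions.append(("create_role", role))
        actions += [("add_user", role, u) for u in sorted(users - have)]
        warnings += [f"{u} is in {role} but not in the YAML" for u in sorted(have - users)]
    warnings += [f"environment {e} exists in the org but not in the YAML"
                 for e in sorted(current_envs - envs)]
    return actions, warnings

def apply(actions, invoke, dry_run=True):
    """Map actions to management API calls; with dry_run=True nothing is invoked."""
    calls = []
    for act in actions:
        if act[0] == "create_role":
            calls.append(("POST", f"/v1/o/{ORG}/userroles", {"role": [{"name": act[1]}]}))
        else:  # add_user: the endpoint quoted in the reply above
            calls.append(("POST", f"/v1/o/{ORG}/userroles/{act[1]}/users?id={act[2]}", None))
    if not dry_run:
        for call in calls:
            invoke(*call)
    return calls
```

Run `plan()` first and review its warnings, then call `apply()` with `dry_run=False` only once the planned calls look right.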