Not able to create GET access to /environment resource for a new role

Not applicable
Hi,

I am an organization administrator. Still, I am not able to give the following access to a new role I am creating.

{ "path" : "/environments", "permissions" : [ "get" ]}

I am getting a Forbidden.

What I am trying to achieve is a user who has access to do anything in all environments except production and test.

Thanks
Jaskaran

Can you share your API call? Why is the path /environments, shouldn't it be /v1/o/{}/environments?

I am trying /environments, because that is the access that the org admin has. See orgadmin accesses below -

{
    "resourcePermission": [
        { "organization": "", "path": "/", "permissions": [ "delete", "get", "put" ] },
        { "organization": "", "path": "/environments", "permissions": [ "get" ] },
        { "organization": "", "path": "/environments/*", "permissions": [ "get" ] },
        { "organization": "", "path": "/environments/*/virtualhosts", "permissions": [ "get" ] },
        { "organization": "", "path": "/environments/*/virtualhosts/*", "permissions": [ "get" ] }
    ]
}

The API call I am trying is -

REQUEST
POST https://api.enterprise.apigee.com/v1/organizations...<org_name>/userroles/SuperDeveloper/permissions
{ "path" : "/environments", "permissions" : [ "get" ]}

RESPONSE
HTTP/1.1 403 Forbidden
Connection: keep-alive
Content-Length: 0
Date: Tue, 01 Sep 2015 23:23:58 GMT
Server: Apigee Router

I gave "get" access to "/v1/organizations/{}/environments" but I am not able to get environments in the screen.

This information might help. I already have following permissions for the role -

{
    "resourcePermission": [
        { "organization": "", "path": "/", "permissions": [ "delete", "get", "put" ] },
        { "organization": "", "path": "/environments/dev/*", "permissions": [ "delete", "get", "put" ] },
        { "organization": "", "path": "/environments/ci/*", "permissions": [ "delete", "get", "put" ] },
        { "organization": "", "path": "/environments/qa/*", "permissions": [ "delete", "get", "put" ] },
        { "organization": "", "path": "/environments/uat/*", "permissions": [ "delete", "get", "put" ] },
        { "organization": "", "path": "/environments/sandbox/*", "permissions": [ "delete", "get", "put" ] },
        { "organization": "", "path": "/environments/test/caches", "permissions": [] },
        { "organization": "", "path": "/environments/production/caches", "permissions": [] },
        { "organization": "", "path": "/environments/test/keyvaluemaps", "permissions": [] },
        { "organization": "", "path": "/environments/production/keyvaluemaps", "permissions": [] },
        { "organization": "", "path": "/environments/test/applications/*/revisions/*/debugsessions", "permissions": [] },
        { "organization": "", "path": "/environments/production/applications/*/revisions/*/debugsessions", "permissions": [] },
        { "organization": "", "path": "/environments/test/applications/*/revisions/*/deployments", "permissions": [] },
        { "organization": "", "path": "/environments/production/applications/*/revisions/*/deployments", "permissions": [] }
    ]
}

I see, sorry, my bad, it's environments - so 403, strange -- so I checked my orgadmin, it has only '/' for get,post,delete. Is this on-prem? Can you try sysadmin creds? Can you post your orgadmin roles? And were you able to try using the UI to add these permissions?

Here are my orgadmin access

{
    "resourcePermission": [
        { "organization": "orgname", "path": "/", "permissions": [ "delete", "get", "put" ] },
        { "organization": "orgname", "path": "/environments", "permissions": [ "get" ] },
        { "organization": "orgname", "path": "/environments/*", "permissions": [ "get" ] },
        { "organization": "orgname", "path": "/environments/*/virtualhosts", "permissions": [ "get" ] },
        { "organization": "orgname", "path": "/environments/*/virtualhosts/*", "permissions": [ "get" ] }
    ]
}

I am only using APIs to create this, as I have some unwanted behaviour from UI

adas
New Member
@jaskaran.rm I noticed something wrong with your permissions:
{
    "resourcePermission": [
        {
            "organization": "",
            "path": "/",
            "permissions": [
                "delete",
                "get",
                "put"
            ]
        },
        {
            "organization": "",
            "path": "/environments/dev/*",
            "permissions": [
                "delete",
                "get",
                "put"
            ]
        },
        {
            "organization": "",
            "path": "/environments/ci/*",
            "permissions": [
                "delete",
                "get",
                "put"
            ]
        },
        {
            "organization": "",
            "path": "/environments/qa/*",
            "permissions": [
                "delete",
                "get",
                "put"
            ]
        },
        {
            "organization": "",
            "path": "/environments/uat/*",
            "permissions": [
                "delete",
                "get",
                "put"
            ]
        },
        {
            "organization": "",
            "path": "/environments/sandbox/*",
            "permissions": [
                "delete",
                "get",
                "put"
            ]
        },
        {
            "organization": "",
            "path": "/environments/test/caches",
            "permissions": []
        },
        {
            "organization": "",
            "path": "/environments/production/caches",
            "permissions": []
        },
        {
            "organization": "",
            "path": "/environments/test/keyvaluemaps",
            "permissions": []
        },
        {
            "organization": "",
            "path": "/environments/production/keyvaluemaps",
            "permissions": []
        },
        {
            "organization": "",
            "path": "/environments/test/applications/*/revisions/*/debugsessions",
            "permissions": []
        },
        {
            "organization": "",
            "path": "/environments/production/applications/*/revisions/*/debugsessions",
            "permissions": []
        },
        {
            "organization": "",
            "path": "/environments/test/applications/*/revisions/*/deployments",
            "permissions": []
        },
        {
            "organization": "",
            "path": "/environments/production/applications/*/revisions/*/deployments",
            "permissions": []
        }
    ]
}
If you notice, the "organization" field in your permissions is empty; ideally there would be the org-id for things to work. How did you create the custom role, did you use the UI or the APIs to create the role? An example of a custom role would be this:
{
  "resourcePermission" : [ {
    "organization" : "apigee-func",
    "path" : "/",
    "permissions" : [ "get", "put", "delete" ]
  }, {
    "organization" : "apigee-func",
    "path" : "/environments",
    "permissions" : [ "get" ]
  }, {
    "organization" : "apigee-func",
    "path" : "/environments/*",
    "permissions" : [ "get" ]
  }, {
    "organization" : "apigee-func",
    "path" : "/environments/*/virtualhosts",
    "permissions" : [ "get" ]
  }, {
    "organization" : "apigee-func",
    "path" : "/environments/*/virtualhosts/*",
    "permissions" : [ "get" ]
  } ]
}
Note the organization field is populated. When that field is not populated, your permissions cannot be determined and hence you might be seeing that error.
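
A way to review a role document like the ones in this thread offline, as an added example (not part of the original posts and not Apigee's code): it lists entries with an empty "organization" field and resolves which entry would decide access to a resource. It assumes `*` matches one path segment and that the longest matching entry wins; the `targetservers` path is a sample resource that the posted role does not list.

```python
import json

def _segments(path):
    return [s for s in path.split("/") if s]

def effective_permissions(role, resource):
    """Permissions of the most specific entry whose path is a prefix of
    `resource`. ASSUMPTION: '*' matches one segment and the longest matching
    entry wins; this models the role document, it is not Apigee's own logic."""
    target, best = _segments(resource), None
    for entry in role["resourcePermission"]:
        pat = _segments(entry["path"])
        if len(pat) <= len(target) and all(p in ("*", t) for p, t in zip(pat, target)):
            if best is None or len(pat) > len(_segments(best["path"])):
                best = entry
    return sorted(best["permissions"]) if best else []

def empty_org_entries(role):
    """Paths whose "organization" field is empty, the condition the reply flags."""
    return [e["path"] for e in role["resourcePermission"] if not e.get("organization")]

# Constructed sample: a subset of the role posted in the thread.
ROLE = json.loads("""
{"resourcePermission": [
  {"organization": "", "path": "/", "permissions": ["delete", "get", "put"]},
  {"organization": "", "path": "/environments/dev/*", "permissions": ["delete", "get", "put"]},
  {"organization": "", "path": "/environments/production/caches", "permissions": []},
  {"organization": "", "path": "/environments/production/keyvaluemaps", "permissions": []}
]}
""")

if __name__ == "__main__":
    print("entries with empty organization:", empty_org_entries(ROLE))
    for res in ("/environments/production/caches",
                "/environments/production/targetservers",  # sample path, not in the role
                "/environments/dev/caches"):
        print(res, "->", effective_permissions(ROLE, res))
```

Under these assumptions, a production resource with no explicit empty-permission entry falls back to the grant on `/`, which is worth checking for every resource type when a role is built from a broad grant plus per-path denials.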

Hi @arghya das - I replaced the org name to "<org_name>". For some name it doesn't show up in the comment.

adas
New Member
@jaskaran.rm I was referring to the empty "" org name in the JSON payload. Are you saying you actually had the correct org-id set there?

Yes I have that. All other accesses are working as expected.

adas
New Member
Is this on cloud? Did you try to create the same role using the UI, at least to see if you get the same problem there as well?

Yup. It's on cloud. From UI, it does create this access. But it creates a bunch of other stuff as well. Also, I can't remove access to an environment-specific KVM from UI. So I will need to have a mix and match, which is painful but is a workaround to get us started.

Not applicable

Hi @jaskaran.rm

I am trying to do the same thing for the environment in the cloud. I am not sure whether you could successfully create the role permission for the environment or not?

I am sending the following payload and I am getting HTTP 403 for that.

https://api.enterprise.apigee.com/v1/organizations/MY-ORG-NAME/userroles/MY-ROLE-NAME/permissions

{ 
    "organization": "MY-ORG-NAME",
    "path" : "/environments/*",
    "permissions" : [ "get" ]   
}

or even tried the following one:

{ 
    "path" : "/environments/*",
    "permissions" : [ "get" ]   
}

For all cases I am getting:

HTTP/1.1 403 Forbidden
Connection: keep-alive
Content-Length: 0
Date: Mon, 21 Sep 2015 11:19:30 GMT
Server: Apigee Router