Permission to deploy just a single proxy via Maven

Hi everyone, I'm trying to create a role that can deploy just a single proxy, and I'm getting a 403. I'm doing the deploy using Maven.
I want to know what permissions I have to have in my role. Thanks.

Role Permissions:

{
  "resourcePermission": [
    { "organization": "MYORG", "path": "/applications/*", "permissions": [ "get", "delete", "put" ] },
    { "organization": "MYORG", "path": "/applications/MYPROXY", "permissions": [ "get", "delete", "put" ] },
    { "organization": "MYORG", "path": "/applications/MYPROXY/*", "permissions": [ "get", "delete", "put" ] },
    { "organization": "MYORG", "path": "/applications/MYPROXY/revisions", "permissions": [ "get", "delete", "put" ] },
    { "organization": "MYORG", "path": "/applications/MYPROXY/deployments", "permissions": [ "get", "delete", "put" ] },
    { "organization": "MYORG", "path": "/environments/MYPROXY/deployments", "permissions": [ "get", "delete", "put" ] },
    { "organization": "MYORG", "path": "/applications/MYPROXY/revisions/*/npm", "permissions": [ "get", "delete", "put" ] },
    { "organization": "MYORG", "path": "/applications/MYPROXY/revisions/*/policies", "permissions": [ "get", "delete", "put" ] },
    { "organization": "MYORG", "path": "/applications/MYPROXY/revisions/*/deployments", "permissions": [ "get", "delete", "put" ] },
    { "organization": "MYORG", "path": "/applications/MYPROXY/revisions/*/policies/*", "permissions": [ "get", "delete", "put" ] },
    { "organization": "MYORG", "path": "/environments/*/applications/MYPROXY/deployments", "permissions": [ "get", "delete", "put" ] },
    { "organization": "MYORG", "path": "/environments/dev/applications/*/revisions/*/deployments", "permissions": [ "delete", "put" ] },
    { "organization": "MYORG", "path": "/environments/hml/applications/*/revisions/*/deployments", "permissions": [ "delete", "put" ] },
    { "organization": "MYORG", "path": "/environments/prd/applications/*/revisions/*/deployments", "permissions": [ "delete", "put" ] },
    { "organization": "MYORG", "path": "/environments/dev/applications/*/revisions/*/debugsessions", "permissions": [ "get", "put" ] },
    { "organization": "MYORG", "path": "/environments/hml/applications/*/revisions/*/debugsessions", "permissions": [ "get", "put" ] },
    { "organization": "MYORG", "path": "/environments/prd/applications/*/revisions/*/debugsessions", "permissions": [ "get", "put" ] },
    { "organization": "MYORG", "path": "/environments/*/applications/MYPROXY/revisions/*/deployments", "permissions": [ "get", "delete", "put" ] },
    { "organization": "MYORG", "path": "/environments/dev/applications/MYPROXY/revisions/*/deployments", "permissions": [ "delete", "put" ] },
    { "organization": "MYORG", "path": "/environments/hml/applications/MYPROXY/revisions/*/deployments", "permissions": [ "delete", "put" ] },
    { "organization": "MYORG", "path": "/environments/prd/applications/MYPROXY/revisions/*/deployments", "permissions": [ "delete", "put" ] },
    { "organization": "MYORG", "path": "/environments/dev/applications/MYPROXY/revisions/*/debugsessions", "permissions": [] },
    { "organization": "MYORG", "path": "/environments/hml/applications/MYPROXY/revisions/*/debugsessions", "permissions": [] },
    { "organization": "MYORG", "path": "/environments/prd/applications/MYPROXY/revisions/*/debugsessions", "permissions": [] }
  ]
}

Maven Log:
GET https://api.enterprise.apigee.com/v1/organizations/MYORG/apis/MYPROXY/deployments/

accept: [application/json]
accept-encoding: [gzip]
authorization: [Basic [Not shown in log]
[INFO] Request prepared for the server 
 **************************
POST  https://api.enterprise.apigee.com/v1/organizations/MYORG/apis?action=import&name=MYPROXY
accept: [application/json]
accept-encoding: [gzip]
authorization: [Basic [Not shown in log]
content-type: application/octet-stream
 [Request body contains data, not shown] 

[ERROR] 403 Forbidden
com.google.api.client.http.HttpResponseException: 403 Forbidden
    at com.google.api.client.http.HttpRequest.execute (HttpRequest.java:1070)
    at io.apigee.buildTools.enterprise4g.rest.RestClient.executeAPI (RestClient.java:165)
    at io.apigee.buildTools.enterprise4g.rest.RestClient.uploadBundle (RestClient.java:429)
    at io.apigee.buildTools.enterprise4g.mavenplugin.DeployMojo.overrideBundle (DeployMojo.java:159)
    at io.apigee.buildTools.enterprise4g.mavenplugin.DeployMojo.execute (DeployMojo.java:66)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:957)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:289)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:193)
    at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:498)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  1.969 s
[INFO] Finished at: 2021-05-17T14:25:36Z
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal io.apigee.build-tools.enterprise4g:apigee-edge-maven-plugin:1.2.2:deploy (default-cli) on project Cartao_Credito: 403 Forbidden -> [Help 1]
[ERROR] 
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] 
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException



ACCEPTED SOLUTION

The solution was to create the role in the UI and apply via the API the permissions from https://docs.apigee.com/api-platform/system-administration/permissions#api-proxies, in the "api-proxies" part, and after /applications/ I put my proxy name. Thanks guys


3 REPLIES

Hi @Lucas Alexo

It's difficult to help offline, but try adding these to your permissions:

{
	 "organization":"MYORG",
	 "path":"/",
	 "permissions":[
	    "get"
	 ]
},
{
	 "organization":"MYORG",
	 "path":"/applications",
	 "permissions":[
	    "get"
	 ]
},
{
	 "organization":"MYORG",
	 "path":"/environments",
	 "permissions":[
	    "get"
	 ]
},
{
	 "organization":"MYORG",
	 "path":"/environments/*/virtualhosts",
	 "permissions":[
	    "get"
	 ]
},
{
	 "organization":"MYORG",
	 "path":"/environments/*/virtualhosts/*",
	 "permissions":[
	    "get"
	 ]
} 

A tip I would like to recommend: try creating the custom role using the UI with the basic permissions you want. The UI automatically inserts the default permissions that are needed for the custom role to work. Once that's created, you can add other fine-grained permissions using the Management API.

I would suggest creating a new custom role using the UI (leave the previous one as-is) and then selecting the appropriate permissions from the UI, like deploy, trace, view, which environment, etc. Once that's done, assign that role to the user with whom you are trying to deploy in the Maven plugin. Once that works, compare the resource permissions between the two custom roles and find the delta.

My list above might not be sufficient (or could be) and involves more testing, so I would recommend the latter approach (creating a new custom role and trying).
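
The role comparison suggested in the reply above, as an added example that is not part of the original thread: it diffs two `resourcePermission` documents and also lists put/delete grants whose proxy segment is `*`, which reach beyond a single proxy. Both role documents are constructed samples, the function names are hypothetical, and `*` is assumed to stand for any proxy name.

```python
import json

MUTATING = {"put", "delete"}  # verbs that change or remove a resource

# Constructed sample: a few entries in the shape of the role from the question.
HAND_ROLE = """{"resourcePermission": [
 {"organization": "MYORG", "path": "/applications/*", "permissions": ["get", "delete", "put"]},
 {"organization": "MYORG", "path": "/applications/MYPROXY", "permissions": ["get", "delete", "put"]},
 {"organization": "MYORG", "path": "/environments/dev/applications/*/revisions/*/deployments", "permissions": ["delete", "put"]},
 {"organization": "MYORG", "path": "/environments/dev/applications/MYPROXY/revisions/*/debugsessions", "permissions": []}
]}"""

# Constructed sample standing in for a role created in the UI (contents assumed).
UI_ROLE = """{"resourcePermission": [
 {"organization": "MYORG", "path": "/", "permissions": ["get"]},
 {"organization": "MYORG", "path": "/applications", "permissions": ["get"]},
 {"organization": "MYORG", "path": "/applications/MYPROXY", "permissions": ["get", "put"]},
 {"organization": "MYORG", "path": "/environments/*/virtualhosts", "permissions": ["get"]}
]}"""

def load(doc):
    """Map each path to the set of verbs granted on it."""
    perms = {}
    for entry in json.loads(doc)["resourcePermission"]:
        perms.setdefault(entry["path"], set()).update(entry["permissions"])
    return perms

def delta(working, failing):
    """Per path, verbs the working role grants that the failing role lacks."""
    out = {}
    for path, verbs in working.items():
        missing = verbs - failing.get(path, set())
        if missing:
            out[path] = sorted(missing)
    return out

def wildcard_proxy_grants(perms):
    """Paths granting put/delete where the segment after 'applications' is '*'."""
    hits = set()
    for path, verbs in perms.items():
        parts = path.strip("/").split("/")
        for i, seg in enumerate(parts[:-1]):
            if seg == "applications" and parts[i + 1] == "*" and verbs & MUTATING:
                hits.add(path)
    return sorted(hits)

if __name__ == "__main__":
    hand, ui = load(HAND_ROLE), load(UI_ROLE)
    print("missing from hand-written role:", delta(ui, hand))
    print("grants reaching every proxy:", wildcard_proxy_grants(hand))
```
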

Thanks for the quick response! I had already tried to create the permission only through the interface, and the permissions from the web interface alone were not enough. I have now added the paths that you reported, but I still had a 403 error. Is there any test I can do to help you help me?
