Prevent creation of shared flows with given prefix?

Is it possible to prevent the user from creating shared flows with a specific prefix?

The target is that users can maintain shared flows, except for the platform-provided ones with the prefix "Platform-".

We are able to prevent users modifying them, as the path has the shared flow name in it, hence we can use wildcards in the permissions.

However, we would like to prevent the user from CREATING such objects himself. As POST /sharedflows is used for creating new shared flows, we cannot refine the permission. Query parameters in the permissions path are not evaluated: "/sharedflows?name=Platform-*".

In the current setting, the user can create such flows, but cannot modify them afterwards, which is a pain from a conceptual point of view.

This is working fine for configuring read/update/delete, but not for create (I did not paste the deployment-related permissions here); we would need full control for all CRUD operations:

- path: /sharedflows
  permissions: get,put
# Unfortunately, this can be imported, but is not evaluated:
- path: /sharedflows?name=Platform-*
  permissions: get
- path: /sharedflows/*
  permissions: get,delete
- path: /sharedflows/Platform-*
  permissions: get
- path: /sharedflows/*/revisions
  permissions: get
- path: /sharedflows/*/revisions/*
  permissions: get,put,delete
- path: /sharedflows/Platform-*/revisions/*
  permissions: get
1 REPLY

Yes

We've discussed adding wildcards, or some other pattern-matching capability to the permissions model in Apigee Edge. So far it's a feature request in the backlog.

In Apigee X, this problem is a little different because the permissions are determined by the Google IAM permissions model, which includes Conditions. And Apigee X will support IAM Conditions, which would give you the expressiveness you desire to set up these rules.

In the absence of these rules, for now, you'd need a post-facto sweeper task that looked at the names of the sharedflows and deleted them, or flagged them, or something like that.
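The sweeper task suggested in the reply, as an added example (not code from the thread or from Apigee): it lists shared flows and flags those that use the reserved "Platform-" prefix but were not created by a platform account. Assumptions: the `PLATFORM_OWNERS` allowlist, the sample data, and the Edge management API returning a JSON array of names plus a `metaData.createdBy` field per shared flow.

```python
"""Post-facto sweeper for shared flows using a reserved name prefix (added example)."""
import json
import urllib.parse
import urllib.request

RESERVED_PREFIX = "Platform-"                     # prefix from the question
PLATFORM_OWNERS = {"platform-team@example.com"}   # assumption: accounts allowed to own such flows
BASE = "https://api.enterprise.apigee.com/v1/organizations/{org}/sharedflows"

def fetch_flows(org, auth_header):
    """Return [{'name': ..., 'createdBy': ...}] from the Edge management API."""
    def get(url):
        req = urllib.request.Request(url, headers={"Authorization": auth_header})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    base = BASE.format(org=org)
    flows = []
    for name in get(base):                        # assumed: listing is a JSON array of names
        meta = get(f"{base}/{urllib.parse.quote(name)}").get("metaData", {})
        flows.append({"name": name, "createdBy": meta.get("createdBy")})
    return flows

def find_violations(flows, prefix=RESERVED_PREFIX, owners=PLATFORM_OWNERS):
    """Flag reserved-prefix flows not created by a platform account.

    Names that match the prefix only case-insensitively are reported separately for review.
    """
    reserved, lookalike = [], []
    for flow in flows:
        name, creator = flow["name"], flow.get("createdBy")
        if creator in owners:
            continue                              # platform-owned: allowed
        if name.startswith(prefix):               # unknown creator is flagged too (fail closed)
            reserved.append(name)
        elif name.lower().startswith(prefix.lower()):
            lookalike.append(name)
    return {"reserved": sorted(reserved), "lookalike": sorted(lookalike)}

# Constructed sample standing in for fetch_flows() output, so the check runs offline.
SAMPLE = [
    {"name": "Platform-logging", "createdBy": "platform-team@example.com"},
    {"name": "Platform-auth", "createdBy": "dev1@example.com"},
    {"name": "platform-quota", "createdBy": "dev2@example.com"},
    {"name": "team-a-cors", "createdBy": "dev1@example.com"},
    {"name": "Platform-legacy"},
]
```

Run on a schedule, `find_violations(fetch_flows(org, auth_header))` gives the list to flag or delete; the example only reports and leaves that decision to the operator.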