Dear community,
I am new to Apigee so please be patient if I make too many silly questions. 😉
Here is my issue: I am trying to call the stats API to list some metrics produced by Apigee out of the box; however, no matter what profile I assign to the user, I always get a 401 Unauthorized error returned.
This is what the URL I am calling looks like:
The user I am using has all of the existing roles in the organization, including:
"Organization Administrator", which has the following rights:
| Resource | Path | Permissions |
|---|---|---|
| Organization resource | / | GET PUT DELETE |
| /apimonitoring | /apimonitoring | GET PUT DELETE |
and "Operations Administrator" with:
| Resource | Path | Permissions |
|---|---|---|
| Organization resource | / | GET |
| /apimodels | /apimodels | |
| /apimodels/* | /apimodels/* | |
| /apimonitoring | /apimonitoring | GET PUT DELETE |
| Products | /apiproducts | GET |
| API Proxies | /applications | GET |
| Deploy API to any environment (deprecated path) | /applications/*/revisions/*/deployments | GET PUT DELETE |
| Developer Apps | /apps | GET |
| Analytics Custom Reports | /axCustomReports | GET |
| Companies | /companies | GET |
| Deployments | /deployments | GET |
| Developers | /developers | GET |
| Analytics DB Schema | /environments/*/analytics/admin | GET |
| /environments/*/apipattern | /environments/*/apipattern | GET PUT DELETE |
| Trace in any environment | /environments/*/applications/*/revisions/*/debugsessions | |
| Deploy API to any environment | /environments/*/applications/*/revisions/*/deployments | GET PUT DELETE |
| /environments/*/keyvaluemaps | /environments/*/keyvaluemaps | |
| Analytics Data | /environments/*/stats | GET |
| /keyvaluemaps | /keyvaluemaps | GET |
| Reports | /reports | GET |
| UserRoles resource at organization level | /userroles | |
| User's Own Permissions | /userroles/*/permissions | GET |
What am I missing?
Thanks a lot in advance for your help and kind regards,
CGR
Can you call other Administrative APIs?
What if you try
GET https://api.enterprise.apigee.com/v1/o/my-org
...passing the same credential (user credentials or token). What do you see?
Hi,
Being assigned to any customized role, you would be able to get a 200 response, but with "No data in the response", provided that the credentials supplied are correct.
Sample call for a user whose role is a customized one, for the above case:
https://api.enterprise.apigee.com/v1/organizations/ORGNAME/environments/test/stats/apiproxy,target_r... eq 'abc proxy')
You could easily perform those operations if you are an org admin. I would like you to check the below:

```bash
curl -X GET 'https://api.enterprise.apigee.com/v1/o/ORGNAME/apis' \
  -H 'Authorization: Basic <>' \
  -H 'Content-Type: application/json' \
  -H 'cache-control: no-cache'
```

```bash
curl -X GET 'https://api.enterprise.apigee.com/v1/o/ORGNAME/userroles/<ROLE>/permissions' \
  -H 'Authorization: Basic <>' \
  -H 'Content-Type: application/json' \
  -H 'cache-control: no-cache'
```

Let us know if you are still not able to find the fix. Thanks and Regards,
Mani
Dear Manikanta,
Thanks for your answer. Please refer to my answer to Dino's previous comment. I guess I found the root cause of my login issues. Let's see what he says and if I manage to log in using token-based auth.
Regards
Hi Dino,
Thanks a lot for your prompt answer.
I've just tried the call you suggest and I am still getting a 401 error. Additionally, I recreated the same user configuration on my "personal" Apigee Edge and it worked like a charm: a 200 code was returned with data in the response, etc.
This confirms there is a particularity in the way the authentication / authorization is set up in "my-org" (the one we use at work).
In this sense, there is an important detail to take into account that I failed to mention in my original post: in "my-org", by default, there is a certificate-based SAML login enabled to access the Apigee Edge UI. However, in order to call the stats API, as suggested by our Apigee admin, I created a "service account" to be able to use basic auth with login and password in Postman (my REST client).
I just found this article
https://docs.apigee.com/api-platform/system-administration/using-saml
which I think explains the way I should proceed (using a token and not credentials as you mention in your comment), correct?
I guess this confirms that if SAML is enabled, this applies to the Apigee UI but also to the Apigee Management API within the same organization, which makes sense (in our org it is not the case, as REST endpoints are out of scope of SAML even if they share the domain name with an SSO-enabled UI).
Am I right?
Thanks a lot again for your help!
CGR
You are correct! You must obtain a token if you use a SAML-enabled org and a service account.
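The token-based flow this reply describes, as an added example that is not part of the thread and not Apigee's own tooling: it assumes a SAML zone name, org and environment (placeholders), and the passcode grant with the `edgecli` client credentials described in the Apigee SAML documentation linked above (verify against your zone). The `fake_send` transport is constructed here so the script runs offline, and it answers the management API only when a Bearer token is presented, mirroring the 401 seen with Basic auth.

```python
import base64
import io
import json
import urllib.parse
import urllib.request

# Assumed values (not from the thread): SAML zone, org, environment, and the
# edgecli client credentials that Apigee's SAML docs use for the passcode grant.
ZONE = "my-zone"
ORG = "my-org"
ENV = "test"
TOKEN_URL = f"https://{ZONE}.login.apigee.com/oauth/token"
MGMT_BASE = "https://api.enterprise.apigee.com/v1"
EDGECLI_BASIC = base64.b64encode(b"edgecli:edgeclisecret").decode()


def build_token_request(passcode):
    """Exchange a one-time SAML passcode for an access token (passcode grant)."""
    body = urllib.parse.urlencode({"grant_type": "password", "response_type": "token", "passcode": passcode}).encode()
    return urllib.request.Request(TOKEN_URL, data=body, method="POST", headers={
        "Authorization": f"Basic {EDGECLI_BASIC}",  # client credentials, not the user's
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    })


def build_stats_request(token, dimension, select, time_range):
    """The stats call from the thread, sent with a Bearer token instead of Basic auth."""
    query = urllib.parse.urlencode({"select": select, "timeRange": time_range})
    url = f"{MGMT_BASE}/organizations/{ORG}/environments/{ENV}/stats/{dimension}?{query}"
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})


def fetch_stats(passcode, select, time_range, send=urllib.request.urlopen):
    """Two-step flow: obtain a token, then call the management API with it."""
    with send(build_token_request(passcode)) as resp:
        token = json.load(resp)["access_token"]
    with send(build_stats_request(token, "apiproxy", select, time_range)) as resp:
        return json.load(resp)


def fake_send(req):
    """Constructed offline stand-in for urlopen: issues a dummy token, and answers
    the management API only when that token is presented as a Bearer credential."""
    if req.full_url.startswith(TOKEN_URL):
        return io.BytesIO(json.dumps({"access_token": "dummy-token"}).encode())
    if req.get_header("Authorization") != "Bearer dummy-token":
        return io.BytesIO(json.dumps({"code": 401, "message": "Unauthorized"}).encode())
    return io.BytesIO(json.dumps({"environments": [{"name": ENV, "metrics": []}]}).encode())
```

Against a real zone, drop the `send=fake_send` argument so `urllib.request.urlopen` is used, and take the passcode from the zone's SAML login page.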