Stats API & User Roles


We have a use case where we want to hit the stats API for information on volume, etc., to display in a web portal. I am in the process of creating a user for this purpose. I wanted to limit that user to read-only access to the stats API. Looking at the default roles (and also the customizable options), I did not see an easy way to achieve this. I was able to create a custom role with no access, and that allowed me to hit the stats API while preventing any action within the Apigee UI. I guess I have two questions:

1. What access does a user get "out of the box" with no predefined or custom roles added?

2. What is the best way to lock a user down to only the stats API (or a small subset)?

ACCEPTED SOLUTION

@Steven Wolfe, @Sai Saran Vaidyanathan

Try this instead.

{
      "organization": "orgname",
      "path": "/environments/test/stats",
      "permissions": []
}

Or use the following to block access to all environments.

{
      "organization": "orgname",
      "path": "/environments/*/stats",
      "permissions": []
}

You should receive the following error. Also, make sure that the user is not assigned more than one role where the other role grants access to the resource.

HTTP/1.1 403 Forbidden
Connection: keep-alive
Content-Length: 0
Date: Thu, 28 Jul 2016 14:56:31 GMT
Server: Apigee Router

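As an added illustration (not code from this thread or from Apigee), the Python below models how the resource permissions posted in this thread combine, so the three observations can be checked side by side: the default GET on "/" and "/environments/*" is what lets a role with no explicit stats permission read the stats API, an empty permissions list on the more specific "/environments/*/stats" path denies it, and a second role that still grants GET re-opens it. The matching rules (within one role the most specific matching path wins, "*" matches exactly one path segment, a shorter pattern is a prefix match, and a user's roles are unioned) are an assumption inferred from the replies, not Apigee's documented evaluation order. The organization name "orgname" and the permission lists are constructed from the JSON posted in this thread.

```python
"""Model of how Apigee Edge role permissions combine, as observed in this thread.

ASSUMPTION (inferred from the replies, not Apigee's documented algorithm):
  - within one role, the most specific resource path that matches decides;
  - '*' matches exactly one path segment, a shorter pattern is a prefix match;
  - an empty "permissions" list on the winning pattern denies every verb;
  - a user holding several roles is allowed if ANY of them allows the verb.
"""

# Default permissions of a freshly created custom role, as posted in the
# thread (organization renamed to the constructed "orgname").
DEFAULT_ROLE = [
    {"organization": "orgname", "path": "/environments/*/virtualhosts", "permissions": ["get"]},
    {"organization": "orgname", "path": "/environments", "permissions": ["get"]},
    {"organization": "orgname", "path": "/environments/*/virtualhosts/*", "permissions": ["get"]},
    {"organization": "orgname", "path": "/environments/*", "permissions": ["get"]},
    {"organization": "orgname", "path": "/", "permissions": ["get"]},
]

# The two rules from the accepted answer.
DENY_TEST_STATS = {"organization": "orgname", "path": "/environments/test/stats", "permissions": []}
DENY_ALL_STATS = {"organization": "orgname", "path": "/environments/*/stats", "permissions": []}

# The first suggestion in the thread, which the asker found made no difference.
GRANT_SLASH_STATS = {"organization": "orgname", "path": "/stats", "permissions": ["get"]}


def _segments(path):
    """Split '/environments/test/stats' into ['environments', 'test', 'stats']."""
    return [s for s in path.strip("/").split("/") if s]


def pattern_matches(pattern, path):
    """True if every segment of `pattern` matches the leading segments of `path`."""
    p, q = _segments(pattern), _segments(path)
    if len(p) > len(q):
        return False
    return all(ps == "*" or ps == qs for ps, qs in zip(p, q))


def role_decision(role, org, path, verb):
    """Return (allowed, winning_pattern) for one role under the assumed rules."""
    winner = None
    for perm in role:
        if perm["organization"] != org or not pattern_matches(perm["path"], path):
            continue
        if winner is None or len(_segments(perm["path"])) > len(_segments(winner["path"])):
            winner = perm  # deeper pattern is more specific and takes precedence
    if winner is None:
        return False, None
    allowed = verb.lower() in (v.lower() for v in winner["permissions"])
    return allowed, winner["path"]


def user_allowed(roles, org, path, verb):
    """A user with several roles gets the union of what each role allows."""
    return any(role_decision(role, org, path, verb)[0] for role in roles)


def http_status(allowed):
    """Status the management API would answer with in this model."""
    return "200 OK" if allowed else "403 Forbidden"


if __name__ == "__main__":
    stats = "/environments/test/stats"
    locked = DEFAULT_ROLE + [DENY_ALL_STATS]
    # Default role: GET on "/environments/*" wins and allows the read.
    print(role_decision(DEFAULT_ROLE, "orgname", stats, "GET"))
    # Adding GET on "/stats" changes nothing: that pattern never matches the real path.
    print(role_decision(DEFAULT_ROLE + [GRANT_SLASH_STATS], "orgname", stats, "GET"))
    # Empty permissions on the more specific path deny it -> 403.
    print(role_decision(locked, "orgname", stats, "GET"), http_status(False))
    # Per-environment deny leaves other environments readable.
    print(role_decision(DEFAULT_ROLE + [DENY_TEST_STATS], "orgname", "/environments/prod/stats", "GET"))
    # The caveat from the accepted answer: a second role that still grants GET re-opens it.
    print(user_allowed([locked, DEFAULT_ROLE], "orgname", stats, "GET"))
```

The last call is the case the accepted answer warns about: the deny in the locked role is evaluated per role, so it cannot override a grant coming from any other role the same user holds. When auditing such a user, list the permissions of every role assigned to them, not just the custom one.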

7 REPLIES

Hi @Steven Wolfe

With the custom role - you can set permissions using this API

{
 "path" : "/stats",
 "permissions" : ["get"]
}

Assign this role to the user using UI or using this API

Once this is done, the user will have access only to the /stats API, and only for the GET operation.

To answer your first question, you can check the role's permissions using this API. You can run the API on the new custom role created to check the default permissions.

Please try and let me know if it worked.

Hi @Sai Saran Vaidyanathan - This isn't quite working as expected. Adding the permissions like you suggest does not appear to be impacting my ability to hit the /stats URL. Here's a summary of what I've tried.

1. User Role w/ [Get, Put] Permissions - able to hit /stats api with "GET"

2. User Role w/ [Put] Permissions - able to hit /stats api with "GET"

3. User Role w/o any Permissions - able to hit /stats api with "GET"

It seems like having a user allows you default access to the stats api. Wondering what other access is given by default. This is 4.15.07.03 FYI.

Hi @Steven Wolfe

You can check the permissions for a given role using this API. It looks like there is a GET permission on the "/" path by default. This is probably the reason why it's working. We cannot remove this, as it could impact other permissions under the "/" context.

Let me get back to you if I get any work around.

Just curious to know why you would want to lock other operations? By default it only has GET access:

{
  "resourcePermission": [
    {
      "organization": "saisarantest",
      "path": "/environments/*/virtualhosts",
      "permissions": [
        "get"
      ]
    },
    {
      "organization": "saisarantest",
      "path": "/environments",
      "permissions": [
        "get"
      ]
    },
    {
      "organization": "saisarantest",
      "path": "/environments/*/virtualhosts/*",
      "permissions": [
        "get"
      ]
    },
    {
      "organization": "saisarantest",
      "path": "/environments/*",
      "permissions": [
        "get"
      ]
    },
    {
      "organization": "saisarantest",
      "path": "/",
      "permissions": [
        "get"
      ]
    }
  ]
}

Hi @Steven Wolfe

Please look at the answer suggested by @swilliams. You can remove the GET permission for "/environments/*/stats" by using this API


Thanks @swilliams

I overlooked the permissions on /environments/* that come by default. It worked.

Thanks - This worked perfectly. I actually created a new custom role and used your examples to limit that role to only the api required.