How to dynamically update key value map entries in proxy flow

Hi,

We have a use case wherein we have a backend that would be exposed to external clients through Apigee. For application-level authentication for a given app we intend to use an API key; there are multiple users inside each app. Each user gets an exclusive session id from the backend when he logs in. The session management is done by the backend. We intend to use this session id to implement quotas for a given user. The approach we are looking into for implementing this is as follows:

1. When a user tries to use the login endpoint we would do the following

a. Do an APIKEY authentication for application level access, if authenticated pass on the request to backend

b. The backend responds with a session id, which we want to extract at Apigee and associate with the app using the key value map, wherein an app is represented by a key and the values are all the session ids active at a given time

2. When a user tries to use the logout endpoint we would do the following

a. Do an APIKEY authentication for application level access, if authenticated pass on the request to backend

b. The backend invalidates the session and hence the session id becomes invalid. Apigee removes the session id value from its KVM

3. When a user tries to use any other endpoint (apart from login and logout) which points to the same backend

a. Do an APIKEY authentication for application level access

b. If authenticated implement quotas against the session id present in incoming request, which already has an entry in KVM from step 1 (this would help us prevent abuse)

c. If quota limit has not been reached pass on the request to the backend

The above steps would involve dynamic updates on the KVM. How do we dynamically update/delete the set of values associated with a given key in the proxy flow? Is this doable? Is there a better solution?

Thanks,

Vednath

4 REPLIES

You can use the PUT and DELETE operations in the KVM policy as documented here: http://docs.apigee.com/api-services/reference/key-value-map-operations-policy

You should consider using the PopulateCache policy instead of the KVM to cache the apikey-sessionId entries. Using the cache is more performant than the KVM with a large number of entries. It's also possible to set the TTL on the cache entry so you can match it to the session timeout, so the entry is automatically evicted upon session expiry.

More details on using the PopulateCache policy are here: http://docs.apigee.com/api-services/reference/populate-cache-policy

@hmiranda@apigee.com I understand that KVM could be leveraged in this case, and I want to, but the issue I have with KVM is described below.

If request 1 comes in with apikey1 and session_id1, it updates the KVM with key = value of apikey1, value = value of session_id1

If request 2 comes in with apikey1 and session_id2, it updates the KVM with key = value of apikey1, value = value of session_id2

What I want is:

If request 2 comes in with apikey1 and session_id2, it updates the KVM with key = value of apikey1, value to be updated as = value of session_id2, value of session_id1

unless I have performed a delete operation to remove the value of session_id1 (which is what I intend to do only when the user accesses a logout endpoint).

Let me know if you need further information on this.

Thanks,

Vednath

You might want to consider constructing a dynamic composite key using: value of apikey+'_'+value of session_id, with a 1 as the entry value. This will be easier to manage while creating sessions and logging out sessions using TTL. Using cache instead of KVM is recommended as it performs better, and also since the number of entries will grow as you have more sessions.

@Hansel Miranda Thanks Miranda, this approach worked. I will work on the cache approach too.
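The composite-key cache approach suggested in the replies, sketched as Apigee policies; this is an added example, not configuration posted by anyone in the thread. The policy names, the `session-cache` resource, the `extracted.session_id` and `known.session_id` flow variables, the TTL and the quota limits are assumptions, and the entry stores the session id rather than `1` so the lookup result can feed the Quota identifier.

```xml
<!-- Added example: four separate policy files, shown together. Assumptions:
     Verify-API-Key is the name of the VerifyAPIKey policy, extracted.session_id
     is a flow variable set by an ExtractVariables policy (hypothetical name),
     session-cache is a cache resource, and 1800 s is a placeholder TTL. -->

<!-- Login response flow: record apikey + session id as one cache key -->
<PopulateCache name="PC-Store-Session">
  <CacheResource>session-cache</CacheResource>
  <Scope>Exclusive</Scope>
  <CacheKey>
    <KeyFragment ref="verifyapikey.Verify-API-Key.client_id"/>
    <KeyFragment ref="extracted.session_id"/>
  </CacheKey>
  <ExpirySettings>
    <TimeoutInSec>1800</TimeoutInSec> <!-- match the backend session timeout -->
  </ExpirySettings>
  <Source>extracted.session_id</Source>
</PopulateCache>

<!-- Other endpoints, request flow: look the session up before applying quota -->
<LookupCache name="LC-Find-Session">
  <CacheResource>session-cache</CacheResource>
  <Scope>Exclusive</Scope>
  <CacheKey>
    <KeyFragment ref="verifyapikey.Verify-API-Key.client_id"/>
    <KeyFragment ref="extracted.session_id"/>
  </CacheKey>
  <AssignTo>known.session_id</AssignTo>
</LookupCache>

<!-- Quota counted per session (limit values are placeholders) -->
<Quota name="Q-Per-Session">
  <Identifier ref="known.session_id"/>
  <Allow count="100"/>
  <Interval>1</Interval>
  <TimeUnit>minute</TimeUnit>
</Quota>

<!-- Logout flow: drop the entry for this apikey + session id only -->
<InvalidateCache name="IC-Drop-Session">
  <CacheResource>session-cache</CacheResource>
  <Scope>Exclusive</Scope>
  <CacheKey>
    <KeyFragment ref="verifyapikey.Verify-API-Key.client_id"/>
    <KeyFragment ref="extracted.session_id"/>
  </CacheKey>
</InvalidateCache>
```

Because each session is its own entry, a second login under the same API key adds a key instead of overwriting the first. Reject the request before the Quota step when `lookupcache.LC-Find-Session.cachehit` is false, so a session id that was never issued at login does not get a fresh quota counter.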