Custom Role Permissions for Deployment


I need to create a custom role to Download an existing API, Upload a revision of the existing API, and Deploy the new revision. The role needs limited scope and cannot be an org admin. I tried using the operations admin but that cannot upload new revisions.

Even with excessive permissions I can't upload files using the API (though I can update using the UI). Here are my permissions:

{
  "organization": "sandbox",
  "path": "/environments/sandbox/*",
  "permissions": ["put", "get"]
}, {
  "organization": "sandbox",
  "path": "/applications/HelloWorld/*",
  "permissions": ["put", "get"]
}, {
  "organization": "sandbox",
  "path": "/applications/*",
  "permissions": ["put", "get"]
}, {
  "organization": "sandbox",
  "path": "/environment/*",
  "permissions": ["put", "get"]
}

Here's the curl command to upload the zip:

curl -X POST -u 'user@gmail.com' -F 'file=@HelloWorld.v333.zip' 'https://api.enterprise.apigee.com/v1/o/costco-sandbox/apis?action=import&name=HelloWorld' --insecure -i

I get this response: HTTP/1.1 403 Forbidden

4 REPLIES

OK, you want to upload a revision of an API Proxy.

Here's how I do it.

curl -X POST "${mgmtserver}/v1/o/$org/apis?action=import&name=$proxyname" -T $zipname -H "Content-Type: application/octet-stream"

I see a couple problems with the curl command you are using.

  1. The curl form you are sending results in a content-type of "multipart/form-data", which is not supported by that API, as far as I know. You want application/octet-stream. But this is not the source of the 403. When I try sending "multipart/form-data", I get a 400 Bad Request (as expected).
  2. The 403 indicates you are not authorized. There are a couple reasons this might happen:
    1. You have given a mismatched set of credentials,
    2. The role for that user is not permitted according to RBAC,
    3. or your org is enabled for SSO Zone authentication and multi-factor authn, in which case you need to use a token to post to that endpoint. For more info on using tokens with the Apigee Admin API, see this link.

A bit more.... The title text on your question says you want to "Deploy". But the API you are using is for IMPORT. Those are two separate actions, in Apigee Edge. I think a permission like this governs import:

{
  "path": "/applications",
  "permissions": ["put", "get"]
},

...while a permission like this governs deployment of the API in an environment:

{
 "path" : "/environments/test/applications/*/revisions/*/deployments",
 "permissions" : [ "get", "put", "delete" ]
}

Thanks Dino.

My initial curl command works (with an Org Admin user). But I switched to yours. That also works with the Org Admin User but not with the Non-Org Admin user. I suspect the problem is that the user is not permitted according to RBAC. Do you know what permissions I'd use to enable the user to do the upload? I set these permissions:

{
  "organization": "sandbox",
  "path": "/applications/*",
  "permissions": ["get", "put"]
}, {
  "organization": "sandbox",
  "path": "/environment/*",
  "permissions": ["get", "put"]
}

Setting those let me make the update with the Non-Org Admin user in the web UI but still not via the API.

Hmm, can you try

{
  "path": "/applications",
  "permissions": ["put", "get"]
},

...rather than

{
  "path": "/applications/*",
  "permissions": ["put", "get"]
},


That worked. Thanks Dino.
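
The distinction that resolved this thread, as an added example that is not part of any post above: a small pre-flight check that tests a role's permission entries against the import and deploy resources named in the replies. The matching rule (`*` covers exactly one path segment) is an assumption chosen to agree with the behaviour reported here, and the function names and revision number are constructed for illustration.

```python
# Added example (not from the thread). Roles are lists of the permission
# entries shown above; the matching rule below is an assumption.

def segment_match(pattern, resource):
    """Assumed rule: '*' stands for exactly one path segment."""
    p = pattern.strip("/").split("/")
    r = resource.strip("/").split("/")
    return len(p) == len(r) and all(a in ("*", b) for a, b in zip(p, r))

def granting_entries(role, resource, verb):
    """Return the paths of entries that grant `verb` on `resource`."""
    return [e["path"] for e in role
            if verb in e["permissions"] and segment_match(e["path"], resource)]

def audit(role, env, proxy, revision):
    """Check the two actions the replies distinguish: import and deploy."""
    needs = {
        # Import posts to the proxy collection itself, not to a child of it.
        "import": ("/applications", "put"),
        "deploy": (f"/environments/{env}/applications/{proxy}"
                   f"/revisions/{revision}/deployments", "put"),
    }
    return {op: bool(granting_entries(role, res, verb))
            for op, (res, verb) in needs.items()}

# Entries from the question (the "organization" key is omitted here).
QUESTION_ROLE = [
    {"path": "/environments/sandbox/*", "permissions": ["put", "get"]},
    {"path": "/applications/HelloWorld/*", "permissions": ["put", "get"]},
    {"path": "/applications/*", "permissions": ["put", "get"]},
    {"path": "/environment/*", "permissions": ["put", "get"]},
]
# The two entries suggested in the first reply.
SUGGESTED_ROLE = [
    {"path": "/applications", "permissions": ["put", "get"]},
    {"path": "/environments/test/applications/*/revisions/*/deployments",
     "permissions": ["get", "put", "delete"]},
]

if __name__ == "__main__":
    # Revision "333" is a constructed value taken from the zip file name.
    print(audit(QUESTION_ROLE, "sandbox", "HelloWorld", "333"))
    print(audit(SUGGESTED_ROLE, "test", "HelloWorld", "333"))
```

Only the import result for the question's role is confirmed by the thread; the deploy result for that role depends on the assumed single-segment rule.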