API Product to mandate addition of at least one proxy

Hi,

As per this document, https://docs.apigee.com/api-platform/publish/create-api-products

there is a warning saying that if you don't select an API proxy, any app associated with the product can make calls to any API in your entire organization.

Is there a way to mandate addition of at least one proxy to the product, so that if anybody forgets to add a proxy to the product it does not expose all the APIs? If not, what is the best way to prevent this?

1 ACCEPTED SOLUTION

As this is a situation that can bite you unexpectedly (this is the "skeleton key" mentioned by @wwitman in his excellent article here) -- it would be awesome to at least see a warning on the API Product page that warned when this condition exists. Silent superuser privilege seems dangerous...



sidd-harth

Hi @GargiTalukdar, AFAIK there is no mandate which adds at least one proxy to a product.

Maybe you can use RBAC, and assign the Product Create Role to only selected people and control the process.

https://docs.apigee.com/api-platform/system-administration/understanding-roles#whatareroles

@Siddharth Barahalikar: Creating a role is one option that we are looking into, but it would be better to have this check as part of product creation in order to avoid the risk of exposing all APIs by mistake.

@Mike Dunker: Thanks for pointing me to the article. But yes, the feature (a product with no resource and no proxy) seems to be a little dangerous, and at least a warning will help to avoid this when done by mistake.
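An added example, not part of the original thread or of Apigee's tooling: since the platform has no built-in mandate, a check like the one below can run in a CI job or scheduled audit to flag products that have no proxy, and to reject such a product definition before it is created. It assumes the product JSON carries `proxies` and `apiResources` arrays as in the Apigee Edge API product listing fetched with `expand=true`; the product names and sample data are constructed.

```python
import json

# Constructed sample, shaped like the assumed response of
# GET /v1/organizations/{org}/apiproducts?expand=true
SAMPLE_LISTING = json.loads("""
{"apiProduct": [
  {"name": "payments-prod", "proxies": ["payments-v1"], "apiResources": ["/charges/**"]},
  {"name": "partner-trial", "proxies": [], "apiResources": []},
  {"name": "internal-tools", "proxies": [], "apiResources": ["/reports"]},
  {"name": "legacy-bundle"}
]}
""")

NO_PROXY = "no API proxy selected"
NO_RESOURCE = "no resource path selected"


def product_findings(product):
    """Return the reasons a product definition is unscoped (empty list = OK)."""
    findings = []
    # A missing key is treated the same as an empty list.
    if not product.get("proxies"):
        findings.append(NO_PROXY)
    if not product.get("apiResources"):
        findings.append(NO_RESOURCE)
    return findings


def audit(listing):
    """Map product name -> findings for every existing product without a proxy."""
    report = {}
    for product in listing.get("apiProduct", []):
        findings = product_findings(product)
        if NO_PROXY in findings:
            report[product.get("name", "<unnamed>")] = findings
    return report


def gate(payload):
    """Pre-creation check: raise instead of letting a proxy-less product through."""
    findings = product_findings(payload)
    if NO_PROXY in findings:
        raise ValueError(f"{payload.get('name')}: {', '.join(findings)}")
    return payload


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_LISTING).items():
        print(f"{name}: {', '.join(findings)}")
```

Products that report both findings are the "no resource and no proxy" case discussed in the thread and are the ones to review first.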