Stats API always returning a 401 error

Dear community,

I am new to Apigee so please be patient if I ask too many silly questions. 😉

Here is my issue: I am trying to call the stats API to list some metrics produced by Apigee out of the box; however, no matter what profile I assign to the user, I always get a 401 Unauthorized error returned.

This is what the URL I am calling looks like:

https://api.enterprise.apigee.com/v1/o/my-org/environments/test/stats/apis?select=avg(response_size)...

The user I am using has all of the existing roles in the organization, including:

"Organization Administrator", which has the following rights:

| Resource | Path | Permissions |
|---|---|---|
| Organization resource | / | GET PUT DELETE |
| /apimonitoring | /apimonitoring | GET PUT DELETE |

and "Operations Administrator" with:

| Resource | Path | Permissions |
|---|---|---|
| Organization resource | / | GET |
| /apimodels | /apimodels | |
| /apimodels/* | /apimodels/* | |
| /apimonitoring | /apimonitoring | GET PUT DELETE |
| Products | /apiproducts | GET |
| API Proxies | /applications | GET |
| Deploy API to any environment (deprecated path) | /applications/*/revisions/*/deployments | GET PUT DELETE |
| Developer Apps | /apps | GET |
| Analytics Custom Reports | /axCustomReports | GET |
| Companies | /companies | GET |
| Deployments | /deployments | GET |
| Developers | /developers | GET |
| Analytics DB Schema | /environments/*/analytics/admin | GET |
| /environments/*/apipattern | /environments/*/apipattern | GET PUT DELETE |
| Trace in any environment | /environments/*/applications/*/revisions/*/debugsessions | |
| Deploy API to any environment | /environments/*/applications/*/revisions/*/deployments | GET PUT DELETE |
| /environments/*/keyvaluemaps | /environments/*/keyvaluemaps | |
| Analytics Data | /environments/*/stats | GET |
| /keyvaluemaps | /keyvaluemaps | GET |
| Reports | /reports | GET |
| UserRoles resource at organization level | /userroles | |
| User's Own Permissions | /userroles/*/permissions | GET |


What am I missing?

Thanks a lot in advance for your help and kind regards,

CGR


Can you call other administrative APIs?

What if you try

GET https://api.enterprise.apigee.com/v1/o/my-org

...passing the same credential (user credentials or token). What do you see?

Hi,

Being assigned to any customized role, you could be able to get a 200 response but with "No data in the response", provided that the credentials supplied are correct.

Sample call for a user whose role is a customized one, for the above case:

https://api.enterprise.apigee.com/v1/organizations/ORGNAME/environments/test/stats/apiproxy,target_r... eq 'abc proxy')

You could easily perform those operations if you are an org admin. I would like you to check the following:

  1. Check whether any spaces are left in your credentials, i.e. a space at the end or beginning. It leads to issues like 401.
  2. Check whether you can perform basic operations with the management APIs, like fetching the APIs in an org as shown below:
      curl -X GET \
      https://api.enterprise.apigee.com/v1/o/ORGNAME/apis \
      -H 'Authorization: Basic <>' \
      -H 'Content-Type: application/json' \
      -H 'cache-control: no-cache'
    
  3. Check the permissions for the role:
      curl -X GET \
      'https://api.enterprise.apigee.com/v1/o/ORGNAME/userroles/<ROLE>/permissions' \
      -H 'Authorization: Basic <>' \
      -H 'Content-Type: application/json' \
      -H 'cache-control: no-cache'

Let us know if you are still not able to find the fix. Thanks and regards,

Mani

Dear Manikanta,

Thanks for your answer. Please refer to my answer to Dino's previous comment. I guess I found the root cause of my login issues. Let's see what he says and whether I manage to log in using token-based auth.

Regards

Hi Dino,

Thanks a lot for your prompt answer.

I've just tried the call you suggested and I am still getting a 401 error. Additionally, I recreated the same user configuration on my "personal" Apigee Edge and it worked like a charm: 200 error code returned with data in the response, etc.

This confirms there is a particularity with the way the authentication / authorization is setup in "my-org" (the one we use at work).

In this sense, there is an important detail to take into account that I failed to mention in my original post: in "my-org", by default, there is a certificate-based SAML login enabled to access the Apigee Edge UI. However, in order to call the stats API, as suggested by our Apigee admin, I created a "service account" to be able to use basic auth with login and password in Postman (my REST client).

I just found this article

https://docs.apigee.com/api-platform/system-administration/using-saml

which I think explains the way I should proceed (using a token and not credentials as you mention in your comment), correct?

I guess this confirms that if SAML is enabled, this is for the Apigee UI but also for the Apigee Management API within the same organization, which makes sense (in our org it is not the case, as REST endpoints are out of scope of SAML even if they share the domain name with an SSO-enabled UI).

Am I right?

Thanks a lot again for your help!

CGR

You are correct! You must obtain a token if you use a SAML-enabled org and a service account.
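
The token-based flow the thread settles on, as an added example (not code from any poster or from Apigee): exchange the service account's credentials for an OAuth2 token at the zone's login endpoint, then call the stats API with a Bearer header, rejecting the stray-whitespace credentials mentioned in the checklist above. The zone name, the `{zone}.login.apigee.com/oauth/token` endpoint and the `edgecli` client credential are assumptions drawn from Apigee's SAML documentation and should be confirmed against the linked article; it also assumes the service account is what those docs call a machine user, and all function names are hypothetical.

```python
import base64
import json
import urllib.parse
import urllib.request

# Public client credential for the token endpoint (assumption: as given in
# Apigee's SAML documentation; confirm against the linked article).
CLIENT_BASIC = base64.b64encode(b"edgecli:edgeclisecret").decode()


def check_credential(value, name):
    """Reject leading/trailing whitespace, a common cause of a 401."""
    if value != value.strip():
        raise ValueError(f"{name} has leading or trailing whitespace")
    return value


def token_request(zone, username, password):
    """Build the POST that trades service-account credentials for a token."""
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "username": check_credential(username, "username"),
        "password": check_credential(password, "password"),
    }).encode()
    return urllib.request.Request(
        f"https://{zone}.login.apigee.com/oauth/token",  # zone: placeholder
        data=body, method="POST",
        headers={"Authorization": f"Basic {CLIENT_BASIC}",
                 "Content-Type": "application/x-www-form-urlencoded;charset=utf-8",
                 "Accept": "application/json;charset=utf-8"})


def stats_request(org, env, access_token, params):
    """Build the stats call with a Bearer token instead of Basic auth."""
    # The caller supplies the query; the thread's URL is cut off after select=.
    url = (f"https://api.enterprise.apigee.com/v1/o/{org}"
           f"/environments/{env}/stats/apis?{urllib.parse.urlencode(params)}")
    return urllib.request.Request(
        url, headers={"Authorization": f"Bearer {access_token}"})


def fetch_stats(zone, org, env, username, password, params):
    """Run both steps against the live service and return the parsed JSON."""
    with urllib.request.urlopen(token_request(zone, username, password)) as r:
        token = json.load(r)["access_token"]
    with urllib.request.urlopen(stats_request(org, env, token, params)) as r:
        return json.load(r)
```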