tyk-operator
[TT-3690] API Ownership
Expected Behavior
I want to be able to add API ownership to my API definitions.
Here's the JSON in my API definition:
    "user_group_owners": [
        "6010369dd6cd2b0001bb7ddb",
        "60103741d6cd2b0001e38435"
    ],
    "user_owners": []
In the UI:

Potential BDD Test Coverage
Feature: <summary of feature>
As a developer belonging to a team
I want to add API Ownership of my team to an API definition
So that teams cannot edit my API
Scenario: <summary of a scenario within this feature>
Given an API Definition
When I add API Ownership to my API
Then I want to get API ownership to my API
Sorry if I'm being dumb, but isn't the point of the operator that IT is the API owner and RBAC is then pushed into the Kubernetes space by namespace access etc.?
You still may need RBAC for the dashboard: analytics, developers, etc. K8s handles only configurations.
Sorry if I'm being dumb, but isn't the point of the operator that IT is the API owner and RBAC is then pushed into the Kubernetes space by namespace access etc.?
Yes, but @buger is spot on, k8s RBAC is only half the picture:
As a developer belonging to a dev team
I want to add API Ownership of my team to an API definition
So that other teams cannot edit my API
Great thanks for the clarification both!
This feels like it might be quite a big task.
How would we declaratively be able to set the group id in the API Definition? Would this scale across different environments / installations?
If not, would we need to create UserGroup CRDs and user CRDs in K8s also?
The main problem here is that ownership info is not part of the api definition. It's the dashboard API that uses and updates the ownership info.
API ownership support requires the dashboard.DashboardApi struct to change as follows:
    type DashboardApi struct {
        CreatedAt       string                  `json:"created_at,omitempty"`
        ApiDefinition   model.APIDefinitionSpec `json:"api_definition"`
        UserOwners      []string                `json:"user_owners,omitempty"`
        UserGroupOwners []string                `json:"user_group_owners,omitempty"`
    }
Since the ApiDefinition.spec doesn't include ownership info, this should be in a separate CRD.
@asoorm I implemented the api-ownership management using OperatorContext. I added user_owners and user_group_owners to OperatorContext.spec; they're string arrays expecting user/group IDs. I also added two new keys to secret .spec.data: TYK_USER_OWNERS and TYK_USER_GROUP_OWNERS; they're expected to contain comma-separated lists of user/group IDs. Do you mind if I submit a PR?
It is implemented in #483 and is now available with Tyk Operator v0.12.0.
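An added example, not code from tyk-operator or from anyone in this thread: one way to turn the comma-separated TYK_USER_OWNERS / TYK_USER_GROUP_OWNERS values described above into the user_owners and user_group_owners fields of a dashboard payload, rejecting malformed IDs before they reach the access-control fields. The names ownedAPI, parseOwners and buildPayload are hypothetical, and the 24-hex-character ID check is an assumption based on the IDs quoted in the issue.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

var ownerID = regexp.MustCompile(`^[0-9a-f]{24}$`) // assumed format: 24 hex chars, as in the issue

// ownedAPI mirrors the thread's DashboardApi; RawMessage stands in for model.APIDefinitionSpec.
type ownedAPI struct {
	ApiDefinition   json.RawMessage `json:"api_definition"`
	UserOwners      []string        `json:"user_owners,omitempty"`
	UserGroupOwners []string        `json:"user_group_owners,omitempty"`
}

// parseOwners trims entries, drops blanks and duplicates, and rejects malformed IDs,
// so a typo fails loudly instead of silently changing who may edit the API.
func parseOwners(raw string) ([]string, error) {
	seen := map[string]bool{}
	var ids []string
	for _, part := range strings.Split(raw, ",") {
		id := strings.TrimSpace(part)
		if id == "" || seen[id] {
			continue
		}
		if !ownerID.MatchString(id) {
			return nil, fmt.Errorf("invalid owner ID %q", id)
		}
		seen[id] = true
		ids = append(ids, id)
	}
	return ids, nil
}

func buildPayload(apiDef, users, groups string) ([]byte, error) { // hypothetical helper
	u, errU := parseOwners(users)
	g, errG := parseOwners(groups)
	if errU != nil || errG != nil {
		return nil, fmt.Errorf("owners rejected: users=%v groups=%v", errU, errG)
	}
	return json.Marshal(ownedAPI{ApiDefinition: json.RawMessage(apiDef), UserOwners: u, UserGroupOwners: g})
}

func main() { // constructed input; the group IDs are the two quoted in the issue
	out, err := buildPayload(`{"name":"demo"}`, "", "6010369dd6cd2b0001bb7ddb, 60103741d6cd2b0001e38435")
	fmt.Println(string(out), err)
}
```

An empty list is omitted from the JSON entirely, matching the `omitempty` tags in the struct quoted earlier in the thread.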