quads icon indicating copy to clipboard operation
quads copied to clipboard
verified publisher icon redhat-performance

[RFE] Public/Private API Classification After Full Flask Migration

Open sadsfae opened this issue 3 years ago • 0 comments

Summary

This is an RFE for how we want to design our separation of public, private and authenticated API RBAC model after we migrate fully from CherryPy to Flask API endpoints.

Depends on:

  • #86
  • #381

Related RFE

  • #368
  • #98

Details

We'll want to separate our API endpoints (prominent endpoints documented here: https://github.com/redhat-performance/quads/blob/master/docs/quads-api.md ) into a more role-based or purpose-driven separation design for the following reasons below.

Why?

  • Provide basic public API access to tenant automation about their machines
  • Provide web-based API access to endpoints that help build our landing pages, requests, wiki and status pages to illustrate more up-to-date and granular systems, assignment and availability information
  • Protect API endpoints that should be private or local (re-architect them to use localsocket only for example)
  • Extend capabilities in other areas

Design

We want to ensure any local API calls are done against gunicorn listening on localhost as well, skipping the nginx reverse proxy tier while ensuring all public API calls utilize nginx reverse proxy tier and can reap all the benefits that gives us.

As a first pass, here might be some of the API classification we'd want to do:

Open / Public API Calls
  • Almost all of the GET API endpoints, mostly documented here: https://github.com/redhat-performance/quads/blob/master/docs/quads-api.md#api-get-operations
  • MongoDB Host metadata model information: https://github.com/redhat-performance/quads/blob/master/docs/quads-host-metadata-search.md#querying-host-information
  • Reporting API calls: https://github.com/redhat-performance/quads#quads-reporting (perhaps rate-limited?)
Protected / Local API Calls
  • All of the POST API calls, the main ones documented here https://github.com/redhat-performance/quads/blob/master/docs/quads-api.md#api-post-operations
Authenticated / Protected Public API Calls
  • (brainstorm) We might allow a subset of API calls for tenants to interact with their hosts after they receive them, this might require the implementation of #191 first.

sadsfae avatar Mar 04 '22 07:03 sadsfae