[APIM 3.2.1] Inaccurate API List Returned by Gateway REST API in Multi-Gateway Deployments
Description
Hi Team,
While attempting to validate the deployed APIs on a gateway, we used the Gateway REST API endpoint:
curl --location 'https://127.0.0.1:9443/api/am/gateway/v1/apis' \
--header 'Authorization: Basic ***'
However, we observed that this endpoint returns a list of all APIs present in the database, regardless of whether they are deployed on the queried gateway. This behavior is misleading in scenarios where only a subset of APIs is expected to be deployed to each gateway.
Upon analysis, it appears that each gateway maintains an in-memory map of all APIs. The filtering by gateway label is performed only during artifact retrieval, not during the API listing operation. Therefore, the /apis endpoint does not reflect the actual deployed state per gateway.
Concern: This behavior prevents accurate validation of deployed APIs on a per-gateway basis.
It also raises a potential security concern: gateways are storing metadata for APIs not intended to be deployed on them.
Expected Behavior: The /apis endpoint should return only the APIs that are actually deployed on the queried gateway, possibly by considering gateway labels or deployment state.
Suggested Improvement: Introduce filtering at the API listing level to ensure the response reflects only the APIs deployed to the respective gateway.
Steps to Reproduce
1. Deploy a WSO2 API Manager setup with multiple gateways, each configured with a specific gateway label.
2. Deploy a subset of APIs to one of the gateways using labels (e.g., only 2 out of 5 APIs assigned to gateway-label-1).
3. Start the gateway that corresponds to gateway-label-1.
4. Execute the following REST API to list APIs on that gateway:
   curl --location 'https://<gateway-host>:9443/api/am/gateway/v1/apis' \
   --header 'Authorization: Basic <Base64-encoded-credentials>'
5. Observe the response: it contains all APIs, including those not deployed to the queried gateway.
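As an added example (not part of this report and not WSO2's own code), the Python below shows both sides of the issue: the listing-level filter by gateway label that the suggested improvement describes, and a validation check that can be run over the current `/apis` output to list APIs the gateway is holding metadata for without being labelled for it. The JSON shape of the response and the `gatewayLabels` field are assumptions; the sample payload is constructed.

```python
"""Gateway label filtering and per-gateway validation of a /apis listing.

Added example, not WSO2 APIM code. The response shape used here (a "list"
of objects with "name", "version", "context" and "gatewayLabels") is an
assumption made for illustration.
"""
import json
import sys

# Constructed sample payload mirroring the scenario in the report:
# 5 APIs in the database, only 2 of them labelled for gateway-label-1.
SAMPLE_RESPONSE = json.dumps({
    "count": 5,
    "list": [
        {"name": "PizzaShackAPI", "version": "1.0.0", "context": "/pizzashack",
         "gatewayLabels": ["gateway-label-1"]},
        {"name": "OrdersAPI", "version": "2.0.0", "context": "/orders",
         "gatewayLabels": ["gateway-label-1", "gateway-label-2"]},
        {"name": "PaymentsAPI", "version": "1.0.0", "context": "/payments",
         "gatewayLabels": ["gateway-label-2"]},
        {"name": "InventoryAPI", "version": "1.0.0", "context": "/inventory",
         "gatewayLabels": ["gateway-label-2"]},
        {"name": "LegacyAPI", "version": "1.0.0", "context": "/legacy",
         "gatewayLabels": []},
    ],
})


def api_key(api):
    """Identity of an API entry: (name, version)."""
    return (api["name"], api["version"])


def filter_by_gateway_label(response_json, gateway_label):
    """Listing-level filter as proposed in the report: keep only the APIs whose
    labels include the queried gateway, and recompute the count accordingly."""
    data = json.loads(response_json)
    deployed = [api for api in data.get("list", [])
                if gateway_label in api.get("gatewayLabels", [])]
    return {"count": len(deployed), "list": deployed}


def find_unexpected_apis(response_json, gateway_label):
    """Validation check against the current behaviour: return (name, version)
    of every API in the /apis response that is not labelled for this gateway.
    A non-empty result means the gateway holds metadata for APIs that are not
    meant to be deployed on it."""
    data = json.loads(response_json)
    return sorted(api_key(api) for api in data.get("list", [])
                  if gateway_label not in api.get("gatewayLabels", []))


if __name__ == "__main__":
    # Usage: python check_gateway_apis.py <gateway-label> < apis_response.json
    # With no stdin input, the constructed sample above is used.
    label = sys.argv[1] if len(sys.argv) > 1 else "gateway-label-1"
    raw = sys.stdin.read() if not sys.stdin.isatty() else ""
    payload = raw or SAMPLE_RESPONSE
    filtered = filter_by_gateway_label(payload, label)
    print(f"APIs labelled for {label}: {filtered['count']}")
    for name, version in find_unexpected_apis(payload, label):
        print(f"  not labelled for this gateway: {name} {version}")
```

The curl output from step 4 can be piped straight into the script (`curl ... | python check_gateway_apis.py gateway-label-1`) to get the list of APIs that should not appear once filtering is applied at the listing level.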
Version
3.2.1
Environment Details (with versions)
No response