API product access control conflicts with "Apigee Edge API product RBAC" #197
Comments
@arlina-espinoza For edge, enabling RBAC removes the custom access hook so that control is handed over to RBAC. Should we do the same for m10n?

```php
/**
 * Implements hook_module_implements_alter().
 */
function apigee_edge_apiproduct_rbac_module_implements_alter(&$implementations, $hook) {
  if ($hook == 'api_product_access') {
    // Disable API Product access provided by Apigee Edge module when
    // this module is enabled. API product visibility based access control
    // and role based access control provided by this module is incompatible
    // with each other.
    unset($implementations['apigee_edge']);
  }
}
```

This is what m10n is doing right now:

```php
<?php

// Imports the snippet relies on (from the surrounding .module file).
use Drupal\Core\Access\AccessResult;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Implements hook_ENTITY_TYPE_access().
 */
function apigee_m10n_api_product_access(EntityInterface $entity, $operation, AccountInterface $account) {
  // For the assignment operation a product must either be free or purchased.
  if ($operation == 'assign') {
    return \Drupal::service('apigee_m10n.monetization')
      ->apiProductAssignmentAccess($entity, $account);
  }
  // No opinion on other operations.
  return AccessResult::neutral();
}
```
I've been thinking about this, and in the end it seems that it is doing what is correct, and perhaps we should just document that: if monetization is enabled, the "assign" operation (used when adding or updating an API product on an app) should only show API products that a developer is eligible to access, which is what
It would not make sense to have monetization enabled, and then have another module allow apps with API products that a developer has not purchased. If RBAC is also enabled, it might be confusing, because the way access control works is by gathering all the entity access hook results, and:
This could mean some confusing scenarios, like:
Let me know your thoughts @arshad / @cnovak / @arunz6161.
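To make the interaction described in the two comments above concrete, here is an added stand-alone PHP example; it is not code from apigee_edge, apigee_edge_apiproduct_rbac or apigee_m10n. It reimplements the precedence of Drupal's `AccessResult::orIf()` in a small `MiniAccessResult` class, folds hook results together the way `EntityAccessControlHandler::processAccessHookResults()` does, and runs simplified stand-in versions of the three `api_product_access` hooks against constructed products and a constructed developer. The `sim_*` hook bodies, the sample data and the purchase rule in the m10n stand-in are assumptions made for the illustration, not the modules' real logic.

```php
<?php
// Added example, not code from apigee_edge or apigee_m10n: a stand-alone
// simulation of how Drupal folds together the results of every
// hook_ENTITY_TYPE_access() implementation for an api_product entity.
// MiniAccessResult reproduces the precedence of
// \Drupal\Core\Access\AccessResult::orIf(); the sim_* functions are
// simplified stand-ins for the real hooks (assumptions, see comments).

final class MiniAccessResult {
  private string $state;

  private function __construct(string $state) {
    $this->state = $state;
  }

  public static function allowed(): self { return new self('allowed'); }
  public static function forbidden(): self { return new self('forbidden'); }
  public static function neutral(): self { return new self('neutral'); }

  public function isAllowed(): bool { return $this->state === 'allowed'; }
  public function isForbidden(): bool { return $this->state === 'forbidden'; }

  // Same precedence as AccessResult::orIf(): forbidden wins over allowed,
  // allowed wins over neutral. A single forbidden cannot be overridden.
  public function orIf(self $other): self {
    if ($this->isForbidden() || $other->isForbidden()) {
      return self::forbidden();
    }
    if ($this->isAllowed() || $other->isAllowed()) {
      return self::allowed();
    }
    return self::neutral();
  }

  public function __toString(): string { return $this->state; }
}

// Stand-in for the visibility-based check in apigee_edge (assumption: a
// non-public product is forbidden, anything else gets no opinion).
function sim_apigee_edge_api_product_access(array $product, string $op, array $account): MiniAccessResult {
  return $product['public'] ? MiniAccessResult::neutral() : MiniAccessResult::forbidden();
}

// Stand-in for apigee_edge_apiproduct_rbac (assumption: allowed when one of
// the account's roles is configured for the product, otherwise forbidden).
function sim_apigee_edge_apiproduct_rbac_api_product_access(array $product, string $op, array $account): MiniAccessResult {
  $match = array_intersect($account['roles'], $product['rbac_roles']);
  return $match ? MiniAccessResult::allowed() : MiniAccessResult::forbidden();
}

// Stand-in for apigee_m10n_api_product_access() quoted above (assumption:
// for 'assign' a monetized product is allowed only if purchased, otherwise
// forbidden; no opinion on other operations or on non-monetized products).
function sim_apigee_m10n_api_product_access(array $product, string $op, array $account): MiniAccessResult {
  if ($op === 'assign' && $product['monetized']) {
    return in_array($product['id'], $account['purchased'], true)
      ? MiniAccessResult::allowed()
      : MiniAccessResult::forbidden();
  }
  return MiniAccessResult::neutral();
}

// Mirrors EntityAccessControlHandler::processAccessHookResults(): start
// neutral and orIf() every implementation's result onto it.
function combine_hook_results(array $implementations, array $product, string $op, array $account): MiniAccessResult {
  $result = MiniAccessResult::neutral();
  foreach ($implementations as $fn) {
    $result = $result->orIf($fn($product, $op, $account));
  }
  return $result;
}

// Constructed sample data: one developer, three products.
$developer = ['roles' => ['developer'], 'purchased' => ['gold']];
$free   = ['id' => 'free',   'public' => false, 'monetized' => false, 'rbac_roles' => ['developer']];
$silver = ['id' => 'silver', 'public' => false, 'monetized' => true,  'rbac_roles' => ['developer']];
$gold   = ['id' => 'gold',   'public' => false, 'monetized' => true,  'rbac_roles' => ['partner']];

// With and without apigee_edge's own implementation in the hook list.
$withEdgeHook = ['sim_apigee_edge_api_product_access', 'sim_apigee_edge_apiproduct_rbac_api_product_access', 'sim_apigee_m10n_api_product_access'];
$rbacAndM10n  = ['sim_apigee_edge_apiproduct_rbac_api_product_access', 'sim_apigee_m10n_api_product_access'];

$scenarios = [
  'free, assign, apigee_edge hook still registered'   => combine_hook_results($withEdgeHook, $free, 'assign', $developer),
  'free, assign, apigee_edge hook removed by RBAC'    => combine_hook_results($rbacAndM10n, $free, 'assign', $developer),
  'silver (not purchased), view'                      => combine_hook_results($rbacAndM10n, $silver, 'view', $developer),
  'silver (not purchased), assign'                    => combine_hook_results($rbacAndM10n, $silver, 'assign', $developer),
  'gold (purchased, role not in RBAC), assign'        => combine_hook_results($rbacAndM10n, $gold, 'assign', $developer),
];
foreach ($scenarios as $label => $result) {
  printf("%-50s => %s\n", $label, $result);
}
```

Run it with `php`. The first two scenarios show why the RBAC submodule has to unset `apigee_edge`'s implementation: a forbidden from the visibility check can never be overridden by the RBAC allow, so the two are only compatible if one of them is silenced. The last three show the m10n side: "view" stays allowed because the m10n hook is neutral there, an unpurchased product is forbidden for "assign" whatever RBAC says, and a purchased product is still forbidden when the role check in RBAC fails, which is the overlap between the two access-control systems that this thread is about.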
I agree with what @arlina-espinoza said above. If both Let's add this to the documentation (and m10n readme). We can also add a note to the
I agree on monetized API Products. I think what is missing is documentation on how you do RBAC when M10n is enabled. Instead of having access control on the API Product, you instead use the "Audience" on the rate plan to only allow certain developers to purchase a rate plan. However, does the API product RBAC module still work with API Products that are not monetized? I would think that the RBAC module would still allow non-monetized API Products to be configured. Can the API product RBAC module show the monetized API Products disabled in the admin UI, with info saying that API Products that are monetized need to be configured at the rate plan in the Edge UI for access control?
Need to discuss this in deep dive - 08/10
Need to discuss this in deep dive - 08/24
After discussing with @arlina-espinoza, we realized that we have two different access control systems: 1) the RBAC submodule in Apigee Edge, or the simple access control using audience in Apigee Edge, and 2) access control for API products which are monetized. For API products which are monetized, access control is configured when you set up the rate plan. Our approach will be:

@cnovak @arlina-espinoza Are we going to break this down into smaller tickets/how do we proceed?
@arlina-espinoza @arshad We can just break this down into three tickets as listed above, or do we need more than that?
Describe the bug
Enabling monetization disables the API product entity access control provided by the `apigee_edge_apiproduct_rbac` module.

To Reproduce
Steps to reproduce the behavior:
1. Enable the `apigee_edge` and `apigee_edge_apiproduct_rbac` modules.
2. Enable `apigee_m10n`.

Expected behavior
Only the API products that the user's roles have access to (as configured on the RBAC settings page) should be displayed.

Version Info
Latest `apigee_edge` 8.x-1.x and `apigee_m10n` 8.x-1.x.