This repository has been archived by the owner on Aug 11, 2022. It is now read-only.

Import API using Org-Admin role #11

Closed
cwiechmann opened this issue Jan 16, 2019 · 4 comments
Labels: enhancement (New feature or request)
Comments

@cwiechmann

Today the tool needs, for certain actions, a user with the Admin-Role.
The request is to make it possible for an Org-Admin user to be used by the tool, to avoid using an Admin user for security and audit reasons.

@cwiechmann cwiechmann added the enhancement New feature or request label Jan 16, 2019
@cwiechmann (Author)

@rathnapandi, I fully understand the requirement and it makes sense, hence I have already discussed this with a colleague some time ago, as the change would be quite challenging.

As you know, in order to replicate the desired state of the API into the API-Manager, the tool needs to perform many actions requiring Admin-Role (like Grant permission, Unpublish, Delete, etc.) anyway.
Hence, adding support for an Org-Admin user will require a second Admin-Role user anyway, which steps in whenever an Admin-Action is required.

To me, adding this second-user approach makes the code quite complex and finally doesn't bring much value. The colleague I discussed this with said using a technical account with Admin-Role is sufficient. Auditing, permission management (checking whether the user is allowed to do this), etc.: all of this can be handled by the CI/CD workflow upfront.

I recommend not implementing this and closing this issue. What are your thoughts on this?

@rchinthakuntla, you are welcome to share your thoughts as well.

@rchinthakuntla

@cwiechmann, I see Rathna's point but I agree with you that adding the org-admin role is not critical at the moment. I think we should focus our efforts on the pending items like supporting API method descriptions and the custom policy plugin. The current custom MAVEN plugin, which leverages the api-manager-promote script, is great but can be a tough sell, especially in Microsoft shops. I see the CLI tool as more powerful and flexible.

Needless to say, I can convince a customer about how they should put governance checks in place to use the tool in a safe fashion using the API administrator role. Supporting the org-admin role would be a PLUS but not a priority at the moment, IMHO.

Thanks
Ravee

@cwiechmann (Author) commented Apr 1, 2019

Based on conversations/feedback I get from colleagues/customers, it looks like many customers have a strong need for Org-Admin support. Hence, I think it is now worth starting to implement a potential solution.

As Swagger-Promote cannot bypass the user-role limitation in API-Manager, it can only provide some kind of workaround.

I'm thinking about the following:

  • if an Org-Admin user is given
  • all possible actions, such as import BE-API, create FE-API, configure FE-API, will be performed with the given Org-Admin user
  • this leads to the fact that the Audit-Log will contain the Org-Admin user and the owner of an API also becomes the Org-Admin
  • whenever it comes to actions such as publishing the API, setting up the Quota, etc., an Admin-Role user is needed, so the tool will fall back to a previously configured Admin-User
  • this Admin-User can be considered a technical user
  • the idea is to have this Admin-User stored in a properties file available to the tool
  • with that, a CI/CD slave could safely store that information (for instance for promotion to production)
  • the program will internally decide ("know") what kind of user to use for a certain action
  • if the "Desired API-State" is unpublished, an Admin-Role user isn't needed, as all actions can be handled by the Org-Admin account

CC: @rchinthakuntla, @rathnapandi
Feedback on this is very welcome.
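Added example (not Swagger-Promote's own code): a small Python model of the two-user fallback sketched in the comment above. The action-to-role mapping and the properties file content are assumptions constructed for the example; it shows that an unpublished desired state needs no Admin user at all, while publish and quota steps fall back to the technical account, and that a missing technical account is refused before anything is changed in API-Manager.

```python
import configparser
from enum import Enum
from typing import Dict, List, Optional


class Role(Enum):
    ORG_ADMIN = "orgadmin"
    ADMIN = "admin"


# Assumed minimum role per replication step; the Admin-only entries follow the
# examples named in the thread (publish, quota, grant permission).
REQUIRED_ROLE = {
    "import_backend_api": Role.ORG_ADMIN,
    "create_frontend_api": Role.ORG_ADMIN,
    "configure_frontend_api": Role.ORG_ADMIN,
    "publish_api": Role.ADMIN,
    "set_quota": Role.ADMIN,
    "grant_permission": Role.ADMIN,
}

# Constructed sample of the properties file that holds the technical Admin user.
SAMPLE_PROPERTIES = "# technical account, used only for Admin-only steps\nadmin.username=tech-admin\n"


def load_admin_from_properties(text: str) -> Optional[str]:
    """Read the technical Admin username from Java-style key=value properties."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string("[props]\n" + text)  # properties files carry no section header
    return parser["props"].get("admin.username")


def plan_actions(desired_state: Dict) -> List[str]:
    """Steps needed to reach the desired API-State; publish and quota only when requested."""
    actions = ["import_backend_api", "create_frontend_api", "configure_frontend_api"]
    if desired_state.get("state") == "published":
        actions.append("publish_api")
    if desired_state.get("quota"):
        actions.append("set_quota")
    return actions


def assign_users(desired_state: Dict, org_admin: str, admin: Optional[str]) -> Dict[str, str]:
    """Map each step to its user: the Org-Admin wherever allowed, the Admin only as fallback."""
    plan = {}
    for action in plan_actions(desired_state):
        if REQUIRED_ROLE[action] is Role.ORG_ADMIN:
            plan[action] = org_admin
        elif admin is None:  # refuse up front rather than failing half-way through the import
            raise PermissionError(f"{action} needs Admin-Role but no technical admin user is configured")
        else:
            plan[action] = admin
    return plan
```

The resulting plan doubles as the audit trail the comment mentions: every step is recorded with the account that will perform it before any call to API-Manager is made.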

@cwiechmann (Author)

Released with version 1.5.0
