Posted to dev@stratos.apache.org by Pradeep Fernando <pr...@gmail.com> on 2013/08/17 15:28:46 UTC

RESTful API for Stratos Controller

Hi All,

I participated in the recent hangout and came to know that command-line
client and stratos controller interact via WS calls. I would like to
propose a RESTful interface to the stratos admin operations.

WDYT? If the community agrees, I would like to implement this
functionality.

 RESTful stratos services<https://docs.google.com/drawings/d/1wcbGjKS9oRtmmSbo1CMJnEZzvuvj_pceaud-pfFl3f0/edit?usp=drive_web>

thanks,
--Pradeep

Re: RESTful API for Stratos Controller

Posted by Isuru Perera <ch...@gmail.com>.
It's a great idea. +1 for implementing REST services.

Stratos Controller UI also interacts with back-end services via WS calls.
We need to change that also. Maybe using direct OSGi service calls (since
both UI and back-end run on the same JVM).

Perhaps you could implement RESTful services first and then do a hangout. I
mean not the whole implementation, but at least when you start on
developing you could identify challenges.

On Sun, Aug 18, 2013 at 8:45 AM, Pradeep Fernando <pr...@gmail.com>wrote:

> Thanks guys.. Please allow me some time to figure out implementation
> challenges and other things. Will update the thread and +1 for a hangout.
>
> thanks,
> --Pradeep
>
>
> On Sun, Aug 18, 2013 at 8:03 AM, Lakmal Warusawithana <la...@wso2.com>wrote:
>
>>
>> On Aug 18, 2013 2:40 AM, "Jason Daly" <ja...@systembind.com> wrote:
>> >
>> > Indeed.  Possibly a hangout to discuss?
>>
>> +1 for hangout to discuss. @pradeep. Shall we list down items and will
>> plan for a hangout.
>>
>> >
>> >
>> >
>> > Jason Daly
>> > VP, Product Development
>> > SystemBind Consulting & IT Services Inc.
>> > 5115 Maingate Drive, Unit #1 | Mississauga | Ontario
>> > Tel: 416.848.0980 x 850
>> > Mobile: 416.388.4070
>> > Toll: 1.877.SYS.BIND
>> > www.systembind.com
>> >
>> >
>> >
>> > From: Imesh Gunaratne [mailto:imesh@wso2.com]
>> > Sent: August-17-13 1:47 PM
>> > To: dev@stratos.incubator.apache.org
>> > Subject: Re: RESTful API for Stratos Controller
>> >
>> >
>> >
>> > +1 A great thought! Maybe it's good to discuss the design of the API
>> before the implementation.
>> >
>> >
>> >
>> > Thanks
>> >
>> >
>> >
>> > On Sat, Aug 17, 2013 at 10:51 PM, Nirmal Fernando <
>> nirmal070125@gmail.com> wrote:
>> >
>> > +1 Pradeep. We should ideally provide REST interfaces for most of our
>> service APIs.
>> >
>> >
>> >
>> > On Sat, Aug 17, 2013 at 6:58 PM, Pradeep Fernando <pr...@gmail.com>
>> wrote:
>> >
>> > Hi All,
>> >
>> >
>> >
>> > I participated in the recent hangout and came to know that command-line
>> client and stratos controller interact via WS calls. I would like to
>> propose a RESTful interface to the stratos admin operations.
>> >
>> >
>> >
>> > WDYT? If the community agrees, I would like to implement this
>> functionality.
>> >
>> >
>> >
>> >  RESTful stratos services
>> >
>> >
>> >
>> >
>> >
>> > thanks,
>> >
>> > --Pradeep
>> >
>> >
>> >
>> > --
>> >
>> > Best Regards,
>> > Nirmal
>> >
>> > C.S.Nirmal J. Fernando
>> > Senior Software Engineer,
>> > WSO2 Inc.
>> >
>> >
>> >
>> > Blog: http://nirmalfdo.blogspot.com/
>> >
>> >
>> >
>> >
>> >
>> > --
>> >
>> > Imesh Gunaratne
>> > Technical Lead
>> > WSO2 Inc | http://wso2.com
>> > Mobile: +94 77 374 2057
>> > Blog: http://imesh.gunaratne.org
>> >
>> > Lean . Enterprise . Middleware
>>
>>
>
>
> --
> Pradeep Fernando.
> http://pradeepfernando.blogspot.com/
>



-- 
Isuru Perera
about.me/chrishantha

Re: RESTful API for Stratos Controller

Posted by Pradeep Fernando <pr...@gmail.com>.
Thanks guys.. Please allow me some time to figure out implementation
challenges and other things. Will update the thread and +1 for a hangout.

thanks,
--Pradeep


On Sun, Aug 18, 2013 at 8:03 AM, Lakmal Warusawithana <la...@wso2.com>wrote:

>
> On Aug 18, 2013 2:40 AM, "Jason Daly" <ja...@systembind.com> wrote:
> >
> > Indeed.  Possibly a hangout to discuss?
>
> +1 for hangout to discuss. @pradeep. Shall we list down items and will
> plan for a hangout.
>
> >
> >
> >
> > Jason Daly
> > VP, Product Development
> > SystemBind Consulting & IT Services Inc.
> > 5115 Maingate Drive, Unit #1 | Mississauga | Ontario
> > Tel: 416.848.0980 x 850
> > Mobile: 416.388.4070
> > Toll: 1.877.SYS.BIND
> > www.systembind.com
> >
> >
> >
> > From: Imesh Gunaratne [mailto:imesh@wso2.com]
> > Sent: August-17-13 1:47 PM
> > To: dev@stratos.incubator.apache.org
> > Subject: Re: RESTful API for Stratos Controller
> >
> >
> >
> > +1 A great thought! Maybe it's good to discuss the design of the API
> before the implementation.
> >
> >
> >
> > Thanks
> >
> >
> >
> > On Sat, Aug 17, 2013 at 10:51 PM, Nirmal Fernando <
> nirmal070125@gmail.com> wrote:
> >
> > +1 Pradeep. We should ideally provide REST interfaces for most of our
> service APIs.
> >
> >
> >
> > On Sat, Aug 17, 2013 at 6:58 PM, Pradeep Fernando <pr...@gmail.com>
> wrote:
> >
> > Hi All,
> >
> >
> >
> > I participated in the recent hangout and came to know that command-line
> client and stratos controller interact via WS calls. I would like to
> propose a RESTful interface to the stratos admin operations.
> >
> >
> >
> > WDYT? If the community agrees, I would like to implement this
> functionality.
> >
> >
> >
> >  RESTful stratos services
> >
> >
> >
> >
> >
> > thanks,
> >
> > --Pradeep
> >
> >
> >
> > --
> >
> > Best Regards,
> > Nirmal
> >
> > C.S.Nirmal J. Fernando
> > Senior Software Engineer,
> > WSO2 Inc.
> >
> >
> >
> > Blog: http://nirmalfdo.blogspot.com/
> >
> >
> >
> >
> >
> > --
> >
> > Imesh Gunaratne
> > Technical Lead
> > WSO2 Inc | http://wso2.com
> > Mobile: +94 77 374 2057
> > Blog: http://imesh.gunaratne.org
> >
> > Lean . Enterprise . Middleware
>
>


-- 
Pradeep Fernando.
http://pradeepfernando.blogspot.com/

RE: RESTful API for Stratos Controller

Posted by Lakmal Warusawithana <la...@wso2.com>.
On Aug 18, 2013 2:40 AM, "Jason Daly" <ja...@systembind.com> wrote:
>
> Indeed.  Possibly a hangout to discuss?

+1 for hangout to discuss. @pradeep. Shall we list down items and will plan
for a hangout.

>
>
>
> Jason Daly
> VP, Product Development
> SystemBind Consulting & IT Services Inc.
> 5115 Maingate Drive, Unit #1 | Mississauga | Ontario
> Tel: 416.848.0980 x 850
> Mobile: 416.388.4070
> Toll: 1.877.SYS.BIND
> www.systembind.com
>
>
>
> From: Imesh Gunaratne [mailto:imesh@wso2.com]
> Sent: August-17-13 1:47 PM
> To: dev@stratos.incubator.apache.org
> Subject: Re: RESTful API for Stratos Controller
>
>
>
> +1 A great thought! Maybe it's good to discuss the design of the API
before the implementation.
>
>
>
> Thanks
>
>
>
> On Sat, Aug 17, 2013 at 10:51 PM, Nirmal Fernando <ni...@gmail.com>
wrote:
>
> +1 Pradeep. We should ideally provide REST interfaces for most of our
service APIs.
>
>
>
> On Sat, Aug 17, 2013 at 6:58 PM, Pradeep Fernando <pr...@gmail.com>
wrote:
>
> Hi All,
>
>
>
> I participated in the recent hangout and came to know that command-line
client and stratos controller interact via WS calls. I would like to
propose a RESTful interface to the stratos admin operations.
>
>
>
> WDYT? If the community agrees, I would like to implement this
functionality.
>
>
>
>  RESTful stratos services
>
>
>
>
>
> thanks,
>
> --Pradeep
>
>
>
> --
>
> Best Regards,
> Nirmal
>
> C.S.Nirmal J. Fernando
> Senior Software Engineer,
> WSO2 Inc.
>
>
>
> Blog: http://nirmalfdo.blogspot.com/
>
>
>
>
>
> --
>
> Imesh Gunaratne
> Technical Lead
> WSO2 Inc | http://wso2.com
> Mobile: +94 77 374 2057
> Blog: http://imesh.gunaratne.org
>
> Lean . Enterprise . Middleware

Re: RESTful API for Stratos Controller

Posted by Imesh Gunaratne <im...@wso2.com>.
+1 A great thought! Maybe it's good to discuss the design of the API
before the implementation.

Thanks


On Sat, Aug 17, 2013 at 10:51 PM, Nirmal Fernando <ni...@gmail.com>wrote:

> +1 Pradeep. We should ideally provide REST interfaces for most of our
> service APIs.
>
>
> On Sat, Aug 17, 2013 at 6:58 PM, Pradeep Fernando <pr...@gmail.com>wrote:
>
>> Hi All,
>>
>> I participated in the recent hangout and came to know that command-line
>> client and stratos controller interact via WS calls. I would like to
>> propose a RESTful interface to the stratos admin operations.
>>
>> WDYT? If the community agrees, I would like to implement this
>> functionality.
>>
>>  RESTful stratos services<https://docs.google.com/drawings/d/1wcbGjKS9oRtmmSbo1CMJnEZzvuvj_pceaud-pfFl3f0/edit?usp=drive_web>
>>
>>
>> thanks,
>> --Pradeep
>>
>
>
>
> --
> Best Regards,
> Nirmal
>
> C.S.Nirmal J. Fernando
> Senior Software Engineer,
> WSO2 Inc.
>
> Blog: http://nirmalfdo.blogspot.com/
>



-- 
*Imesh Gunaratne*
Technical Lead
WSO2 Inc | http://wso2.com
Mobile: +94 77 374 2057
Blog: http://imesh.gunaratne.org

Lean . Enterprise . Middleware

Re: RESTful API for Stratos Controller

Posted by Nirmal Fernando <ni...@gmail.com>.
+1 Pradeep. We should ideally provide REST interfaces for most of our
service APIs.


On Sat, Aug 17, 2013 at 6:58 PM, Pradeep Fernando <pr...@gmail.com>wrote:

> Hi All,
>
> I participated in the recent hangout and came to know that command-line
> client and stratos controller interact via WS calls. I would like to
> propose a RESTful interface to the stratos admin operations.
>
> WDYT? If the community agrees, I would like to implement this
> functionality.
> 
>  RESTful stratos services<https://docs.google.com/drawings/d/1wcbGjKS9oRtmmSbo1CMJnEZzvuvj_pceaud-pfFl3f0/edit?usp=drive_web>
> 
>
> thanks,
> --Pradeep
>



-- 
Best Regards,
Nirmal

C.S.Nirmal J. Fernando
Senior Software Engineer,
WSO2 Inc.

Blog: http://nirmalfdo.blogspot.com/

Re: RESTful API for Stratos Controller

Posted by Nirmal Fernando <ni...@gmail.com>.
Hi Pradeep,

Can you please share a rough outline on what you're going to cover in this
hangout?



On Wed, Sep 11, 2013 at 3:52 PM, Pradeep Fernando <pr...@gmail.com>wrote:

> Hi Devs,
>
> Can someone of you please schedule a hangout for the above topic. :)
>
> Below is the description I came up with,
>
> <description>
> At the moment, the Stratos admin interfaces are tightly coupled to Carbon
> admin services. Hence all the backend interfaces are exposed as
> web-services.  This in turn has encouraged developers to develop stratos
> controller front-ends as Carbon UI components.
>
> IMHO it is possible to develop Stratos backend interfaces as RESTful
> services. The initial proposal is to develop them as a separate JAX-WS
> webapp. But the topic is open for discussion.
>
> This would allow Stratos developers to,
>
> create front-ends (simple web-apps) that make use of restful APIs.
> Commandline tooling can make use of REST APIs as well.
> </description>
>
>
>
> thanks,
> --Pradeep
>
>
>
> On Sun, Aug 18, 2013 at 7:25 PM, Isuru Haththotuwa <is...@wso2.com>wrote:
>
>> On Sat, Aug 17, 2013 at 6:58 PM, Pradeep Fernando <pr...@gmail.com>wrote:
>>
>>> Hi All,
>>>
>>> I participated in the recent hangout and came to know that command-line
>>> client and stratos controller interact via WS calls. I would like to
>>> propose a RESTful interface to the stratos admin operations.
>>>
>>> WDYT? If the community agrees, I would like to implement this
>>> functionality.
>>>
>> +1 for the idea. The team discussed this some time ago (prior to the
>> incubation) but could not do it then due to time constraints.
>>
>>>
>>>  RESTful stratos services<https://docs.google.com/drawings/d/1wcbGjKS9oRtmmSbo1CMJnEZzvuvj_pceaud-pfFl3f0/edit?usp=drive_web>
>>>
>>>
>>> thanks,
>>> --Pradeep
>>>
>>
>>
>>
>> --
>> Thanks and Regards,
>>
>> Isuru H.
>>
>>
>>
>
>
> --
> Pradeep Fernando.
> http://pradeepfernando.blogspot.com/
>



-- 
Best Regards,
Nirmal

C.S.Nirmal J. Fernando
Senior Software Engineer,
WSO2 Inc.

Blog: http://nirmalfdo.blogspot.com/

Re: RESTful API for Stratos Controller

Posted by Lahiru Sandaruwan <la...@wso2.com>.
Commit is ecef467e8e8e1cc0c3633825650a75fc28987710.

Thanks.


On Thu, Oct 24, 2013 at 11:00 AM, Lahiru Sandaruwan <la...@wso2.com>wrote:

> I'll commit the patch.
>
> thanks.
>
>
> On Thu, Oct 24, 2013 at 10:57 AM, Pradeep Fernando <pr...@gmail.com>wrote:
>
>> Hi,
>>
>> gentle reminder..
>>
>> --Pradeep
>>
>>
>> On Tue, Oct 8, 2013 at 11:27 AM, Pradeep Fernando <pr...@gmail.com>wrote:
>>
>>> Appreciate if someone can add my patch to the trunk... I will provide a
>>> patch with @SuperTenantService as a marker interface..
>>>
>>> thanks,
>>> --Pradeep
>>>
>>>
>>> On Mon, Oct 7, 2013 at 1:58 PM, Pradeep Fernando <pr...@gmail.com>wrote:
>>>
>>>> Yes.. I already created a JIRA task to track oauth authenticator
>>>>
>>>> --Pradeep
>>>> sent from my phone
>>>> On Oct 7, 2013 12:03 PM, "Nirmal Fernando" <ni...@gmail.com>
>>>> wrote:
>>>>
>>>>> Pradeep,
>>>>>
>>>>> Thanks for the reply.
>>>>>
>>>>> On Mon, Oct 7, 2013 at 10:42 AM, Pradeep Fernando <pradeepfn@gmail.com
>>>>> > wrote:
>>>>>
>>>>>>
>>>>>> Hi Nirmal,
>>>>>>
>>>>>> Please find answers inline,
>>>>>>
>>>>>> On Sat, Oct 5, 2013 at 10:04 AM, Nirmal Fernando <
>>>>>> nirmal070125@gmail.com> wrote:
>>>>>>
>>>>>>> Hi Pradeep,
>>>>>>>
>>>>>>> Thanks for this contribution. I hope this will provide the basis for
>>>>>>> others to build Stratos REST API.
>>>>>>>
>>>>>>> Few questions inline.
>>>>>>>
>>>>>>> On Fri, Oct 4, 2013 at 10:57 PM, Pradeep Fernando <
>>>>>>> pradeepfn@gmail.com> wrote:
>>>>>>>
>>>>>>>> Hi Devs,
>>>>>>>>
>>>>>>>>
>>>>>>>> I have implemented the above feature and the patch can be
>>>>>>>> found at [1]
>>>>>>>>
>>>>>>>> *How it works*
>>>>>>>>
>>>>>>>> - The web-app to Carbon runtime state exchange happens via OSGi
>>>>>>>> services
>>>>>>>> - The JAX-RS application is using Apache CXF as the REST engine
>>>>>>>> - Authentication and Authorization of incoming requests are handled
>>>>>>>> using two separate JAX-RS providers registered against the service class
>>>>>>>> - Authentication/Authorization is closely integrated to the
>>>>>>>> underlying carbon authentication/authorization framework
>>>>>>>> - I have defined two new annotation classes to capture method level
>>>>>>>> permission details
>>>>>>>>     * @AuthorizationAction("PermissionString") - allows the admin
>>>>>>>> service writer to annotate a certain operation with permission string.
>>>>>>>> Requests get authorized only if the invoking user has enough permissions
>>>>>>>>
>>>>>>>
>>>>>>> Where are these permissions stored? Can you explain how can someone
>>>>>>> compile this string?
>>>>>>>
>>>>>>
>>>>>> This is permission string related to carbon permission model. IIRC,
>>>>>> this is the same string that you use inside services.xml
>>>>>> AuthorizationAction element
>>>>>>
>>>>>>
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>>      * @SuperTenantService (true|false) - only the super-tenant
>>>>>>>> user can access the service
>>>>>>>>
>>>>>>>
>>>>>>> false implies all the tenants including super-tenant can access this
>>>>>>> operation right? If so, can you please consider renaming this annotation?
>>>>>>>
>>>>>>
>>>>>> In the Carbon permission structure, super-tenant is special. Other
>>>>>> way around, that is super-tenant can perform tenant operations is implicit
>>>>>> IMHO. In that sense, when we say, @SuperTenantService(false) it means it is
>>>>>> not a super tenant service. - > any other tenant admin service. I'm ok to
>>>>>> change this annotation, two concerns,
>>>>>>
>>>>>> 1. I used the same jargon that is being used in services.xml.
>>>>>> <SuperTenantService>. Introducing another wording for the same thing might
>>>>>> be confusing.
>>>>>> 2. We don't really use @SuperTenantService(false) annotation. default
>>>>>> is false.
>>>>>>
>>>>>> Maybe we should change this to a marker annotation, ->
>>>>>> @SuperTenantService
>>>>>>
>>>>>
>>>>> +1, makes sense. So, if you want to restrict an operation only for
>>>>> super tenant access, you use @SuperTenantService annotation.
>>>>>
>>>>>>
>>>>>>
>>>>>>>
>>>>>>>> - During the deployment time, the authorization handler gets
>>>>>>>> injected with the service bean. It processes all the authorization related
>>>>>>>> annotations and builds an information model. When a request comes in it
>>>>>>>> verifies the expected permission vs bearing permission.
>>>>>>>>
>>>>>>>> Can you please explain how someone can plug a new authorization
>>>>>>> handler? What classes to extend, what interfaces to implement etc.?
>>>>>>>
>>>>>>
>>>>>> They just have to implement the jaxrs.RequestHandler interface and
>>>>>> declare the bean in the spring config file (cxf-servlet.xml)
>>>>>>
>>>>>> I did not come up with an authentication/authorization abstraction for
>>>>>> Stratos in implementation.
>>>>>>
>>>>>
>>>>> No problem.
>>>>>
>>>>>
>>>>>>  It is too early IMHO. Once we have at least one other
>>>>>> authentication/authorization module we can define the abstraction.
>>>>>>
>>>>>
>>>>> IMO we should go for OAuth2 based authentication/authorization model
>>>>> as soon as possible.
>>>>>
>>>>> We should ideally start building up a wiki page on this too.
>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> *Challenges/Approaches that did not work.*
>>>>>>>>
>>>>>>>> The CXF project provides an AuthorizationFilter called
>>>>>>>> SimpleAuthorizationFilter[2] for JAAS based request authorization. It uses
>>>>>>>> @RolesAllowed annotation to identify authorized users. However it does not
>>>>>>>> suit well for the Carbon authorization system. Hence I came up with my own
>>>>>>>> annotation types, which closely resemble the params used in existing WS admin
>>>>>>>> services.
>>>>>>>>
>>>>>>>>
>>>>>>>> *Authentication mechanism is pluggable *
>>>>>>>>
>>>>>>>>  - Right now there is only one authenticator. It uses basic-auth to
>>>>>>>> authenticate incoming requests. It is possible to plug in other kinds of
>>>>>>>> authenticators.
>>>>>>>>
>>>>>>>> *How to write your new RESTful admin service*
>>>>>>>>
>>>>>>>>     @POST
>>>>>>>>     @Path("/tenant/create")
>>>>>>>>     @Consumes("application/json")
>>>>>>>>     @Produces("application/json")
>>>>>>>>     @AuthorizationAction("/permission/protected/manage/monitor/tenants")
>>>>>>>>     @SuperTenantService(true)
>>>>>>>>     public String addTenant(TenantInfoBean tenantInfoBean) {
>>>>>>>>
>>>>>>>>       return success;
>>>>>>>>     }
>>>>>>>>
>>>>>>>> *Sample Request from CURL*
>>>>>>>>
>>>>>>>>  curl -X POST -H "Content-Type: application/json" \
>>>>>>>>    -d '{"tenantInfo":{"admin":"admin","firstname":"Frank","lastname":"Myers","adminPassword":"admin123","email":"foo@bar.com","tenantDomain":"frank.com"}}' \
>>>>>>>>    -v -u admin:admin https://localhost:9443/stratos/admin/tenant/create
>>>>>>>>
>>>>>>>>
>>>>>>>> *TODO*
>>>>>>>>
>>>>>>>> This is more of the framework for implementing RESTful admin APIs.
>>>>>>>> I have implemented two Operations for the moment. We have to populate the
>>>>>>>> service bean with rest of the API. It's a matter of porting existing code to
>>>>>>>> new service bean. What is more important is, to carefully design REST
>>>>>>>> endpoints.
>>>>>>>>
>>>>>>>> Unlike WS endpoints, we have to be careful with REST endpoint /
>>>>>>>> where the parameter goes in endpoint / HTTP method used / etc. I will spawn
>>>>>>>> a separate thread on the topic.
>>>>>>>>
>>>>>>>> I have applied the patches to the JIRA. Would be great if the code
>>>>>>>> can be committed to the main trunk. :)
>>>>>>>>
>>>>>>>>
>>>>>>>> [1] https://issues.apache.org/jira/browse/STRATOS-90
>>>>>>>> [2] http://cxf.apache.org/docs/secure-jax-rs-services.html
>>>>>>>>
>>>>>>>> thanks,
>>>>>>>>  --Pradeep
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Best Regards,
>>>>>>> Nirmal
>>>>>>>
>>>>>>> C.S.Nirmal J. Fernando
>>>>>>> Senior Software Engineer,
>>>>>>> WSO2 Inc.
>>>>>>>
>>>>>>> Blog: http://nirmalfdo.blogspot.com/
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> thanks,
>>>>>> --Pradeep
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Best Regards,
>>>>> Nirmal
>>>>>
>>>>> C.S.Nirmal J. Fernando
>>>>> Senior Software Engineer,
>>>>> WSO2 Inc.
>>>>>
>>>>> Blog: http://nirmalfdo.blogspot.com/
>>>>>
>>>>
>>>
>>>
>>> --
>>> Pradeep Fernando.
>>> http://pradeepfernando.blogspot.com/
>>>
>>
>>
>>
>> --
>> Pradeep Fernando.
>> http://pradeepfernando.blogspot.com/
>>
>
>
>
> --
> --
> Lahiru Sandaruwan
> Software Engineer,
> Platform Technologies,
> WSO2 Inc., http://wso2.com
> lean.enterprise.middleware
>
> email: lahirus@wso2.com cell: (+94) 773 325 954
> blog: http://lahiruwrites.blogspot.com/
> twitter: http://twitter.com/lahirus
> linked-in: http://lk.linkedin.com/pub/lahiru-sandaruwan/16/153/146
>
>


-- 
--
Lahiru Sandaruwan
Software Engineer,
Platform Technologies,
WSO2 Inc., http://wso2.com
lean.enterprise.middleware

email: lahirus@wso2.com cell: (+94) 773 325 954
blog: http://lahiruwrites.blogspot.com/
twitter: http://twitter.com/lahirus
linked-in: http://lk.linkedin.com/pub/lahiru-sandaruwan/16/153/146
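
Added example (not part of the original thread and not the Stratos code): the scheme quoted in the message above, where the authorization handler reads the service bean's annotations once at deployment and checks each request against that model, written out in self-contained Java. The annotation definitions, the AdminService bean, the Caller type, the second permission string, parent-path permission matching and the denial of unannotated methods are all assumptions of this example.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

public class AnnotationAuthzExample {
    // Stand-ins for the two annotations named in the thread; their definitions are assumed.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface AuthorizationAction { String value(); }

    // Marker form, as agreed later in the thread.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface SuperTenantService { }

    // Constructed service bean. Only addTenant and its permission string come from the thread.
    static class AdminService {
        @AuthorizationAction("/permission/protected/manage/monitor/tenants")
        @SuperTenantService
        public String addTenant(String tenantDomain) { return "created " + tenantDomain; }

        @AuthorizationAction("/permission/admin/manage/example") // constructed value
        public String tenantOperation() { return "ok"; }

        public String forgotAnnotation() { return "no rule recorded for this one"; }
    }

    enum Decision { ALLOW, DENY_NO_RULE, DENY_NOT_SUPER_TENANT, DENY_MISSING_PERMISSION }

    // Constructed caller model: what the authentication provider would hand over.
    static final class Caller {
        final boolean superTenant;
        final Set<String> grants;
        Caller(boolean superTenant, String... grants) {
            this.superTenant = superTenant;
            this.grants = new HashSet<>(Arrays.asList(grants));
        }
    }

    static final class Rule {
        final String permission;
        final boolean superTenantOnly;
        Rule(String p, boolean s) { permission = p; superTenantOnly = s; }
    }

    static final class AuthorizationHandler {
        private final Map<Method, Rule> model = new HashMap<>();

        // Deployment time: read the annotations once and build the model.
        AuthorizationHandler(Class<?> serviceBean) {
            for (Method m : serviceBean.getDeclaredMethods()) {
                AuthorizationAction action = m.getAnnotation(AuthorizationAction.class);
                if (action == null || !Modifier.isPublic(m.getModifiers())) continue;
                model.put(m, new Rule(action.value(),
                        m.isAnnotationPresent(SuperTenantService.class)));
            }
        }

        // Request time: expected permission (from the model) vs. what the caller bears.
        Decision check(Method target, Caller caller) {
            Rule rule = model.get(target);
            if (rule == null) return Decision.DENY_NO_RULE; // fail closed (this example's choice)
            if (rule.superTenantOnly && !caller.superTenant) return Decision.DENY_NOT_SUPER_TENANT;
            for (String grant : caller.grants) {
                if (covers(grant, rule.permission)) return Decision.ALLOW;
            }
            return Decision.DENY_MISSING_PERMISSION;
        }

        // Assumption: a grant on a parent path covers its children. Matching on a "/"
        // boundary keeps ".../mon" from covering ".../monitor/tenants".
        static boolean covers(String grant, String required) {
            String g = grant.endsWith("/") ? grant.substring(0, grant.length() - 1) : grant;
            if (g.isEmpty()) return false; // an empty or bare "/" grant covers nothing here
            return required.equals(g) || required.startsWith(g + "/");
        }
    }

    public static void main(String[] args) throws Exception {
        AuthorizationHandler handler = new AuthorizationHandler(AdminService.class);
        Method addTenant = AdminService.class.getMethod("addTenant", String.class);
        Method tenantOp = AdminService.class.getMethod("tenantOperation");
        Method forgot = AdminService.class.getMethod("forgotAnnotation");
        Caller superAdmin = new Caller(true, "/permission/protected", "/permission/admin");
        Caller tenantAdmin = new Caller(false, "/permission/protected", "/permission/admin");
        Caller lookalike = new Caller(true, "/permission/protected/manage/mon");
        System.out.println("super admin,  addTenant: " + handler.check(addTenant, superAdmin));
        System.out.println("tenant admin, addTenant: " + handler.check(addTenant, tenantAdmin));
        System.out.println("lookalike,    addTenant: " + handler.check(addTenant, lookalike));
        System.out.println("tenant admin, tenantOperation: " + handler.check(tenantOp, tenantAdmin));
        System.out.println("super admin,  forgotAnnotation: " + handler.check(forgot, superAdmin));
    }
}
```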

Re: RESTful API for Stratos Controller

Posted by Lahiru Sandaruwan <la...@wso2.com>.
I'll commit the patch.

thanks.


On Thu, Oct 24, 2013 at 10:57 AM, Pradeep Fernando <pr...@gmail.com>wrote:

> Hi,
>
> gentle reminder..
>
> --Pradeep
>
>
> On Tue, Oct 8, 2013 at 11:27 AM, Pradeep Fernando <pr...@gmail.com>wrote:
>
>> Appreciate if someone can add my patch to the trunk... I will provide a
>> patch with @SuperTenantService as a marker interface..
>>
>> thanks,
>> --Pradeep
>>
>>
>> On Mon, Oct 7, 2013 at 1:58 PM, Pradeep Fernando <pr...@gmail.com>wrote:
>>
>>> Yes.. I already created a JIRA task to track oauth authenticator
>>>
>>> --Pradeep
>>> sent from my phone
>>> On Oct 7, 2013 12:03 PM, "Nirmal Fernando" <ni...@gmail.com>
>>> wrote:
>>>
>>>> Pradeep,
>>>>
>>>> Thanks for the reply.
>>>>
>>>> On Mon, Oct 7, 2013 at 10:42 AM, Pradeep Fernando <pr...@gmail.com>wrote:
>>>>
>>>>>
>>>>> Hi Nirmal,
>>>>>
>>>>> Please find answers inline,
>>>>>
>>>>> On Sat, Oct 5, 2013 at 10:04 AM, Nirmal Fernando <
>>>>> nirmal070125@gmail.com> wrote:
>>>>>
>>>>>> Hi Pradeep,
>>>>>>
>>>>>> Thanks for this contribution. I hope this will provide the basis for
>>>>>> others to build Stratos REST API.
>>>>>>
>>>>>> Few questions inline.
>>>>>>
>>>>>> On Fri, Oct 4, 2013 at 10:57 PM, Pradeep Fernando <
>>>>>> pradeepfn@gmail.com> wrote:
>>>>>>
>>>>>>> Hi Devs,
>>>>>>>
>>>>>>>
>>>>>>> I have implemented the above feature and the patch can be
>>>>>>> found at [1]
>>>>>>>
>>>>>>> *How it works*
>>>>>>>
>>>>>>> - The web-app to Carbon runtime state exchange happens via OSGi
>>>>>>> services
>>>>>>> - The JAX-RS application is using Apache CXF as the REST engine
>>>>>>> - Authentication and Authorization of incoming requests are handled
>>>>>>> using two separate JAX-RS providers registered against the service class
>>>>>>> - Authentication/Authorization is closely integrated to the
>>>>>>> underlying carbon authentication/authorization framework
>>>>>>> - I have defined two new annotation classes to capture method level
>>>>>>> permission details
>>>>>>>     * @AuthorizationAction("PermissionString") - allows the admin
>>>>>>> service writer to annotate a certain operation with permission string.
>>>>>>> Requests get authorized only if the invoking user has enough permissions
>>>>>>>
>>>>>>
>>>>>> Where are these permissions stored? Can you explain how can someone
>>>>>> compile this string?
>>>>>>
>>>>>
>>>>> This is permission string related to carbon permission model. IIRC,
>>>>> this is the same string that you use inside services.xml
>>>>> AuthorizationAction element
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>>>      * @SuperTenantService (true|false) - only the super-tenant
>>>>>>> user can access the service
>>>>>>>
>>>>>>
>>>>>> false implies all the tenants including super-tenant can access this
>>>>>> operation right? If so, can you please consider renaming this annotation?
>>>>>>
>>>>>
>>>>> In the Carbon permission structure, super-tenant is special. Other way
>>>>> around, that is super-tenant can perform tenant operations is implicit
>>>>> IMHO. In that sense, when we say, @SuperTenantService(false) it means it is
>>>>> not a super tenant service. - > any other tenant admin service. I'm ok to
>>>>> change this annotation, two concerns,
>>>>>
>>>>> 1. I used the same jargon that is being used in services.xml.
>>>>> <SuperTenantService>. Introducing another wording for the same thing might
>>>>> be confusing.
>>>>> 2. We don't really use @SuperTenantService(false) annotation. default
>>>>> is false.
>>>>>
>>>>> Maybe we should change this to a marker annotation, ->
>>>>> @SuperTenantService
>>>>>
>>>>
>>>> +1, makes sense. So, if you want to restrict an operation only for
>>>> super tenant access, you use @SuperTenantService annotation.
>>>>
>>>>>
>>>>>
>>>>>>
>>>>>>> - During the deployment time, the authorization handler gets injected
>>>>>>> with the service bean. It processes all the authorization related annotations and
>>>>>>> builds an information model. When a request comes in it verifies the
>>>>>>> expected permission vs bearing permission.
>>>>>>>
>>>>>>> Can you please explain how someone can plug a new authorization
>>>>>> handler? What classes to extend, what interfaces to implement etc.?
>>>>>>
>>>>>
>>>>> They just have to implement the jaxrs.RequestHandler interface and declare
>>>>> the bean in the spring config file (cxf-servlet.xml)
>>>>>
>>>>> I did not come up with an authentication/authorization abstraction for
>>>>> Stratos in implementation.
>>>>>
>>>>
>>>> No problem.
>>>>
>>>>
>>>>>  It is too early IMHO. Once we have at least one other
>>>>> authentication/authorization module we can define the abstraction.
>>>>>
>>>>
>>>> IMO we should go for OAuth2 based authentication/authorization model as
>>>> soon as possible.
>>>>
>>>> We should ideally start building up a wiki page on this too.
>>>>
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>> *Challenges/Approaches that did not work.*
>>>>>>>
>>>>>>> The CXF project provides an AuthorizationFilter called
>>>>>>> SimpleAuthorizationFilter[2] for JAAS based request authorization. It uses
>>>>>>> @RolesAllowed annotation to identify authorized users. However it does not
>>>>>>> suit well for the Carbon authorization system. Hence I came up with my own
>>>>>>> annotation types, which closely resemble the params used in existing WS admin
>>>>>>> services.
>>>>>>>
>>>>>>>
>>>>>>> *Authentication mechanism is pluggable *
>>>>>>>
>>>>>>>  - Right now there is only one authenticator. It uses basic-auth to
>>>>>>> authenticate incoming requests. It is possible to plug in other kinds of
>>>>>>> authenticators.
>>>>>>>
>>>>>>> *How to write your new RESTful admin service*
>>>>>>>
>>>>>>>     @POST
>>>>>>>     @Path("/tenant/create")
>>>>>>>     @Consumes("application/json")
>>>>>>>     @Produces("application/json")
>>>>>>>     @AuthorizationAction("/permission/protected/manage/monitor/tenants")
>>>>>>>     @SuperTenantService(true)
>>>>>>>     public String addTenant(TenantInfoBean tenantInfoBean) {
>>>>>>>
>>>>>>>       return success;
>>>>>>>     }
>>>>>>>
>>>>>>> *Sample Request from CURL*
>>>>>>>
>>>>>>>  curl -X POST -H "Content-Type: application/json" \
>>>>>>>    -d '{"tenantInfo":{"admin":"admin","firstname":"Frank","lastname":"Myers","adminPassword":"admin123","email":"foo@bar.com","tenantDomain":"frank.com"}}' \
>>>>>>>    -v -u admin:admin https://localhost:9443/stratos/admin/tenant/create
>>>>>>>
>>>>>>>
>>>>>>> *TODO*
>>>>>>>
>>>>>>> This is more of the framework for implementing RESTful admin APIs. I
>>>>>>> have implemented two Operations for the moment. We have to populate the
>>>>>>> service bean with rest of the API. It's a matter of porting existing code to
>>>>>>> new service bean. What is more important is, to carefully design REST
>>>>>>> endpoints.
>>>>>>>
>>>>>>> Unlike WS endpoints, we have to be careful with REST endpoint /
>>>>>>> where the parameter goes in endpoint / HTTP method used / etc. I will spawn
>>>>>>> a separate thread on the topic.
>>>>>>>
>>>>>>> I have applied the patches to the JIRA. Would be great if the code
>>>>>>> can be committed to the main trunk. :)
>>>>>>>
>>>>>>>
>>>>>>> [1] https://issues.apache.org/jira/browse/STRATOS-90
>>>>>>> [2] http://cxf.apache.org/docs/secure-jax-rs-services.html
>>>>>>>
>>>>>>> thanks,
>>>>>>>  --Pradeep
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Best Regards,
>>>>>> Nirmal
>>>>>>
>>>>>> C.S.Nirmal J. Fernando
>>>>>> Senior Software Engineer,
>>>>>> WSO2 Inc.
>>>>>>
>>>>>> Blog: http://nirmalfdo.blogspot.com/
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> thanks,
>>>>> --Pradeep
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Best Regards,
>>>> Nirmal
>>>>
>>>> C.S.Nirmal J. Fernando
>>>> Senior Software Engineer,
>>>> WSO2 Inc.
>>>>
>>>> Blog: http://nirmalfdo.blogspot.com/
>>>>
>>>
>>
>>
>> --
>> Pradeep Fernando.
>> http://pradeepfernando.blogspot.com/
>>
>
>
>
> --
> Pradeep Fernando.
> http://pradeepfernando.blogspot.com/
>



-- 
--
Lahiru Sandaruwan
Software Engineer,
Platform Technologies,
WSO2 Inc., http://wso2.com
lean.enterprise.middleware

email: lahirus@wso2.com cell: (+94) 773 325 954
blog: http://lahiruwrites.blogspot.com/
twitter: http://twitter.com/lahirus
linked-in: http://lk.linkedin.com/pub/lahiru-sandaruwan/16/153/146

Re: RESTful API for Stratos Controller

Posted by Pradeep Fernando <pr...@gmail.com>.
Hi,

gentle reminder..

--Pradeep


On Tue, Oct 8, 2013 at 11:27 AM, Pradeep Fernando <pr...@gmail.com>wrote:

> Appreciate if someone can add my patch to the trunk... I will provide a
> patch with @SuperTenantService as a marker interface..
>
> thanks,
> --Pradeep
>
>
> On Mon, Oct 7, 2013 at 1:58 PM, Pradeep Fernando <pr...@gmail.com>wrote:
>
>> Yes.. I already created a JIRA task to track oauth authenticator
>>
>> --Pradeep
>> sent from my phone
>> On Oct 7, 2013 12:03 PM, "Nirmal Fernando" <ni...@gmail.com>
>> wrote:
>>
>>> Pradeep,
>>>
>>> Thanks for the reply.
>>>
>>> On Mon, Oct 7, 2013 at 10:42 AM, Pradeep Fernando <pr...@gmail.com>wrote:
>>>
>>>>
>>>> Hi Nirmal,
>>>>
>>>> Please find answers inline,
>>>>
>>>> On Sat, Oct 5, 2013 at 10:04 AM, Nirmal Fernando <
>>>> nirmal070125@gmail.com> wrote:
>>>>
>>>>> Hi Pradeep,
>>>>>
>>>>> Thanks for this contribution. I hope this will provide the basis for
>>>>> others to build Stratos REST API.
>>>>>
>>>>> Few questions inline.
>>>>>
>>>>> On Fri, Oct 4, 2013 at 10:57 PM, Pradeep Fernando <pradeepfn@gmail.com
>>>>> > wrote:
>>>>>
>>>>>> Hi Devs,
>>>>>>
>>>>>>
>>>>>> I have implemented the above feature and the patch can be
>>>>>> found at [1]
>>>>>>
>>>>>> *How it works*
>>>>>>
>>>>>> - The web-app to Carbon runtime state exchange happens via OSGi
>>>>>> services
>>>>>> - The JAX-RS application is using Apache CXF as the REST engine
>>>>>> - Authentication and Authorization of incoming requests are handled
>>>>>> using two separate JAX-RS providers registered against the service class
>>>>>> - Authentication/Authorization is closely integrated to the
>>>>>> underlying carbon authentication/authorization framework
>>>>>> - I have defined two new annotation classes to capture method level
>>>>>> permission details
>>>>>>     * @AuthorizationAction("PermissionString") - allows the admin
>>>>>> service writer to annotate a certain operation with permission string.
>>>>>> Requests get authorized only if the invoking user has enough permissions
>>>>>>
>>>>>
>>>>> Where are these permissions stored? Can you explain how can someone
>>>>> compile this string?
>>>>>
>>>>
>>>> This is permission string related to carbon permission model. IIRC,
>>>> this is the same string that you use inside services.xml
>>>> AuthorizationAction element
>>>>
>>>>
>>>>
>>>>>
>>>>>
>>>>>>      * @SuperTenantService (true|false) - only the super-tenant user
>>>>>> can access the service
>>>>>>
>>>>>
>>>>> false implies all the tenants including super-tenant can access this
>>>>> operation right? If so, can you please consider renaming this annotation?
>>>>>
>>>>
>>>> In the Carbon permission structure, super-tenant is special. Other way
>>>> around, that is super-tenant can perform tenant operations is implicit
>>>> IMHO. In that sense, when we say, @SuperTenantService(false) it means it is
>>>> not a super tenant service. - > any other tenant admin service. I'm ok to
>>>> change this annotation, two concerns,
>>>>
>>>> 1. I used the same jargon that is being used in services.xml.
>>>> <SuperTenantService>. Introducing another wording for the same thing might
>>>> be confusing.
>>>> 2. We don't really use @SuperTenantService(false) annotation. default
>>>> is false.
>>>>
>>>> Maybe we should change this to a marker annotation, ->
>>>> @SuperTenantService
>>>>
>>>
>>> +1, makes sense. So, if you want to restrict an operation only for super
>>> tenant access, you use @SuperTenantService annotation.
>>>
>>>>
>>>>
>>>>>
>>>>>> - During the deployment time, the authorization handler gets injected
>>>>>> with the service bean. It processes all the authorization related
>>>>>> annotations and builds an information model. When a request comes in it
>>>>>> verifies the expected permission vs bearing permission.
>>>>>>
>>>>>> Can you please explain how someone can plug a new authorization
>>>>> handler? What classes to extend, what interfaces to implement etc.?
>>>>>
>>>>
>>>> They just have to implement jaxrs.RequestHandler interface and declare
>>>> the bean in spring config file (cxf-servlet.xml)
>>>>
>>>> I did not come up with an authentication/authorization abstraction for
>>>> Stratos in implementation.
>>>>
>>>
>>> No problem.
>>>
>>>
>>>>  It is too early IMHO. Once we have at least one other
>>>> authentication/authorization module we can define the abstraction.
>>>>
>>>
>>> IMO we should go for OAuth2 based authentication/authorization model as
>>> soon as possible.
>>>
>>> We should ideally start building up a wiki page on this too.
>>>
>>>>
>>>>
>>>>
>>>>>
>>>>>
>>>>>
>>>>>> *Challenges/Approaches that did not work.*
>>>>>>
>>>>>> CXF project provides an AuthorizationFilter called
>>>>>> SimpleAuthorizationFilter[2] for JAAS based request authorization. It uses
>>>>>> @RolesAllowed annotation to identify authorized users. However it does not
>>>>>> suit well for the Carbon authorization system. Hence I came up with my own
>>>>>> Annotation types, which closely resemble the params used in existing WS
>>>>>> admin services.
>>>>>>
>>>>>>
>>>>>> *Authentication mechanism is pluggable *
>>>>>>
>>>>>>  - Right now there is only one authenticator. It uses basic-auth to
>>>>>> authenticate incoming requests. It is possible to plug in other kinds of
>>>>>> authenticators.
>>>>>>
>>>>>> *How to write your new RESTful admin service*
>>>>>>
>>>>>>     @POST
>>>>>>     @Path("/tenant/create")
>>>>>>     @Consumes("application/json")
>>>>>>     @Produces("application/json")
>>>>>>     @AuthorizationAction("/permission/protected/manage/monitor/tenants")
>>>>>>     @SuperTenantService(true)
>>>>>>     public String addTenant(TenantInfoBean tenantInfoBean) {
>>>>>>
>>>>>>       return success;
>>>>>>     }
>>>>>>
>>>>>> *Sample Request from CURL*
>>>>>>
>>>>>>  curl -X POST -H "Content-Type: application/json" \
>>>>>>    -d '{"tenantInfo":{"admin":"admin","firstname":"Frank","lastname":"Myers","adminPassword":"admin123","email":"foo@bar.com","tenantDomain":"frank.com"}}' \
>>>>>>    -v -u admin:admin https://localhost:9443/stratos/admin/tenant/create
>>>>>>
>>>>>>
>>>>>> *TODO*
>>>>>>
>>>>>> This is more of the framework for implementing RESTful admin APIs. I
>>>>>> have implemented two Operations for the moment. We have to populate the
>>>>>> service bean with rest of the API. It's a matter of porting existing code to
>>>>>> new service bean. What is more important is, to carefully design REST
>>>>>> endpoints.
>>>>>>
>>>>>> Unlike WS endpoints, we have to be careful with REST endpoint / where
>>>>>> the parameter goes in endpoint / HTTP method used / etc. I will spawn a
>>>>>> separate thread on the topic.
>>>>>>
>>>>>> I have applied the patches to the JIRA. Would be great if the code
>>>>>> can be committed to the main trunk. :)
>>>>>>
>>>>>>
>>>>>> [1] https://issues.apache.org/jira/browse/STRATOS-90
>>>>>> [2] http://cxf.apache.org/docs/secure-jax-rs-services.html
>>>>>>
>>>>>> thanks,
>>>>>>  --Pradeep
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Best Regards,
>>>>> Nirmal
>>>>>
>>>>> C.S.Nirmal J. Fernando
>>>>> Senior Software Engineer,
>>>>> WSO2 Inc.
>>>>>
>>>>> Blog: http://nirmalfdo.blogspot.com/
>>>>>
>>>>
>>>>
>>>>
>>>> thanks,
>>>> --Pradeep
>>>>
>>>
>>>
>>>
>>> --
>>> Best Regards,
>>> Nirmal
>>>
>>> C.S.Nirmal J. Fernando
>>> Senior Software Engineer,
>>> WSO2 Inc.
>>>
>>> Blog: http://nirmalfdo.blogspot.com/
>>>
>>
>
>
> --
> Pradeep Fernando.
> http://pradeepfernando.blogspot.com/
>



-- 
Pradeep Fernando.
http://pradeepfernando.blogspot.com/

Re: RESTful API for Stratos Controller

Posted by Pradeep Fernando <pr...@gmail.com>.
Appreciate if someone can add my patch to the trunk... I will provide a
patch with @SuperTenantService as a marker interface..

thanks,
--Pradeep


On Mon, Oct 7, 2013 at 1:58 PM, Pradeep Fernando <pr...@gmail.com>wrote:

> Yes.. I already created a JIRA task to track oauth authenticator
>
> --Pradeep
> sent from my phone
> On Oct 7, 2013 12:03 PM, "Nirmal Fernando" <ni...@gmail.com> wrote:
>
>> Pradeep,
>>
>> Thanks for the reply.
>>
>> On Mon, Oct 7, 2013 at 10:42 AM, Pradeep Fernando <pr...@gmail.com>wrote:
>>
>>>
>>> Hi Nirmal,
>>>
>>> Please find answers inline,
>>>
>>> On Sat, Oct 5, 2013 at 10:04 AM, Nirmal Fernando <nirmal070125@gmail.com
>>> > wrote:
>>>
>>>> Hi Pradeep,
>>>>
>>>> Thanks for this contribution. I hope this will provide the basis for
>>>> others to build Stratos REST API.
>>>>
>>>> Few questions inline.
>>>>
>>>> On Fri, Oct 4, 2013 at 10:57 PM, Pradeep Fernando <pr...@gmail.com>wrote:
>>>>
>>>>> Hi Devs,
>>>>>
>>>>>
>>>>> I came up with an implementation of the above feature and the patch
>>>>> can be found at [1].
>>>>>
>>>>> *How it works*
>>>>>
>>>>> - The web-app to Carbon runtime state exchange happens via OSGi
>>>>> services
>>>>> - The JAX-RS application is using Apache CXF as the REST engine
>>>>> - Authentication and Authorization of incoming requests are handled
>>>>> using two separate JAX-RS providers registered against the service class
>>>>> - Authentication/Authorization is closely integrated to the underlying
>>>>> carbon authentication/authorization framework
>>>>> - I have defined two new annotation classes to capture method level
>>>>> permission details
>>>>>     * @AuthorizationAction("PermissionString") - allows the admin
>>>>> service writer to annotate a certain operation with a permission string.
>>>>> A request gets authorized only if the invoking user has enough permissions
>>>>>
>>>>
>>>> Where are these permissions stored? Can you explain how can someone
>>>> compile this string?
>>>>
>>>
>>> This is permission string related to carbon permission model. IIRC, this
>>> is the same string that you use inside services.xml AuthorizationAction
>>> element
>>>
>>>
>>>
>>>>
>>>>
>>>>>      * @SuperTenantService (true|false) - only the super-tenant user
>>>>> can access the service
>>>>>
>>>>
>>>> false implies all the tenants including super-tenant can access this
>>>> operation right? If so, can you please consider renaming this annotation?
>>>>
>>>
>>> In the Carbon permission structure, super-tenant is special. Other way
>>> around, that is super-tenant can perform tenant operations is implicit
>>> IMHO. In that sense, when we say, @SuperTenantService(false) it means it is
>>> not a super tenant service. - > any other tenant admin service. I'm ok to
>>> change this annotation, two concerns,
>>>
>>> 1. I used the same jargon that is being used in services.xml.
>>> <SuperTenantService>. Introducing another wording for the same thing might
>>> be confusing.
>>> 2. We don't really use @SuperTenantService(false) annotation. default is
>>> false.
>>>
>>> Maybe we should change this to a marker annotation, ->
>>> @SuperTenantService
>>>
>>
>> +1, makes sense. So, if you want to restrict an operation only for super
>> tenant access, you use @SuperTenantService annotation.
>>
>>>
>>>
>>>>
>>>>> - During the deployment time, the authorization handler gets injected
>>>>> with the service bean. It processes all the authorization related
>>>>> annotations and builds an information model. When a request comes in it
>>>>> verifies the expected permission vs bearing permission.
>>>>>
>>>>> Can you please explain how someone can plug a new authorization
>>>> handler? What classes to extend, what interfaces to implement etc.?
>>>>
>>>
>>> They just have to implement jaxrs.RequestHandler interface and declare
>>> the bean in spring config file (cxf-servlet.xml)
>>>
>>> I did not come up with an authentication/authorization abstraction for
>>> Stratos in implementation.
>>>
>>
>> No problem.
>>
>>
>>>  It is too early IMHO. Once we have at least one other
>>> authentication/authorization module we can define the abstraction.
>>>
>>
>> IMO we should go for OAuth2 based authentication/authorization model as
>> soon as possible.
>>
>> We should ideally start building up a wiki page on this too.
>>
>>>
>>>
>>>
>>>>
>>>>
>>>>
>>>>> *Challenges/Approaches that did not work.*
>>>>>
>>>>> CXF project provides an AuthorizationFilter called
>>>>> SimpleAuthorizationFilter[2] for JAAS based request authorization. It uses
>>>>> @RolesAllowed annotation to identify authorized users. However it does not
>>>>> suit well for the Carbon authorization system. Hence I came up with my own
>>>>> Annotation types, which closely resemble the params used in existing WS
>>>>> admin services.
>>>>>
>>>>>
>>>>> *Authentication mechanism is pluggable *
>>>>>
>>>>>  - Right now there is only one authenticator. It uses basic-auth to
>>>>> authenticate incoming requests. It is possible to plug in other kinds of
>>>>> authenticators.
>>>>>
>>>>> *How to write your new RESTful admin service*
>>>>>
>>>>>     @POST
>>>>>     @Path("/tenant/create")
>>>>>     @Consumes("application/json")
>>>>>     @Produces("application/json")
>>>>>     @AuthorizationAction("/permission/protected/manage/monitor/tenants")
>>>>>     @SuperTenantService(true)
>>>>>     public String addTenant(TenantInfoBean tenantInfoBean) {
>>>>>
>>>>>       return success;
>>>>>     }
>>>>>
>>>>> *Sample Request from CURL*
>>>>>
>>>>>  curl -X POST -H "Content-Type: application/json" \
>>>>>    -d '{"tenantInfo":{"admin":"admin","firstname":"Frank","lastname":"Myers","adminPassword":"admin123","email":"foo@bar.com","tenantDomain":"frank.com"}}' \
>>>>>    -v -u admin:admin https://localhost:9443/stratos/admin/tenant/create
>>>>>
>>>>>
>>>>> *TODO*
>>>>>
>>>>> This is more of the framework for implementing RESTful admin APIs. I
>>>>> have implemented two Operations for the moment. We have to populate the
>>>>> service bean with rest of the API. It's a matter of porting existing code to
>>>>> new service bean. What is more important is, to carefully design REST
>>>>> endpoints.
>>>>>
>>>>> Unlike WS endpoints, we have to be careful with REST endpoint / where
>>>>> the parameter goes in endpoint / HTTP method used / etc. I will spawn a
>>>>> separate thread on the topic.
>>>>>
>>>>> I have applied the patches to the JIRA. Would be great if the code can
>>>>> be committed to the main trunk. :)
>>>>>
>>>>>
>>>>> [1] https://issues.apache.org/jira/browse/STRATOS-90
>>>>> [2] http://cxf.apache.org/docs/secure-jax-rs-services.html
>>>>>
>>>>> thanks,
>>>>>  --Pradeep
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Best Regards,
>>>> Nirmal
>>>>
>>>> C.S.Nirmal J. Fernando
>>>> Senior Software Engineer,
>>>> WSO2 Inc.
>>>>
>>>> Blog: http://nirmalfdo.blogspot.com/
>>>>
>>>
>>>
>>>
>>> thanks,
>>> --Pradeep
>>>
>>
>>
>>
>> --
>> Best Regards,
>> Nirmal
>>
>> C.S.Nirmal J. Fernando
>> Senior Software Engineer,
>> WSO2 Inc.
>>
>> Blog: http://nirmalfdo.blogspot.com/
>>
>


-- 
Pradeep Fernando.
http://pradeepfernando.blogspot.com/

Re: RESTful API for Stratos Controller

Posted by Pradeep Fernando <pr...@gmail.com>.
Yes.. I already created a JIRA task to track oauth authenticator

--Pradeep
sent from my phone
On Oct 7, 2013 12:03 PM, "Nirmal Fernando" <ni...@gmail.com> wrote:

> Pradeep,
>
> Thanks for the reply.
>
> On Mon, Oct 7, 2013 at 10:42 AM, Pradeep Fernando <pr...@gmail.com>wrote:
>
>>
>> Hi Nirmal,
>>
>> Please find answers inline,
>>
>> On Sat, Oct 5, 2013 at 10:04 AM, Nirmal Fernando <ni...@gmail.com>wrote:
>>
>>> Hi Pradeep,
>>>
>>> Thanks for this contribution. I hope this will provide the basis for
>>> others to build Stratos REST API.
>>>
>>> Few questions inline.
>>>
>>> On Fri, Oct 4, 2013 at 10:57 PM, Pradeep Fernando <pr...@gmail.com>wrote:
>>>
>>>> Hi Devs,
>>>>
>>>>
>>>> I came up with an implementation of the above feature and the patch can be
>>>> found at [1].
>>>>
>>>> *How it works*
>>>>
>>>> - The web-app to Carbon runtime state exchange happens via OSGi services
>>>> - The JAX-RS application is using Apache CXF as the REST engine
>>>> - Authentication and Authorization of incoming requests are handled
>>>> using two separate JAX-RS providers registered against the service class
>>>> - Authentication/Authorization is closely integrated to the underlying
>>>> carbon authentication/authorization framework
>>>> - I have defined two new annotation classes to capture method level
>>>> permission details
>>>>     * @AuthorizationAction("PermissionString") - allows the admin
>>>> service writer to annotate a certain operation with a permission string.
>>>> A request gets authorized only if the invoking user has enough permissions
>>>>
>>>
>>> Where are these permissions stored? Can you explain how can someone
>>> compile this string?
>>>
>>
>> This is permission string related to carbon permission model. IIRC, this
>> is the same string that you use inside services.xml AuthorizationAction
>> element
>>
>>
>>
>>>
>>>
>>>>      * @SuperTenantService (true|false) - only the super-tenant user
>>>> can access the service
>>>>
>>>
>>> false implies all the tenants including super-tenant can access this
>>> operation right? If so, can you please consider renaming this annotation?
>>>
>>
>> In the Carbon permission structure, super-tenant is special. Other way
>> around, that is super-tenant can perform tenant operations is implicit
>> IMHO. In that sense, when we say, @SuperTenantService(false) it means it is
>> not a super tenant service. - > any other tenant admin service. I'm ok to
>> change this annotation, two concerns,
>>
>> 1. I used the same jargon that is being used in services.xml.
>> <SuperTenantService>. Introducing another wording for the same thing might
>> be confusing.
>> 2. We don't really use @SuperTenantService(false) annotation. default is
>> false.
>>
>> Maybe we should change this to a marker annotation, ->
>> @SuperTenantService
>>
>
> +1, makes sense. So, if you want to restrict an operation only for super
> tenant access, you use @SuperTenantService annotation.
>
>>
>>
>>>
>>>> - During the deployment time, the authorization handler gets injected
>>>> with the service bean. It processes all the authorization related
>>>> annotations and builds an information model. When a request comes in it
>>>> verifies the expected permission vs bearing permission.
>>>>
>>>> Can you please explain how someone can plug a new authorization
>>> handler? What classes to extend, what interfaces to implement etc.?
>>>
>>
>> They just have to implement jaxrs.RequestHandler interface and declare
>> the bean in spring config file (cxf-servlet.xml)
>>
>> I did not come up with an authentication/authorization abstraction for
>> Stratos in implementation.
>>
>
> No problem.
>
>
>>  It is too early IMHO. Once we have at least one other
>> authentication/authorization module we can define the abstraction.
>>
>
> IMO we should go for OAuth2 based authentication/authorization model as
> soon as possible.
>
> We should ideally start building up a wiki page on this too.
>
>>
>>
>>
>>>
>>>
>>>
>>>> *Challenges/Approaches that did not work.*
>>>>
>>>> CXF project provides an AuthorizationFilter called
>>>> SimpleAuthorizationFilter[2] for JAAS based request authorization. It uses
>>>> @RolesAllowed annotation to identify authorized users. However it does not
>>>> suit well for the Carbon authorization system. Hence I came up with my own
>>>> Annotation types, which closely resemble the params used in existing WS
>>>> admin services.
>>>>
>>>>
>>>> *Authentication mechanism is pluggable *
>>>>
>>>>  - Right now there is only one authenticator. It uses basic-auth to
>>>> authenticate incoming requests. It is possible to plug in other kinds of
>>>> authenticators.
>>>>
>>>> *How to write your new RESTful admin service*
>>>>
>>>>     @POST
>>>>     @Path("/tenant/create")
>>>>     @Consumes("application/json")
>>>>     @Produces("application/json")
>>>>     @AuthorizationAction("/permission/protected/manage/monitor/tenants")
>>>>     @SuperTenantService(true)
>>>>     public String addTenant(TenantInfoBean tenantInfoBean) {
>>>>
>>>>       return success;
>>>>     }
>>>>
>>>> *Sample Request from CURL*
>>>>
>>>>  curl -X POST -H "Content-Type: application/json" \
>>>>    -d '{"tenantInfo":{"admin":"admin","firstname":"Frank","lastname":"Myers","adminPassword":"admin123","email":"foo@bar.com","tenantDomain":"frank.com"}}' \
>>>>    -v -u admin:admin https://localhost:9443/stratos/admin/tenant/create
>>>>
>>>>
>>>> *TODO*
>>>>
>>>> This is more of the framework for implementing RESTful admin APIs. I
>>>> have implemented two Operations for the moment. We have to populate the
>>>> service bean with rest of the API. It's a matter of porting existing code to
>>>> new service bean. What is more important is, to carefully design REST
>>>> endpoints.
>>>>
>>>> Unlike WS endpoints, we have to be careful with REST endpoint / where
>>>> the parameter goes in endpoint / HTTP method used / etc. I will spawn a
>>>> separate thread on the topic.
>>>>
>>>> I have applied the patches to the JIRA. Would be great if the code can
>>>> be committed to the main trunk. :)
>>>>
>>>>
>>>> [1] https://issues.apache.org/jira/browse/STRATOS-90
>>>> [2] http://cxf.apache.org/docs/secure-jax-rs-services.html
>>>>
>>>> thanks,
>>>>  --Pradeep
>>>>
>>>
>>>
>>>
>>> --
>>> Best Regards,
>>> Nirmal
>>>
>>> C.S.Nirmal J. Fernando
>>> Senior Software Engineer,
>>> WSO2 Inc.
>>>
>>> Blog: http://nirmalfdo.blogspot.com/
>>>
>>
>>
>>
>> thanks,
>> --Pradeep
>>
>
>
>
> --
> Best Regards,
> Nirmal
>
> C.S.Nirmal J. Fernando
> Senior Software Engineer,
> WSO2 Inc.
>
> Blog: http://nirmalfdo.blogspot.com/
>

Re: RESTful API for Stratos Controller

Posted by Nirmal Fernando <ni...@gmail.com>.
Pradeep,

Thanks for the reply.

On Mon, Oct 7, 2013 at 10:42 AM, Pradeep Fernando <pr...@gmail.com>wrote:

>
> Hi Nirmal,
>
> Please find answers inline,
>
> On Sat, Oct 5, 2013 at 10:04 AM, Nirmal Fernando <ni...@gmail.com>wrote:
>
>> Hi Pradeep,
>>
>> Thanks for this contribution. I hope this will provide the basis for
>> others to build Stratos REST API.
>>
>> Few questions inline.
>>
>> On Fri, Oct 4, 2013 at 10:57 PM, Pradeep Fernando <pr...@gmail.com>wrote:
>>
>>> Hi Devs,
>>>
>>>
>>> I came up with an implementation of the above feature and the patch can be
>>> found at [1].
>>>
>>> *How it works*
>>>
>>> - The web-app to Carbon runtime state exchange happens via OSGi services
>>> - The JAX-RS application is using Apache CXF as the REST engine
>>> - Authentication and Authorization of incoming requests are handled
>>> using two separate JAX-RS providers registered against the service class
>>> - Authentication/Authorization is closely integrated to the underlying
>>> carbon authentication/authorization framework
>>> - I have defined two new annotation classes to capture method level
>>> permission details
>>>     * @AuthorizationAction("PermissionString") - allows the admin
>>> service writer to annotate a certain operation with a permission string.
>>> A request gets authorized only if the invoking user has enough permissions
>>>
>>
>> Where are these permissions stored? Can you explain how can someone
>> compile this string?
>>
>
> This is permission string related to carbon permission model. IIRC, this
> is the same string that you use inside services.xml AuthorizationAction
> element
>
>
>
>>
>>
>>>      * @SuperTenantService (true|false) - only the super-tenant user
>>> can access the service
>>>
>>
>> false implies all the tenants including super-tenant can access this
>> operation right? If so, can you please consider renaming this annotation?
>>
>
> In the Carbon permission structure, super-tenant is special. Other way
> around, that is super-tenant can perform tenant operations is implicit
> IMHO. In that sense, when we say, @SuperTenantService(false) it means it is
> not a super tenant service. - > any other tenant admin service. I'm ok to
> change this annotation, two concerns,
>
> 1. I used the same jargon that is being used in services.xml.
> <SuperTenantService>. Introducing another wording for the same thing might
> be confusing.
> 2. We don't really use @SuperTenantService(false) annotation. default is
> false.
>
> Maybe we should change this to a marker annotation, -> @SuperTenantService
>

+1, makes sense. So, if you want to restrict an operation only for super
tenant access, you use @SuperTenantService annotation.

>
>
>>
>>> - During the deployment time, the authorization handler gets injected
>>> with the service bean. It processes all the authorization related
>>> annotations and builds an information model. When a request comes in it
>>> verifies the expected permission vs bearing permission.
>>>
>>> Can you please explain how someone can plug a new authorization handler?
>> What classes to extend, what interfaces to implement etc.?
>>
>
> They just have to implement jaxrs.RequestHandler interface and declare the
> bean in spring config file (cxf-servlet.xml)
>
> I did not come up with an authentication/authorization abstraction for
> Stratos in implementation.
>

No problem.


> It is too early IMHO. Once we have at least one other
> authentication/authorization module we can define the abstraction.
>

IMO we should go for OAuth2 based authentication/authorization model as
soon as possible.

We should ideally start building up a wiki page on this too.

>
>
>
>>
>>
>>
>>> *Challenges/Approaches that did not work.*
>>>
>>> CXF project provides an AuthorizationFilter called
>>> SimpleAuthorizationFilter[2] for JAAS based request authorization. It uses
>>> @RolesAllowed annotation to identify authorized users. However it does not
>>> suit well for the Carbon authorization system. Hence I came up with my own
>>> Annotation types, which closely resemble the params used in existing WS
>>> admin services.
>>>
>>>
>>> *Authentication mechanism is pluggable *
>>>
>>>  - Right now there is only one authenticator. It uses basic-auth to
>>> authenticate incoming requests. It is possible to plug in other kinds of
>>> authenticators.
>>>
>>> *How to write your new RESTful admin service*
>>>
>>>     @POST
>>>     @Path("/tenant/create")
>>>     @Consumes("application/json")
>>>     @Produces("application/json")
>>>     @AuthorizationAction("/permission/protected/manage/monitor/tenants")
>>>     @SuperTenantService(true)
>>>     public String addTenant(TenantInfoBean tenantInfoBean) {
>>>
>>>       return success;
>>>     }
>>>
>>> *Sample Request from CURL*
>>>
>>>  curl -X POST -H "Content-Type: application/json" \
>>>    -d '{"tenantInfo":{"admin":"admin","firstname":"Frank","lastname":"Myers","adminPassword":"admin123","email":"foo@bar.com","tenantDomain":"frank.com"}}' \
>>>    -v -u admin:admin https://localhost:9443/stratos/admin/tenant/create
>>>
>>>
>>> *TODO*
>>>
>>> This is more of the framework for implementing RESTful admin APIs. I
>>> have implemented two Operations for the moment. We have to populate the
>>> service bean with rest of the API. It's a matter of porting existing code to
>>> new service bean. What is more important is, to carefully design REST
>>> endpoints.
>>>
>>> Unlike WS endpoints, we have to be careful with REST endpoint / where
>>> the parameter goes in endpoint / HTTP method used / etc. I will spawn a
>>> separate thread on the topic.
>>>
>>> I have applied the patches to the JIRA. Would be great if the code can
>>> be committed to the main trunk. :)
>>>
>>>
>>> [1] https://issues.apache.org/jira/browse/STRATOS-90
>>> [2] http://cxf.apache.org/docs/secure-jax-rs-services.html
>>>
>>> thanks,
>>>  --Pradeep
>>>
>>
>>
>>
>> --
>> Best Regards,
>> Nirmal
>>
>> C.S.Nirmal J. Fernando
>> Senior Software Engineer,
>> WSO2 Inc.
>>
>> Blog: http://nirmalfdo.blogspot.com/
>>
>
>
>
> thanks,
> --Pradeep
>



-- 
Best Regards,
Nirmal

C.S.Nirmal J. Fernando
Senior Software Engineer,
WSO2 Inc.

Blog: http://nirmalfdo.blogspot.com/

Re: RESTful API for Stratos Controller

Posted by Pradeep Fernando <pr...@gmail.com>.
Hi Nirmal,

Please find answers inline,

On Sat, Oct 5, 2013 at 10:04 AM, Nirmal Fernando <ni...@gmail.com>wrote:

> Hi Pradeep,
>
> Thanks for this contribution. I hope this will provide the basis for
> others to build Stratos REST API.
>
> Few questions inline.
>
> On Fri, Oct 4, 2013 at 10:57 PM, Pradeep Fernando <pr...@gmail.com>wrote:
>
>> Hi Devs,
>>
>>
>> I came up with an implementation of the above feature and the patch can be
>> found at [1].
>>
>> *How it works*
>>
>> - The web-app to Carbon runtime state exchange happens via OSGi services
>> - The JAX-RS application is using Apache CXF as the REST engine
>> - Authentication and Authorization of incoming requests are handled using
>> two separate JAX-RS providers registered against the service class
>> - Authentication/Authorization is closely integrated to the underlying
>> carbon authentication/authorization framework
>> - I have defined two new annotation classes to capture method level
>> permission details
>>     * @AuthorizationAction("PermissionString") - allows the admin service
>> writer to annotate a certain operation with a permission string. A request
>> gets authorized only if the invoking user has enough permissions
>>
>
> Where are these permissions stored? Can you explain how can someone
> compile this string?
>

This is permission string related to carbon permission model. IIRC, this is
the same string that you use inside services.xml AuthorizationAction element



>
>
>>      * @SuperTenantService (true|false) - only the super-tenant user can
>> access the service
>>
>
> false implies all the tenants including super-tenant can access this
> operation right? If so, can you please consider renaming this annotation?
>

In the Carbon permission structure, super-tenant is special. Other way
around, that is super-tenant can perform tenant operations is implicit
IMHO. In that sense, when we say, @SuperTenantService(false) it means it is
not a super tenant service. - > any other tenant admin service. I'm ok to
change this annotation, two concerns,

1. I used the same jargon that is being used in services.xml.
<SuperTenantService>. Introducing another wording for the same thing might
be confusing.
2. We don't really use @SuperTenantService(false) annotation. default is
false.

Maybe we should change this to a marker annotation, -> @SuperTenantService


>
>> - During the deployment time, the authorization handler gets injected with
>> the service bean. It processes all the authorization related annotations and
>> builds an information model. When a request comes in it verifies the
>> expected permission vs bearing permission.
>>
>> Can you please explain how someone can plug a new authorization handler?
> What classes to extend, what interfaces to implement etc.?
>

They just have to implement jaxrs.RequestHandler interface and declare the
bean in spring config file (cxf-servlet.xml)

I did not come up with an authentication/authorization abstraction for
Stratos in implementation. It is too early IMHO. Once we have at least one
other authentication/authorization module we can define the abstraction.



>
>
>
>> *Challenges/Approaches that did not work.*
>>
>> CXF project provides an AuthorizationFilter called
>> SimpleAuthorizationFilter[2] for JAAS based request authorization. It uses
>> @RolesAllowed annotation to identify authorized users. However it does not
>> suit well for the Carbon authorization system. Hence I came up with my own
>> Annotation types, which closely resemble the params used in existing WS
>> admin services.
>>
>>
>> *Authentication mechanism is pluggable *
>>
>>  - Right now there is only one authenticator. It uses basic-auth to
>> authenticate incoming requests. It is possible to plug in other kinds of
>> authenticators.
>>
>> *How to write your new RESTful admin service*
>>
>>     @POST
>>     @Path("/tenant/create")
>>     @Consumes("application/json")
>>     @Produces("application/json")
>>     @AuthorizationAction("/permission/protected/manage/monitor/tenants")
>>     @SuperTenantService(true)
>>     public String addTenant(TenantInfoBean tenantInfoBean) {
>>
>>       return success;
>>     }
>>
>> *Sample Request from CURL*
>>
>>  curl -X POST -H "Content-Type: application/json" \
>>    -d '{"tenantInfo":{"admin":"admin","firstname":"Frank","lastname":"Myers","adminPassword":"admin123","email":"foo@bar.com","tenantDomain":"frank.com"}}' \
>>    -v -u admin:admin https://localhost:9443/stratos/admin/tenant/create
>>
>>
>> *TODO*
>>
>> This is more of the framework for implementing RESTful admin APIs. I have
>> implemented two Operations for the moment. We have to populate the service
>> bean with rest of the API. It's a matter of porting existing code to new
>> service bean. What is more important is, to carefully design REST endpoints.
>>
>> Unlike WS endpoints, we have to be careful with REST endpoint / where the
>> parameter goes in endpoint / HTTP method used / etc. I will spawn a
>> separate thread on the topic.
>>
>> I have applied the patches to the JIRA. Would be great if the code can be
>> committed to the main trunk. :)
>>
>>
>> [1] https://issues.apache.org/jira/browse/STRATOS-90
>> [2] http://cxf.apache.org/docs/secure-jax-rs-services.html
>>
>> thanks,
>>  --Pradeep
>>
>
>
>
> --
> Best Regards,
> Nirmal
>
> C.S.Nirmal J. Fernando
> Senior Software Engineer,
> WSO2 Inc.
>
> Blog: http://nirmalfdo.blogspot.com/
>



thanks,
--Pradeep
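
The deployment-time annotation scan and request-time check discussed in this reply, as an added example that is not part of the thread or of the STRATOS-90 patch. It uses the marker form of @SuperTenantService, replaces the Carbon user store with an in-memory grant set, assumes a granted permission path covers its children, and denies any operation that carries no @AuthorizationAction; the class names, the second permission string and the caller data are constructed.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Added illustration (Java 16+ for records); not code from the STRATOS-90 patch.
public class AnnotationAuthzDemo {

    // Hypothetical re-creations of the two annotations discussed in the thread.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface AuthorizationAction { String value(); }

    // Marker form proposed in the thread: present means super-tenant only.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface SuperTenantService { }

    // Constructed stand-in for the service bean.
    static class AdminService {
        @AuthorizationAction("/permission/protected/manage/monitor/tenants")
        @SuperTenantService
        public String addTenant(String tenantDomain) { return "created " + tenantDomain; }

        // Constructed permission string, for illustration only.
        @AuthorizationAction("/permission/admin/manage/example")
        public String listItems() { return "[]"; }

        // Deliberately left without @AuthorizationAction.
        public String unannotated() { return "no rule"; }
    }

    record Rule(String permission, boolean superTenantOnly) { }
    record Caller(String user, boolean superTenant, Set<String> granted) { }
    enum Decision { ALLOW, DENY_NO_RULE, DENY_NOT_SUPER_TENANT, DENY_MISSING_PERMISSION }

    static class AuthorizationHandler {
        private final Map<Method, Rule> rules = new HashMap<>();

        // "Deployment time": scan the service bean once and build the model.
        AuthorizationHandler(Class<?> serviceBean) {
            for (Method m : serviceBean.getDeclaredMethods()) {
                AuthorizationAction action = m.getAnnotation(AuthorizationAction.class);
                if (action != null) {
                    rules.put(m, new Rule(action.value(),
                            m.isAnnotationPresent(SuperTenantService.class)));
                }
            }
        }

        // Request time: expected permission vs. what the caller bears.
        Decision authorize(Method operation, Caller caller) {
            Rule rule = rules.get(operation);
            if (rule == null) {
                return Decision.DENY_NO_RULE; // fail closed on unannotated operations
            }
            if (rule.superTenantOnly() && !caller.superTenant()) {
                return Decision.DENY_NOT_SUPER_TENANT;
            }
            for (String granted : caller.granted()) {
                if (covers(granted, rule.permission())) {
                    return Decision.ALLOW;
                }
            }
            return Decision.DENY_MISSING_PERMISSION;
        }

        // Assumption: a granted node covers itself and its subtree. The trailing
        // slash stops ".../mon" from matching ".../monitor/tenants".
        static boolean covers(String granted, String required) {
            String prefix = granted.endsWith("/") ? granted : granted + "/";
            return required.equals(granted) || required.startsWith(prefix);
        }
    }

    public static void main(String[] args) throws Exception {
        AuthorizationHandler handler = new AuthorizationHandler(AdminService.class);
        Method addTenant = AdminService.class.getMethod("addTenant", String.class);
        Method listItems = AdminService.class.getMethod("listItems");
        Method unannotated = AdminService.class.getMethod("unannotated");

        // Constructed callers, as the authentication handler would hand them over.
        Caller superAdmin = new Caller("admin", true, Set.of("/permission/protected"));
        Caller tenantAdmin = new Caller("admin@frank.com", false,
                Set.of("/permission/admin", "/permission/protected/manage/monitor/tenants"));
        Caller tenantUser = new Caller("bob@frank.com", false,
                Set.of("/permission/admin/login"));

        System.out.println("superAdmin  addTenant   -> " + handler.authorize(addTenant, superAdmin));
        System.out.println("tenantAdmin addTenant   -> " + handler.authorize(addTenant, tenantAdmin));
        System.out.println("tenantAdmin listItems   -> " + handler.authorize(listItems, tenantAdmin));
        System.out.println("tenantUser  listItems   -> " + handler.authorize(listItems, tenantUser));
        System.out.println("superAdmin  listItems   -> " + handler.authorize(listItems, superAdmin));
        System.out.println("superAdmin  unannotated -> " + handler.authorize(unannotated, superAdmin));
    }
}
```

The tenant admin is refused addTenant even though it holds the exact permission string, which is the restriction the marker annotation is meant to express, and the super-tenant caller is still refused listItems because tenancy alone grants no permission.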

Re: RESTful API for Stratos Controller

Posted by Nirmal Fernando <ni...@gmail.com>.
Hi Pradeep,

Thanks for this contribution. I hope this will provide the basis for others
to build Stratos REST API.

Few questions inline.

On Fri, Oct 4, 2013 at 10:57 PM, Pradeep Fernando <pr...@gmail.com>wrote:

> Hi Devs,
>
>
> I came up with an implementation of the above feature and the patch can be
> found at [1].
>
> *How it works*
>
> - The web-app to Carbon runtime state exchange happens via OSGi services
> - The JAX-RS application is using Apache CXF as the REST engine
> - Authentication and Authorization of incoming requests are handled using
> two separate JAX-RS providers registered against the service class
> - Authentication/Authorization is closely integrated to the underlying
> carbon authentication/authorization framework
> - I have defined two new annotation classes to capture method level
> permission details
>     * @AuthorizationAction("PermissionString") - allows the admin service
> writer to annotate a certain operation with a permission string. A request
> gets authorized only if the invoking user has enough permissions
>

Where are these permissions stored? Can you explain how can someone compile
this string?


>     * @SuperTenantService (true|false) - only the super-tenant user can
> access the service
>

false implies all the tenants including super-tenant can access this
operation right? If so, can you please consider renaming this annotation?


> - During the deployment time, the authorization handler gets injected with
> the service bean. It processes all the authorization related annotations and
> builds an information model. When a request comes in it verifies the
> expected permission vs bearing permission.
>
> Can you please explain how someone can plug a new authorization handler?
What classes to extend, what interfaces to implement etc.?


> *Challenges/Approaches that did not work.*
>
> CXF project provides an AuthorizationFilter called
> SimpleAuthorizationFilter[2] for JAAS based request authorization. It uses
> @RolesAllowed annotation to identify authorized users. However it does not
> suit well for the Carbon authorization system. Hence I came up with my own
> Annotation types, which closely resemble the params used in existing WS admin
> services.
>
>
> *Authentication mechanism is pluggable *
>
>  - Right now there is only one authenticator. It uses basic-auth to
> authenticate incoming requests. It is possible to plug in other kinds of
> authenticators.
>
> *How to write your new RESTful admin service*
>
>     @POST
>     @Path("/tenant/create")
>     @Consumes("application/json")
>     @Produces("application/json")
>     @AuthorizationAction("/permission/protected/manage/monitor/tenants")
>     @SuperTenantService(true)
>     public String addTenant(TenantInfoBean tenantInfoBean) {
>
>       return success;
>     }
>
> *Sample Request from CURL*
>
>  curl -X POST -H "Content-Type: application/json" \
>    -d '{"tenantInfo":{"admin":"admin","firstname":"Frank","lastname":"Myers","adminPassword":"admin123","email":"foo@bar.com","tenantDomain":"frank.com"}}' \
>    -v -u admin:admin \
>    https://localhost:9443/stratos/admin/tenant/create
>
>
> *TODO*
>
> This is more of the framework for implementing RESTful admin APIs. I have
> implemented two Operations for the moment. We have to populate the service
> bean with rest of the API. It's a matter of porting existing code to new
> service bean. What is more important is, to carefully design REST endpoints.
>
> Unlike WS endpoints, we have to be careful with REST endpoint / where the
> parameter goes in endpoint / HTTP method used / etc. I will spawn a
> separate thread on the topic.
>
> I have applied the patches to the JIRA. Would be great if the code can be
> committed to the main trunk. :)
>
>
> [1] https://issues.apache.org/jira/browse/STRATOS-90
> [2] http://cxf.apache.org/docs/secure-jax-rs-services.html
>
> thanks,
> --Pradeep
>



-- 
Best Regards,
Nirmal

C.S.Nirmal J. Fernando
Senior Software Engineer,
WSO2 Inc.

Blog: http://nirmalfdo.blogspot.com/

Re: RESTful API for Stratos Controller

Posted by Pradeep Fernando <pr...@gmail.com>.
Hi Devs,


I came up with an implementation of the above feature and the patch can be
found at [1].

*How it works*

- The web-app to Carbon runtime state exchange happens via OSGi services
- The JAX-RS application is using Apache CXF as the REST engine
- Authentication and Authorization of incoming requests are handled using
two separate JAX-RS providers registered against the service class
- Authentication/Authorization is closely integrated to the underlying
carbon authentication/authorization framework
- I have defined two new annotation classes to capture method level
permission details
    * @AuthorizationAction("PermissionString") - allows the admin service
writer to annotate a certain operation with permission string. Requests get
authorized only if the invoking user has enough permissions
    * @SuperTenantService (true|false) - only the super-tenant user can
access the service
- During the deployment time, the authorization handler gets injected with
service bean. It processes all the authorization related annotations and
builds an information model. When a request comes in it verifies the
expected permission vs bearing permission.

*Challenges/Approaches that did not work.*

CXF project provides an AuthorizationFilter called
SimpleAuthorizationFilter[2] for JAAS based request authorization. It uses
@RolesAllowed annotation to identify authorized users. However it does not
suit well for the Carbon authorization system. Hence I came up with my own
Annotation types, which closely resemble the params used in existing WS admin
services.


*Authentication mechanism is pluggable *

 - Right now there is only one authenticator. It uses basic-auth to
authenticate incoming requests. It is possible to plug in other kinds of
authenticators.

*How to write your new RESTful admin service*

    @POST
    @Path("/tenant/create")
    @Consumes("application/json")
    @Produces("application/json")
    @AuthorizationAction("/permission/protected/manage/monitor/tenants")
    @SuperTenantService(true)
    public String addTenant(TenantInfoBean tenantInfoBean) {

      return success;
    }

*Sample Request from CURL*

curl -X POST -H "Content-Type: application/json" \
  -d '{"tenantInfo":{"admin":"admin","firstname":"Frank","lastname":"Myers","adminPassword":"admin123","email":"foo@bar.com","tenantDomain":"frank.com"}}' \
  -v -u admin:admin \
  https://localhost:9443/stratos/admin/tenant/create


*TODO*

This is more of the framework for implementing RESTful admin APIs. I have
implemented two Operations for the moment. We have to populate the service
bean with rest of the API. It's a matter of porting existing code to new
service bean. What is more important is, to carefully design REST endpoints.

Unlike WS endpoints, we have to be careful with REST endpoint / where the
parameter goes in endpoint / HTTP method used / etc. I will spawn a
separate thread on the topic.

I have applied the patches to the JIRA. Would be great if the code can be
committed to the main trunk. :)


[1] https://issues.apache.org/jira/browse/STRATOS-90
[2] http://cxf.apache.org/docs/secure-jax-rs-services.html

thanks,
--Pradeep
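
The deployment-time annotation scan and request-time check described in the post above, as an added illustration that is not code from the STRATOS-90 patch. The two annotations are hypothetical stand-ins for the ones the post names; the handler, Rule and Caller types, the listCartridges operation and its permission string, exact-match permission lookup, and denying operations that carry no annotation are all assumptions (Java 16+ for records).

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;

public class AnnotationAuthzDemo {
    // Hypothetical stand-ins for the two annotations named in the post.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface AuthorizationAction { String value(); }
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface SuperTenantService { boolean value(); }

    // Constructed service bean; the method bodies are irrelevant to the check.
    static class AdminService {
        @AuthorizationAction("/permission/protected/manage/monitor/tenants")
        @SuperTenantService(true)
        public String addTenant(String tenantDomain) { return "created " + tenantDomain; }

        @AuthorizationAction("/permission/admin/manage/view") // constructed permission string
        @SuperTenantService(false)
        public String listCartridges() { return "[]"; }

        public String unannotated() { return "no policy declared"; }
    }

    record Rule(String permission, boolean superTenantOnly) {}
    record Caller(String user, boolean superTenant, Set<String> permissions) {}

    static final class AuthorizationHandler {
        private final Map<String, Rule> model = new HashMap<>();

        // Deployment time: scan the service bean once and build the information model.
        AuthorizationHandler(Class<?> serviceBean) {
            for (Method m : serviceBean.getDeclaredMethods()) {
                AuthorizationAction action = m.getAnnotation(AuthorizationAction.class);
                if (action == null) continue; // no rule recorded, so the operation is denied later
                SuperTenantService st = m.getAnnotation(SuperTenantService.class);
                model.put(m.getName(), new Rule(action.value(), st != null && st.value()));
            }
        }

        // Request time: expected permission vs. the permissions the caller bears.
        boolean isAuthorized(String operation, Caller caller) {
            Rule rule = model.get(operation);
            if (rule == null) return false; // assumption: fail closed on unannotated operations
            if (rule.superTenantOnly() && !caller.superTenant()) return false;
            return caller.permissions().contains(rule.permission());
        }
    }

    public static void main(String[] args) {
        AuthorizationHandler handler = new AuthorizationHandler(AdminService.class);
        Caller superAdmin = new Caller("admin", true,
                Set.of("/permission/protected/manage/monitor/tenants"));
        Caller tenantAdmin = new Caller("admin@frank.com", false,
                Set.of("/permission/protected/manage/monitor/tenants", "/permission/admin/manage/view"));

        System.out.println(handler.isAuthorized("addTenant", superAdmin));       // super tenant, holds permission
        System.out.println(handler.isAuthorized("addTenant", tenantAdmin));      // holds permission, wrong tenant
        System.out.println(handler.isAuthorized("listCartridges", tenantAdmin)); // open to all tenants
        System.out.println(handler.isAuthorized("unannotated", superAdmin));     // no rule in the model
    }
}
```

Keying the model by method name ignores overloads; a handler wired into a JAX-RS provider would key on the resolved resource method instead.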

Re: RESTful API for Stratos Controller

Posted by Nirmal Fernando <ni...@gmail.com>.
Hi Pradeep,

I've created an event and shared it:
https://plus.google.com/u/2/103515557134069849802/posts/Zwk5kAnLFBn

Please do share.


On Thu, Sep 12, 2013 at 6:14 PM, Pradeep Fernando <pr...@gmail.com>wrote:

> Hi Nirmal,
>
> Please find the outline below,
>
> - Carbon admin services and how frontend components interact with them
> - Stratos controller API (existing) and its UI components.
> - What it takes to deploy a web-app in Carbon kernel
> - Accessing core OSGi services by means of CarbonContext API
> - JAX-RS web-app exposing admin services of Stratos - big picture
> - How Custom web-app frontend/command line tooling can interact with the
> deployed REST apis.
>
> I would like to have this on Tuesday the 17th if possible.
>
> thanks,
> --Pradeep
>
>
> On Thu, Sep 12, 2013 at 6:01 AM, Ishmal Bartley <
> Ishmal.Bartley@caremore.com> wrote:
>
>> Pradeep,
>>
>> This is very similar to our discussion about using rest functions to
>> directly perform all activities against Carbon admin services.
>>
>> I think it will be a good idea to build a web app that exposes these
>> functions.
>>
>> This way complete command line suite and/or toolkits can be built to
>> allow full automation of provisioning and administrative functions.
>>
>> *From:* Pradeep Fernando [mailto:pradeepfn@gmail.com]
>> *Sent:* Wednesday, September 11, 2013 3:23 AM
>> *To:* dev
>> *Subject:* Re: RESTful API for Stratos Controller
>>
>> Hi Devs,
>>
>> Can someone of you please schedule a hangout for the above topic. :)
>>
>> below is the description i came up with,
>>
>> <description>
>>
>> At the moment, the Stratos admin interfaces are tightly coupled to Carbon
>> admin services. Hence all the backend interfaces are exposed as
>> web-services.  This in turn has encouraged developers to develop stratos
>> controller front-ends as Carbon UI components.
>>
>> IMHO it is possible to develop Stratos backend interfaces as RESTful
>> services. The initial proposal is to develop them as a separate JAX-WS
>> webapp. But the topic is open for discussion.
>>
>> This would allow Stratos developers to,
>>
>> create front-ends (simple web-apps) that make use of restful APIs.
>>
>> Commandline tooling can make use of REST APIs as well.
>>
>> </description>
>>
>> thanks,
>>
>> --Pradeep
>>
>> On Sun, Aug 18, 2013 at 7:25 PM, Isuru Haththotuwa <is...@wso2.com>
>> wrote:
>>
>> On Sat, Aug 17, 2013 at 6:58 PM, Pradeep Fernando <pr...@gmail.com>
>> wrote:
>>
>> Hi All,
>>
>> I participated in the recent hangout and came to know that command-line
>> client and stratos controller interact via WS calls. I would like to
>> propose a RESTful interface to the stratos admin operations.
>>
>> WDYT ? if the community agrees, i would like to implement this
>> functionality.
>>
>> +1 for the idea. The team discussed this some time ago (prior to the
>> incubation) but could not do it then due to time constraints.
>>
>> RESTful stratos services<https://docs.google.com/drawings/d/1wcbGjKS9oRtmmSbo1CMJnEZzvuvj_pceaud-pfFl3f0/edit?usp=drive_web>
>>
>> thanks,
>>
>> --Pradeep
>>
>> --
>> Thanks and Regards,
>>
>> Isuru H.
>>
>> --
>> Pradeep Fernando.
>> http://pradeepfernando.blogspot.com/
>>
>
>
>
> --
> Pradeep Fernando.
> http://pradeepfernando.blogspot.com/
>



-- 
Best Regards,
Nirmal

C.S.Nirmal J. Fernando
Senior Software Engineer,
WSO2 Inc.

Blog: http://nirmalfdo.blogspot.com/

Re: RESTful API for Stratos Controller

Posted by Pradeep Fernando <pr...@gmail.com>.
Hi Nirmal,

Please find the outline below,

- Carbon admin services and how frontend components interact with them
- Stratos controller API (existing) and its UI components.
- What it takes to deploy a web-app in Carbon kernel
- Accessing core OSGi services by means of CarbonContext API
- JAX-RS web-app exposing admin services of Stratos - big picture
- How Custom web-app frontend/command line tooling can interact with the
deployed REST apis.

I would like to have this on Tuesday the 17th if possible.

thanks,
--Pradeep


On Thu, Sep 12, 2013 at 6:01 AM, Ishmal Bartley <Ishmal.Bartley@caremore.com> wrote:

> Pradeep,
>
> This is very similar to our discussion about using rest functions to
> directly perform all activities against Carbon admin services.
>
> I think it will be a good idea to build a web app that exposes these
> functions.
>
> This way complete command line suite and/or toolkits can be built to allow
> full automation of provisioning and administrative functions.
>
> *From:* Pradeep Fernando [mailto:pradeepfn@gmail.com]
> *Sent:* Wednesday, September 11, 2013 3:23 AM
> *To:* dev
> *Subject:* Re: RESTful API for Stratos Controller
>
> Hi Devs,
>
> Can someone of you please schedule a hangout for the above topic. :)
>
> below is the description i came up with,
>
> <description>
>
> At the moment, the Stratos admin interfaces are tightly coupled to Carbon
> admin services. Hence all the backend interfaces are exposed as
> web-services.  This in turn has encouraged developers to develop stratos
> controller front-ends as Carbon UI components.
>
> IMHO it is possible to develop Stratos backend interfaces as RESTful
> services. The initial proposal is to develop them as a separate JAX-WS
> webapp. But the topic is open for discussion.
>
> This would allow Stratos developers to,
>
> create front-ends (simple web-apps) that make use of restful APIs.
>
> Commandline tooling can make use of REST APIs as well.
>
> </description>
>
> thanks,
>
> --Pradeep
>
> On Sun, Aug 18, 2013 at 7:25 PM, Isuru Haththotuwa <is...@wso2.com>
> wrote:
>
> On Sat, Aug 17, 2013 at 6:58 PM, Pradeep Fernando <pr...@gmail.com>
> wrote:
>
> Hi All,
>
> I participated in the recent hangout and came to know that command-line
> client and stratos controller interact via WS calls. I would like to
> propose a RESTful interface to the stratos admin operations.
>
> WDYT ? if the community agrees, i would like to implement this
> functionality.
>
> +1 for the idea. The team discussed this some time ago (prior to the
> incubation) but could not do it then due to time constraints.
>
> RESTful stratos services<https://docs.google.com/drawings/d/1wcbGjKS9oRtmmSbo1CMJnEZzvuvj_pceaud-pfFl3f0/edit?usp=drive_web>
>
> thanks,
>
> --Pradeep
>
> --
> Thanks and Regards,
>
> Isuru H.
>
> --
> Pradeep Fernando.
> http://pradeepfernando.blogspot.com/
>



-- 
Pradeep Fernando.
http://pradeepfernando.blogspot.com/

RE: RESTful API for Stratos Controller

Posted by Ishmal Bartley <Is...@caremore.com>.
Pradeep,
This is very similar to our discussion about using rest functions to directly perform all activities against Carbon admin services.
I think it will be a good idea to build a web app that exposes these functions.
This way complete command line suite and/or toolkits can be built to allow full automation of provisioning and administrative functions.



From: Pradeep Fernando [mailto:pradeepfn@gmail.com]
Sent: Wednesday, September 11, 2013 3:23 AM
To: dev
Subject: Re: RESTful API for Stratos Controller

Hi Devs,

Can someone of you please schedule a hangout for the above topic. :)

below is the description i came up with,

<description>
At the moment, the Stratos admin interfaces are tightly coupled to Carbon admin services. Hence all the backend interfaces are exposed as web-services.  This in turn has encouraged developers to develop stratos controller front-ends as Carbon UI components.

IMHO it is possible to develop Stratos backend interfaces as RESTful services. The initial proposal is to develop them as a separate JAX-WS webapp. But the topic is open for discussion.

This would allow Stratos developers to,

create front-ends (simple web-apps) that make use of restful APIs.
Commandline tooling can make use of REST APIs as well.
</description>



thanks,
--Pradeep


On Sun, Aug 18, 2013 at 7:25 PM, Isuru Haththotuwa <is...@wso2.com> wrote:
On Sat, Aug 17, 2013 at 6:58 PM, Pradeep Fernando <pr...@gmail.com> wrote:
Hi All,

I participated in the recent hangout and came to know that command-line client and stratos controller interact via WS calls. I would like to propose a RESTful interface to the stratos admin operations.

WDYT ? if the community agrees, i would like to implement this functionality.
+1 for the idea. The team discussed this some time ago (prior to the incubation) but could not do it then due to time constraints.

RESTful stratos services<https://docs.google.com/drawings/d/1wcbGjKS9oRtmmSbo1CMJnEZzvuvj_pceaud-pfFl3f0/edit?usp=drive_web>


thanks,
--Pradeep



--
Thanks and Regards,

Isuru H.




--
Pradeep Fernando.
http://pradeepfernando.blogspot.com/

Re: RESTful API for Stratos Controller

Posted by Pradeep Fernando <pr...@gmail.com>.
Hi Devs,

Can someone of you please schedule a hangout for the above topic. :)

below is the description i came up with,

<description>
At the moment, the Stratos admin interfaces are tightly coupled to Carbon
admin services. Hence all the backend interfaces are exposed as
web-services.  This in turn has encouraged developers to develop stratos
controller front-ends as Carbon UI components.

IMHO it is possible to develop Stratos backend interfaces as RESTful
services. The initial proposal is to develop them as a separate JAX-WS
webapp. But the topic is open for discussion.

This would allow Stratos developers to,

create front-ends (simple web-apps) that make use of restful APIs.
Commandline tooling can make use of REST APIs as well.
</description>



thanks,
--Pradeep



On Sun, Aug 18, 2013 at 7:25 PM, Isuru Haththotuwa <is...@wso2.com> wrote:

> On Sat, Aug 17, 2013 at 6:58 PM, Pradeep Fernando <pr...@gmail.com>wrote:
>
>> Hi All,
>>
>> I participated in the recent hangout and came to know that command-line
>> client and stratos controller interact via WS calls. I would like to
>> propose a RESTful interface to the stratos admin operations.
>>
>> WDYT ? if the community agrees, i would like to implement this
>> functionality.
>>
> +1 for the idea. The team discussed this some time ago (prior to the
> incubation) but could not do it then due to time constraints.
>
>>
>>  RESTful stratos services<https://docs.google.com/drawings/d/1wcbGjKS9oRtmmSbo1CMJnEZzvuvj_pceaud-pfFl3f0/edit?usp=drive_web>
>>
>>
>> thanks,
>> --Pradeep
>>
>
>
>
> --
> Thanks and Regards,
>
> Isuru H.
>
>
>


-- 
Pradeep Fernando.
http://pradeepfernando.blogspot.com/

Re: RESTful API for Stratos Controller

Posted by Isuru Haththotuwa <is...@wso2.com>.
On Sat, Aug 17, 2013 at 6:58 PM, Pradeep Fernando <pr...@gmail.com>wrote:

> Hi All,
>
> I participated in the recent hangout and came to know that command-line
> client and stratos controller interact via WS calls. I would like to
> propose a RESTful interface to the stratos admin operations.
>
> WDYT ? if the community agrees, i would like to implement this
> functionality.
>
+1 for the idea. The team discussed this some time ago (prior to the
incubation) but could not do it then due to time constraints.

> 
>  RESTful stratos services<https://docs.google.com/drawings/d/1wcbGjKS9oRtmmSbo1CMJnEZzvuvj_pceaud-pfFl3f0/edit?usp=drive_web>
> 
>
> thanks,
> --Pradeep
>



-- 
Thanks and Regards,

Isuru H.

RE: RESTful API for Stratos Controller

Posted by Jason Daly <ja...@systembind.com>.
Indeed.  Possibly a hangout to discuss?

 
Jason Daly
VP, Product Development
SystemBind Consulting & IT Services Inc.
5115 Maingate Drive, Unit #1 | Mississauga | Ontario
Tel: 416.848.0980 x 850
Mobile: 416.388.4070
Toll: 1.877.SYS.BIND
www.systembind.com

 
From: Imesh Gunaratne [mailto:imesh@wso2.com] 
Sent: August-17-13 1:47 PM
To: dev@stratos.incubator.apache.org
Subject: Re: RESTful API for Stratos Controller

 
+1 A great thought! May be it's good to discuss the design of the API before the implementation.

 
Thanks

 
On Sat, Aug 17, 2013 at 10:51 PM, Nirmal Fernando <nirmal070125@gmail.com> wrote:

+1 Pradeep. We should ideally provide REST interfaces for most of our service APIs.

 
On Sat, Aug 17, 2013 at 6:58 PM, Pradeep Fernando <pradeepfn@gmail.com> wrote:

Hi All,

 
I participated in the recent hangout and came to know that command-line client and stratos controller interact via WS calls. I would like to propose a RESTful interface to the stratos admin operations.

 
WDYT ? if the community agrees, i would like to implement this functionality.

 
 RESTful stratos services

 
 
thanks, 

--Pradeep




-- 

Best Regards,
Nirmal

C.S.Nirmal J. Fernando
Senior Software Engineer,
WSO2 Inc.

 
Blog: http://nirmalfdo.blogspot.com/




 
-- 

Imesh Gunaratne
Technical Lead
WSO2 Inc | http://wso2.com
Mobile: +94 77 374 2057
Blog: http://imesh.gunaratne.org

Lean . Enterprise . Middleware


RE: RESTful API for Stratos Controller

Posted by Jason Daly <ja...@systembind.com>.
I think that this is a great idea.

Jason Daly
VP, Product Development
SystemBind Consulting & IT Services Inc.
5115 Maingate Drive, Unit #1 | Mississauga | Ontario
Tel: 416.848.0980 x 850
Mobile: 416.388.4070
Toll: 1.877.SYS.BIND
www.systembind.com

 
From: Pradeep Fernando [mailto:pradeepfn@gmail.com] 
Sent: August-17-13 9:29 AM
To: dev
Subject: RESTful API for Stratos Controller

 
Hi All,

 
I participated in the recent hangout and came to know that command-line client and stratos controller interact via WS calls. I would like to propose a RESTful interface to the stratos admin operations.

 
WDYT ? if the community agrees, i would like to implement this functionality.

RESTful stratos services

 
thanks, 

--Pradeep