2021-07-08 - Meeting Notes

Date

Jul 8, 2021  

Attendees

@Steven Maglio



@Ian Lessing (Unlicensed)



@Vince Nievares



@Kevin Wu



@Diana Antova



@Reinard Dolleschel



@christian.montecino (Unlicensed)



@Navodit Dhiman (Unlicensed)



Goals

  • Updates on continuing development

  • Review, organize and add to work items



Focus points for this meeting

General update

Discussion items

Time

Item

Who

Notes

Time

Item

Who

Notes

Welcome

  • Greetings and salutations



Vacations



  • Diana - Jul 2, 2021 - Jul 23, 2021



Contractor needs



  • Contract until about July 31st.

  • Migrate site as is

    • Feb 12, 2021 

  • Front page redesign 

    • Feb 26, 2021 

  • SSO integration and teams feature

    • May 28, 2021 

 

Apigee RBACK security model

@Steven Maglio

 

Photos API

@Gary Scott

  • Photos API for Fusion

    • might have to redo it as it returns a large amount of data - all hashes of all photos, instead of changes only.

 

Not found errors

@Gary Scott



Splunk



  • Dec 17, 2020 Christian and Thomas enabled Splunk calls. Thomas promised the separate splunk instance by end of the year.

  • Mar 4, 2021 Diana and Christian met with Tom. He will set up the new instance without moving the history as this is challenging.

  • May 13, 2021 We have https://splunkweb2.ets.ucsb.edu available. Tom wants to test with both instances for a week. We need to copy the reports and dashboards. Christian will setup the export to splunk 2. Christian will enable it today. We can verify the results next Thursday. Christian will move all 4 reports and dashboard.

  • May 20, 2021 error in Splunk, looks like licensing issue. Christian will ask Tom Howard.



Developer Portal Migration to Drupal 8

@Steven Maglio

Notes: Drupal 8 Migration Notes

Links:

Feb 4, 2021

Navodit - Working on the workflow transitions. Learning/using the the original Workflow modules code to pull in the transitions data and filter it. Still needing to determine how to get the correct filtering for display.

  • During the week, we also discussed that Diana, Navodit and Steven met. During their meeting they decided:

    • That Diana will review the system once these three things are completed:

      • The emails/rule transitions are corrected (they were correct at the time of the meeting)

      • The display values for workflow transitions would be working properly (this is what Navodit is currently working on)

      • That Navodit will create fake accounts for our end user roles (Developer, Business Approver, and API Administrator) and verify that the system shows the correct state transitions for each role. (to do)

  • Feb 18, 2021 Custom module is pushed to dev instance. Tested with the different roles. Will start to work on the API Publishing view. The workflow status is not showing in the view. Navodit will check all business rules for both workflows and send Diana an email to begin testing.

  • Mar 4, 2021 working on workflow status migration automation. created a feature branch. Roles will be next after the workflow status script.

Mar 18, 2021

  • Migration Process (update new site with data from the current/old site)

    • Updated to include the API Access / API Publishing Request Workflow History (ie. Audit History)

    • Updated to include the API Access / API Publishing Request Status values (they changed the format what data is stored in the database between versions)

  • Updated the workflow processes to better replicate the logic of when to send emails (it looks to be exactly matching the original sites logic now)

  • Currently looking into a discrepancy in the emails that are sent. In the new system the url to the API Access / API Publishing requests that are included in the email looks like “/node/234”, where it should be “/some-application-name”.

  • Merged the latest upstream changes into the dev environment.

  • We changed the workflow for Jira tickets. We are now creating a new multidev environment for each ticket. The multidev environment get’s reviewed and approved before being merged back into the main line.

  • Navodit will be out on Mar 29, 2021

  • Steven will be out Mar 22, 2021 - Mar 26, 2021, Ian will meet with Navodit during the week (Monday - Thursday, Friday is Caesar Chavez Day)

  • Apr 8, 2021 Navodit finished the Swagger documentation. Yaml file issue - pantheon is not accepting .yml files. It has to be .yaml extension. Pantheon is fixing it but not sure when. We will need to change the extension any time we publish a new API. Navodit is working on ticket 88 - to recreate the API menu.

  • Navodit will be out 4/30.

Apr 15, 2021

  • Workflow fixes have been completed and are ready for final sign-off.

  • We are struggling with a password storing problem for the Apigee drupal portal account. The default storage system is not working so Navodit is troubleshooting it. Unfortunately, he doesn’t have access to the drupal portal account password in order to verify his testing.

    • We sent Navodit the password to the drupal portal account so that he can verify his testing.

  • If Navodit complete’s the Apigee configuration setup over the next week, he will start work on re-adding the Register and Login buttons.

  • Our roadmap shows we still have to do: Apigee configuration/integration, Login functionality, conversation about site look & feel redesign, and then the implementation of look & feel.

    • Our projection is currently for the end of June, but that feels optimistic.

  • May 13, 2021 integration with Apigee module is setup, but there is an error getting specific application information. Navodit will create a ticket in GitHub. Steven will submit an apigee ticket. The issue is with old customer accounts. It works fine with a newly created account.

  • Next - Navodit will sort the API list alphabetically. Login/logout buttons need to be moved to the top bar.

  • May 20, 2021 issue with Apigee gateway integration was resolved. Had to disable the teams apigee module for the Apigee edge module to work. Concern with the teams module being turned off. Still discussing with the Apigee team.

  • API list sorting is done. Login button is fixed - Steven met with Alex and left it on the menu. User capability issue is fixed - user can login with an email id.

  • Jun 7, 2021

  • Jul 8, 2021

    • Went Live in Jul 7, 2021 ~10:30 am

    • The SSL certificates are working correctly, so everything as functionality as we expect.

    • The second page of the tutorial needs to have its' screenshots updated, https://developer.ucsb.edu/docs/creating-your-first-app .

    • @Steven Maglio will send an email to ETS/SEAL & Navodit’s company saying that the GoLive completed successfully.

 

graphql APIs

@Kevin Wu

  • Employee Job API - they have had multiple requests from campus. Created a GraphQL version of it. it is a simpler query language. Implemented a solution for security. client id and secret. get back a job token. can apply row level security. can do column level security as well.

  • As of Mar 18, 2021, Kevin is looking to build out the Proof-of-Concept around Apigee OAuth for usage on the endpoint by the end of April.

    • This will include:

      • An authentication endpoint (which will return JWTs)

      • .wellknown/openid-configuration endpoint

        • jwks endpoint

      • Certificates creation and management

        • Will test key rotation

      • Documentation

      • Reusable Shared Flow for authentication/authorization in Apigee

      • The expectation is that the standard OAuth/JWT libraries for service providers will be able to use this



API Security

@Kevin Wu / @Steven Maglio / @christian.montecino (Unlicensed)

  • The team wants to come up with a unified solution for API security

  • Kevin is experimenting options without using CAS

  • 2 options

    • using access token, using custom attributes in the gateway

    • JWT token, using key value maps, can be encrypted

  • Christian researched 3rd party oath - OKTA

  • Apigee cannot communicate with CAS because of a firewall issue

Mar 18, 2021

  • Meet with Noah Baker on Mar 11, 2021

    • Noah was a little hesitant about putting non-Person objects in CAS

    • But, he was okay with Services (ie. Applications) in CAS (which allows for OAuth)

    • By the end of the conversation, he was thinking about seeing if there might be a way to provide the management of CAS Services/Applications through automated means (web apis)

    • He was also on board with the API Gateway Team moving forward with doing an OAuth Proof-Of-Concept using Apigee as the OAuth provider.

      • Noah was also questioning if there is a value add in using CAS, if Apigee already provides OAuth services

      • I sounds like the API Gateway team believes the value add is that the application will be registered in the Campus Identity Systems, and it provides a Campus Provided system for validation/verification on the application servers.

    • Currently, the API Gateway team can get into the Test CAS Management Portal. This had been setup over a year ago, and Noah was a little surprised by the level of access that was available. Kevin is currently using a Service/Application that was setup for Steven (but really, for the API Gateway team) and is using it to continue Proof-of-Concept work in the future. Potentially, we would explore if the OAuth calls that would go to Apigee could flow through to CAS for authentication.

  • (See GraphQL section above for notes on Target Dates)



Student Developed Applications



Jun 4, 2020 Steven and Seth met with the students. They are continuing to grow the sites. Two new members of the team are taking over. Henry is graduating, Jimmy is staying.



Meeting and group focus year 2020



  • Project focus

    • In progress - Drupal 8  (see also Drupal 8 Migration High Level Requirements)

    • Pending - AWS - migrate the Heroku code and the sql server database

    • Pending - Account cleanup automation

    • Pending - Identity integration and automation 

  • Apigee Support

    • 1 FTE on the apigee team to help with student development oversight and support

    • Now the students have to contact so many groups to have their accounts setup, an FTE can really help with that. Adding the functionality to developer.ucsb.edu to create accounts.

      • Drupal - OK to work with a student

      • For other projects like identity account creation and others it will be difficult to work with a student

Action items

 

Instructions: Configure rules in Business Rule module

Testing the rules

Workflow - business rules

same rules are setup

same rule, conditions, actions

now we have workflow diagram